Description of problem (please be detailed as possible and provide log snippets): noobaa-operator logs exposes aws secret: ~~~ time="2024-04-24T15:35:24Z" level=info msg="✈️ RPC: account.check_external_connection() Request: {Name:aws-namespacestore EndpointType:AWS Endpoint:https://<ENDPOINT> Identity:<XXX> Secret:<YYY> AuthMethod: AWSSTSARN: IgnoreNameAlreadyExist:false}" ~~~ Version of all relevant components (if applicable): ODF 4.12 Does this issue impact your ability to continue to work with the product (please explain in detail what is the user impact)? No, however sensitive data is exposed in plain text in the logs. This poses a potential risk. Any user with logs can access bucket. Is there any workaround available to the best of your knowledge? No Rate from 1 - 5 the complexity of the scenario you performed that caused this bug (1 - very simple, 5 - very complex)? 2 Can this issue reproducible? Yes Can this issue reproduce from the UI? Yes If this is a regression, please provide more details to justify this: No I see a similar issue discussed in https://bugzilla.redhat.com/show_bug.cgi?id=1846759. The bug talk about noobaa-core logs contain aws secret and access key. It was fixed in 4.5. Steps to Reproduce: 1. Deploy ODF 2. Check noobaa-operator logs
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: Red Hat OpenShift Data Foundation 4.16.0 security, enhancement & bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2024:4591
Hi Liran, Can this fix be backported to 4.15? Regards, Sonal Arora
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days