Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Clickhouse operator Logs Security issue : Password hash data getting printed in logs #1416

Closed
nnaik25 opened this issue May 9, 2024 · 1 comment
Closed

Clickhouse operator Logs Security issue : Password hash data getting printed in logs #1416

nnaik25 opened this issue May 9, 2024 · 1 comment

Comments

@nnaik25
Copy link

nnaik25 commented May 9, 2024

Environment - Kubenetes

Context:

  1. Below yaml is used for clickhouse deployment

https://github.com/Altinity/clickhouse-operator/blob/master/docs/chi-examples/01-simple-layout-01-1shard-1repl.yaml

  1. Below yaml is used for clickhouse operator deployment

https://github.com/Altinity/clickhouse-operator/blob/master/deploy/helm/clickhouse-operator/values.yaml

Issue :

During clickhouse operator pod startup, we see below log printed that contains Password hash info ( https://github.com/Altinity/clickhouse-operator/blob/master/docs/chi-examples/01-simple-layout-01-1shard-1repl.yaml#L9) .
This is an security issue

Requirement:

Is there a way to supress below log??

clickhouse-operator/pkg/controller/chi/worker.go

Line 564 in bbbf66a

w.a.V(1).M(chi).Info(

I0509 07:00:44.416333 1 worker.go:559] dev1-ranch2/htel-clickhouse-server:logCHI non-normalized yet (native) new start--------------------------------------------:
non-normalized yet (native) new
logCHI kind: ClickHouseInstallation
apiversion: clickhouse.altinity.com/v1
metadata:
name: clickhouse-server
generatename: ""
selflink: ""
uid: 1c58fabd-0d0f-4898-8dee-1e0721dc7050
resourceversion: "165597788"
generation: 2
creationtimestamp: "2024-04-29T23:49:12Z"
deletiontimestamp: null
deletiongraceperiodseconds: null
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"clickhouse.altinity.com/v1","kind":"ClickHouseInstallation","metadata":{"annotations":{},"name":"clickhouse-server","namespace":"xxxxxx"},"spec":{"configuration":{"clusters":[{"layout":{"replicasCount":1,"shardsCount":1},"name":"xxxx","templates":{"podTemplate":"pod-template-with-volumes"}}],"users":{"clickhouse_operator/networks/ip":["::/0"],"clickhouse_operator/password_sha256_hex":"7e734de19505e2509bb9a11dad2c45cfcdfdacedb581c385bb286f9008092c65","clickhouse_operator/profile":"clickhouse_operator","clickhouse_operator/quota":"default
@nnaik25 nnaik25 changed the title Clickhouse operator logging issue : Password hash data getting printed in logs Clickhouse operator Logs Security issue : Password hash data getting printed in logs May 9, 2024
@alex-zaitsev
Copy link
Member

Hi @nnaik25 ,

  1. This is hash, so it is not a security issue.
  2. Same hash appears in Kuberentes resources as well
  3. If you want to make it more secure, consider using Kuberentes secrets: https://github.com/Altinity/clickhouse-operator/blob/master/docs/security_hardening.md#using-secrets

@alex-zaitsev alex-zaitsev closed this as not planned Won't fix, can't repro, duplicate, stale May 21, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@alex-zaitsev @nnaik25