Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

log-backup: secrets may be directly logging to log when --send-credentials-to-tikv=false not set during starting log backup #55273

Closed
YuJuncen opened this issue Aug 7, 2024 · 0 comments · Fixed by #55622
Closed

log-backup: secrets may be directly logging to log when --send-credentials-to-tikv=false not set during starting log backup #55273

YuJuncen opened this issue Aug 7, 2024 · 0 comments · Fixed by #55622
Labels
affects-6.5 affects-7.1 affects-7.5 affects-8.1 component/br This issue is related to BR of TiDB. severity/major type/bug The issue is confirmed as a bug.

Comments

@YuJuncen
Copy link
Contributor

YuJuncen commented Aug 7, 2024
edited
Loading

Bug Report

Please answer these questions before submitting your issue. Thanks!

1. Minimal reproduce step (Required)

  1. Start a log backup task:
$ tiup br:v8.1.0 log start -u upd-1:2379 --task-name fiolvit -s (s3altpath test)
Starting component `br`: /root/.tiup/components/br/v8.1.0/br log start -u upd-1:2379 --task-name fiolvit -s s3://astro/test?endpoint=http://minio:9000
Detail BR log in /tmp/br.log.2024-08-07T17.45.19+0800
[2024/08/07 17:45:19.859 +08:00] [INFO] [collector.go:77] ["log start"] [streamTaskInfo="{taskName=fiolvit,startTs=451680354413576193,endTS=999999999999999999,tableFilter=*.*}"] [pausing=false] [rangeCount=2]
[2024/08/07 17:45:23.269 +08:00] [INFO] [collector.go:77] ["log start success summary"] [total-ranges=0] [ranges-succeed=0] [ranges-failed=0] [backup-checksum=32.966226ms] [total-take=3.715794709s]

And then, check the TiDB log.

2. What did you expect to see? (Required)

It shouldn't contain sensetive information.

3. What did you see instead (Required)

[2024/08/07 17:45:19.844 +08:00] [INFO] [advancer.go:399] ["added event"] [task="storage:<s3:<endpoint:\"http://minio:9000\" region:\"us-east-1\" bucket:\"astro\" prefix:\"test\" access_key:\"minioadmin\" secret_access_key:\"minioadmin\" force_path_style:true > > start_ts:451680354413576193 end_ts:999999999999999999 name:\"fiolvit\" table_filter:\"*.*\" compression_type:ZSTD "] [ranges="{[6D, 6E), [74, 75)}"] [current-checkpoint=451680188790996992]

Notice here, our secret key was printed:

... access_key:\"minioadmin\" secret_access_key:\"minioadmin\" ...

4. What is your TiDB version? (Required)

Current master.

Note: It is always unsafe to enable --send-credentials-to-tikv when starting log backup because: it will store the credentials to PD, and won't rotate them. Then, when the session key expired, there is no way to refresh them(Also anyone that can access PD can query them...). Authorize by IAM roles or other context of the TiKV node are more recommended in productive environment.
@YuJuncen YuJuncen added the type/bug The issue is confirmed as a bug. label Aug 7, 2024
@BornChanger BornChanger added component/br This issue is related to BR of TiDB. severity/major labels Aug 7, 2024
@RidRisR RidRisR mentioned this issue Aug 23, 2024
Merged
13 tasks
@ti-chi-bot ti-chi-bot bot closed this as completed in 51ffa22 Aug 28, 2024
This was referenced Aug 30, 2024
Open
Open
Merged
Open
ti-chi-bot bot pushed a commit that referenced this issue Sep 5, 2024
@ti-chi-bot
br: redact ak/sk in logging (#55622) (#55779)
390215e 
close #55273
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
affects-6.5 affects-7.1 affects-7.5 affects-8.1 component/br This issue is related to BR of TiDB. severity/major type/bug The issue is confirmed as a bug.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

br: redact ak/sk in logging RidRisR/tidb
2 participants
@YuJuncen @BornChanger