ignite-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ivan Daschinsky <ivanda...@gmail.com>
Subject Re: Setting IGNITE_TO_STRING_INCLUDE_SENSITIVE=false prevents VM Arguments output
Date Thu, 01 Jul 2021 16:28:53 GMT
This is security through obscurity, an obvious and a well-known anti
pattern. I suppose that printing jvm options, that is registered by
@IgniteSystemProperty annotation is an ideal variant

чт, 1 июл. 2021 г., 19:25 Valentin Kulichenko <valentin.kulichenko@gmail.com
>:

> Folks,
>
> *Anything* that a user provides to the system can potentially be considered
> sensitive information. This includes the VM arguments. We can't predict
> what exactly one can put there, so let's not make assumptions.
>
> When dealing with security, we should be as conservative as possible. That
> said, I do not even agree with the pattern approach - there might be a
> user's system property named IGNITE_xxx. It is also possible for our
> internal properties to contain sensitive information (not all of them are
> boolean flags).
>
> The only option I see is to print out specific properties for which we
> agree that they are safe. For example, we can introduce an annotation that
> would mark "safe" properties in IgniteSystemProperties; we will then print
> out only those that are marked with the annotation.
>
> -Val
>
>
> On Thu, Jul 1, 2021 at 7:07 AM Вячеслав Коптилин <slava.koptilin@gmail.com
> >
> wrote:
>
> > Hello Ivan,
> >
> > > At least, we could just hide params that match a specific pattern
> > Yes, we can filter out all vm options that do not relate to Ignite, for
> > instance.
> >
> > > Ilya, go ahead, file ticket and prepare a PR.
> > Please do not rush. Let's listen to other community members. This
> question
> > is about security and it should not be discussed in a hurry (even though
> it
> > looks like an obvious thing).
> >
> > Thanks,
> > S.
> >
> > чт, 1 июл. 2021 г. в 16:55, Ivan Daschinsky <ivandasch@gmail.com>:
> >
> > > I suppose, that all normal users should not suffer from this
> > restrictions.
> > > Nobody will pass password using jvm options. It is absolutely insane,
> > > normal users pass passwords using environment variables.
> > >
> > > At least, we could just hide params that match specific pattern
> > >
> > > Ilya, go ahead, file ticket and prepare a PR.
> > >
> > > чт, 1 июл. 2021 г., 16:45 Вячеслав Коптилин <slava.koptilin@gmail.com
> >:
> > >
> > > > Hello,
> > > >
> > > > Unfortunately, the user can pass its own system properties via JVM
> > > options
> > > > as follows: -DMY_SECRET_PASSWORD=123
> > > > It does not seem, this approach is the best one. However, the user
> > should
> > > > have a "kostyl" in order to hide these properties and values in the
> log
> > > > file, IMHO.
> > > >
> > > > Thanks,
> > > > S.
> > > >
> > > > ср, 30 июн. 2021 г. в 22:52, Shishkov Ilya <shishkovilja@gmail.com>:
> > > >
> > > > > Hi Igniters,
> > > > >
> > > > > This feature [1, 2] prevents logging of the VM arguments when
> > > > > IGNITE_TO_STRING_INCLUDE_SENSITIVE option is set to false. Till
> now,
> > > > method
> > > > > IgniteKernal#ackVmArguments remains mostly the same [3].
> > > > >
> > > > > Is this behaviour actual now? Often, we should be able to get from
> > logs
> > > > the
> > > > > actual VM options used at startup even if output of sensitive data
> is
> > > > > restricted.
> > > > >
> > > > > 1. https://issues.apache.org/jira/browse/IGNITE-4991
> > > > > 2.
> > > > >
> > > > >
> > > >
> > >
> >
> https://github.com/apache/ignite/pull/2428/commits/4f90b6fd77bd23fa818620f0757b792ba388ef93
> > > > > 3.
> > > > >
> > > > >
> > > >
> > >
> >
> https://github.com/apache/ignite/blob/master/modules/core/src/main/java/org/apache/ignite/internal/IgniteKernal.java#L3002
> > > > >
> > > >
> > >
> >
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message