Fluentd v0.14.15 cannot mask secret parameter for multi workers on boot #1553

Closed
okkez opened this issue Apr 27, 2017 · 1 comment

okkez commented Apr 27, 2017

Fluentd v0.14.15 cannot mask secret parameter for multi workers on boot.

sample plugin:

require "fluent/plugin/input"

module Fluent
  module Plugin
    class Fake < Input
      Fluent::Plugin.register_input("fake", self)

      config_param :secret, :string, secret: true
    end
  end
end

config for single worker:

<source>
  @type fake
  secret very-secret-string0
</source>

<match>
  @type null
</match>

log for single worker:

2017-04-27 11:22:45 +0900 [info]: reading config file path="fake2.conf"
2017-04-27 11:22:45 +0900 [info]: starting fluentd-0.14.15 pid=29398
2017-04-27 11:22:45 +0900 [info]: spawn command to main:  cmdline=["/home/kenji/.rbenv/versions/2.4.1/bin/ruby", "-Eascii-8bit:ascii-8bit", "-rbundler/setup", "/home/kenji/.rbenv/versions/2.4.1/bin/fluentd", "-c", "fake2.conf", "--under-supervisor"]
2017-04-27 11:22:45 +0900 [info]: gem 'fluentd' version '0.14.15'
2017-04-27 11:22:45 +0900 [info]: gem 'fluent-plugin-github-activities' version '0.7.1'
2017-04-27 11:22:45 +0900 [info]: adding match pattern="**" type="null"
2017-04-27 11:22:45 +0900 [info]: adding source type="fake"
2017-04-27 11:22:45 +0900 [info]: using configuration file: <ROOT>
  <source>
    @type fake
    secret xxxxxx
  </source>
  <match>
    @type null
  </match>
</ROOT>
2017-04-27 11:22:45 +0900 [info]: #0 starting fluentd worker pid=29420 ppid=29398 worker=0
2017-04-27 11:22:45 +0900 [info]: #0 fluentd worker is now running worker=0

config for multi workers:

<system>
  workers 3
</system>

<worker 0>
  <source>
    @type fake
    secret very-secret-string0
  </source>
  <match>
    @type null
  </match>
</worker>

<worker 1>
  <source>
    @type fake
    secret very-secret-string1
  </source>
  <match>
    @type null
  </match>
</worker>

<worker 2>
  <source>
    @type fake
    secret very-secret-string2
  </source>
  <match>
    @type null
  </match>
</worker>

log for multi workers:

2017-04-27 11:23:58 +0900 [info]: reading config file path="fake.conf"
2017-04-27 11:23:58 +0900 [info]: starting fluentd-0.14.15 pid=29533
2017-04-27 11:23:58 +0900 [info]: spawn command to main:  cmdline=["/home/kenji/.rbenv/versions/2.4.1/bin/ruby", "-Eascii-8bit:ascii-8bit", "-rbundler/setup", "/home/kenji/.rbenv/versions/2.4.1/bin/fluentd", "-c", "fake.conf", "--under-supervisor"]
2017-04-27 11:23:59 +0900 [info]: #1 adding match pattern="**" type="null"
2017-04-27 11:23:59 +0900 [info]: gem 'fluentd' version '0.14.15'
2017-04-27 11:23:59 +0900 [info]: gem 'fluent-plugin-github-activities' version '0.7.1'
2017-04-27 11:23:59 +0900 [info]: #0 adding match pattern="**" type="null"
2017-04-27 11:23:59 +0900 [info]: #1 adding source type="fake"
2017-04-27 11:23:59 +0900 [info]: #1 starting fluentd worker pid=29556 ppid=29533 worker=1
2017-04-27 11:23:59 +0900 [info]: #1 fluentd worker is now running worker=1
2017-04-27 11:23:59 +0900 [info]: #0 adding source type="fake"
2017-04-27 11:23:59 +0900 [info]: using configuration file: <ROOT>
  <system>
    workers 3
  </system>
  <worker 0>
    <source>
      @type fake
      secret xxxxxx
    </source>
    <match>
      @type null
    </match>
  </worker>
  <worker 1>
    <source>
      @type fake
      secret very-secret-string1
    </source>
    <match>
      @type null
    </match>
  </worker>
  <worker 2>
    <source>
      @type fake
      secret very-secret-string2
    </source>
    <match>
      @type null
    </match>
  </worker>
</ROOT>
2017-04-27 11:23:59 +0900 [info]: #0 starting fluentd worker pid=29555 ppid=29533 worker=0
2017-04-27 11:23:59 +0900 [info]: #0 fluentd worker is now running worker=0
2017-04-27 11:23:59 +0900 [info]: #2 adding match pattern="**" type="null"
2017-04-27 11:23:59 +0900 [info]: #2 adding source type="fake"
2017-04-27 11:23:59 +0900 [info]: #2 starting fluentd worker pid=29558 ppid=29533 worker=2
2017-04-27 11:23:59 +0900 [info]: #2 fluentd worker is now running worker=2

Fluentd masks the secret parameter only for worker 0.
Fluentd displays the secret parameters for worker 1 and worker 2.

I expect that all secret parameters are masked.

I investigated as follows:

@corresponding_proxies is empty in Fluent::Config::Element#secret_param? for worker 1 and worker 2. @corresponding_proxies is not empty for worker 0.

Dump configuration on boot.
This is only for worker 0. Worker 0 does not configure plugins for worker 1 and worker 2.
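
Added example, not part of the original issue or of Fluentd's code: a Ruby check that walks the boot-time "using configuration file" dump in a text-format Fluentd log and reports secret parameters printed without the `xxxxxx` mask, together with the section they sit in. The function name `unmasked_secrets`, the caller-supplied list of secret parameter names, and the abbreviated sample log are assumptions made for this illustration.

```ruby
MASK = "xxxxxx" # mask string shown in the logs of this issue

# Constructed sample, abbreviated from the multi-worker log in the issue.
SAMPLE_LOG = <<~LOG
  2017-04-27 11:23:59 +0900 [info]: using configuration file: <ROOT>
    <worker 0>
      <source>
        secret xxxxxx
      </source>
    </worker>
    <worker 1>
      <source>
        @type fake
        secret very-secret-string1
      </source>
    </worker>
  </ROOT>
  2017-04-27 11:23:59 +0900 [info]: #0 starting fluentd worker pid=29555 ppid=29533 worker=0
LOG

# secret_names: parameters the operator knows are declared `secret: true`
# (assumption: supplied by the caller; the dump does not mark them).
def unmasked_secrets(log, secret_names)
  findings = []
  stack = []       # currently open sections, e.g. ["worker 1", "source"]
  in_dump = false
  log.each_line do |raw|
    line = raw.strip
    if raw.include?("using configuration file: <ROOT>")
      in_dump = true
      stack = []
      next
    end
    next unless in_dump
    if line == "</ROOT>"
      in_dump = false
    elsif line.start_with?("</")
      stack.pop
    elsif line =~ /\A<(.+)>\z/
      stack.push($1)
    else
      name, value = line.split(/\s+/, 2)
      if secret_names.include?(name) && value && value != MASK
        # Report the location only; never copy the leaked value onward.
        findings << { section: stack.join(" > "), param: name }
      end
    end
  end
  findings
end
```

Running it over archived boot logs from a multi-worker deployment shows which worker sections exposed a value, which tells you which credentials to rotate.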


mururu commented Apr 27, 2017

Oh, good catch!

@mururu mururu added bug Something isn't working v0.14 labels Apr 27, 2017
@mururu mururu self-assigned this Apr 27, 2017
mururu pushed a commit to mururu/fluentd that referenced this issue May 22, 2017
repeatedly added a commit that referenced this issue May 26, 2017
Mask all secret parameters in worker section, fix #1553