Mask all secrete parameters in worker section, fix fluent#1553
Yuki Ito committed May 22, 2017
1 parent 155ceac commit 0838e65
Showing 4 changed files with 74 additions and 8 deletions.
6 changes: 5 additions & 1 deletion lib/fluent/engine.rb
Expand Up @@ -43,6 +43,8 @@ def initialize
@suppress_config_dump = false

@system_config = SystemConfig.new

@dry_run_mode = false
end

MAINLOOP_SLEEP_INTERVAL = 0.3
Expand All @@ -54,6 +56,8 @@ def initialize
attr_reader :matches, :sources
attr_reader :system_config

attr_accessor :dry_run_mode

def init(system_config)
@system_config = system_config

Expand Down Expand Up @@ -157,7 +161,7 @@ def configure(conf)
$log.enable_event(true) if @log_event_router

unless @suppress_config_dump
$log.info :worker0, "using configuration file: #{conf.to_s.rstrip}"
$log.info :supervisor, "using configuration file: #{conf.to_s.rstrip}"
end
end

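Review bot: `attr_accessor :dry_run_mode` in the second hunk adds a public writer on the engine with no comment saying what the flag changes. From the other files in this commit it makes `RootAgent#configure` treat every `<worker>` section as worker 0, and the masked configuration dump logged in `configure` appears to depend on that pass having run. I would document it directly above the accessor, for example `# True only while the supervisor pre-configures all <worker> sections so the config dump can mask secret parameters; must be false otherwise.` The bodies of `initialize` and `configure` continue outside the hunks.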
3 changes: 3 additions & 0 deletions lib/fluent/root_agent.rb
Expand Up @@ -76,6 +76,9 @@ def configure(conf)
raise ConfigError, "worker id #{target_worker_id} specified by <worker> directive is not allowed. Available worker id is between 0 and #{(Fluent::Engine.system_config.workers - 1)}"
end

## On dry_run mode, all worker sections have to be configured on supervisor (recognized as worker_id = 0).
target_worker_id = 0 if Fluent::Engine.dry_run_mode

e.elements.each do |elem|
unless ['source', 'match', 'filter', 'label'].include?(elem.name)
raise ConfigError, "<worker> section cannot have <#{elem.name}> directive"
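Review bot: With `target_worker_id = 0 if Fluent::Engine.dry_run_mode`, plugins from every `<worker N>` section are configured together in one process, which does not happen in a normal multi-worker run. If any plugin's `configure` reserves a resource or rejects a setting that duplicates another section's (plugin code is not visible here, so this is an assumption), the pre-pass can raise a `ConfigError` that no real worker would hit. The comment should state that this is a configure-only pass and that the flag must never be set in a worker process, e.g. `# Pre-pass only: configure every <worker> section in this process so secrets are masked in the dump; never set in a real worker.` The enclosing `configure` starts and ends outside the hunk.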
26 changes: 21 additions & 5 deletions lib/fluent/supervisor.rb
Expand Up @@ -457,7 +457,7 @@ def run_supervisor
end
end

dry_run if @dry_run
dry_run_cmd if @dry_run
supervise
end

Expand Down Expand Up @@ -514,24 +514,40 @@ def create_socket_manager
ENV['SERVERENGINE_SOCKETMANAGER_PATH'] = socket_manager_path.to_s
end

def dry_run
def dry_run_cmd
$log.info "starting fluentd-#{Fluent::VERSION} as dry run mode"
change_privilege
init_engine
run_configure
@system_config.suppress_config_dump = true
dry_run
exit 0
rescue => e
$log.error "dry run failed: #{e}"
exit 1
end

## Set Engine's dry_run_mode true to override all target_id of worker sections
def dry_run
begin
Fluent::Engine.dry_run_mode = true
change_privilege
init_engine
run_configure
Fluent::Engine.dry_run_mode = false
rescue Fluent::ConfigError => e
$log.error "config error", file: @config_path, error: e
$log.debug_backtrace
end
end

def show_plugin_config
name, type = @show_plugin_config.split(":") # input:tail
$log.info "Use fluent-plugin-config-format --format=txt #{name} #{type}"
exit 0
end

def supervise
# Make dumpable conf, which is set corresponding_proxies for all elements in all worker sections
dry_run

Process.setproctitle("supervisor:#{@process_name}") if @process_name
$log.info "starting fluentd-#{Fluent::VERSION}", pid: Process.pid

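Review bot: `dry_run_cmd` now reaches `exit 0` on an invalid configuration, because the new `dry_run` rescues `Fluent::ConfigError`, logs it and returns, so the `rescue => e` / `exit 1` path is never taken for that error class. The same method resets `Fluent::Engine.dry_run_mode = false` only on the success path, so any exception leaves the flag set for whatever configures next in this process. In `supervise` a failed pre-pass is only logged, and whether a later dump would still mask secrets in that case cannot be confirmed from this hunk. I would reset the flag in `ensure`, let the error propagate out of `dry_run`, and keep the log-and-continue handling at the `supervise` call site, as sketched below.

```ruby
def dry_run
  Fluent::Engine.dry_run_mode = true
  change_privilege
  init_engine
  run_configure
ensure
  # Restore the flag even when configuration raises.
  Fluent::Engine.dry_run_mode = false
end

# … unchanged: show_plugin_config …

def supervise
  # Make dumpable conf, which is set corresponding_proxies for all elements in all worker sections
  begin
    dry_run
  rescue Fluent::ConfigError => e
    $log.error "config error", file: @config_path, error: e
    $log.debug_backtrace
  end
  # … unchanged: setproctitle and startup log …
```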
47 changes: 45 additions & 2 deletions test/command/test_fluentd.rb
Expand Up @@ -442,8 +442,7 @@ def assert_fluentd_fails_to_start(cmdline, *pattern_list, timeout: 10)

assert_fluentd_fails_to_start(
create_cmdline(conf_path, "-p", File.dirname(plugin_path)),
"error_class=SyntaxError",
"in_buggy.rb:5: syntax error, unexpected end-of-input, expecting keyword_end",
"in_buggy.rb:5: syntax error, unexpected end-of-input, expecting keyword_end (SyntaxError)"
)
end
end
Expand Down Expand Up @@ -821,4 +820,48 @@ def write(chunk)
)
end
end

sub_test_case 'config dump' do
test 'all secret parameters in worker section is sealed' do
script = <<-EOC
require 'fluent/plugin/input'
module Fluent::Plugin
class FakeInput < Input
Fluent::Plugin.register_input('fake', self)
config_param :secret, :string, secret: true
end
end
EOC
plugin_path = create_plugin_file('in_fake.rb', script)

conf = <<CONF
<system>
workers 2
</system>
<worker 0>
<source>
@type fake
secret secret0
</source>
<match>
@type null
</match>
</worker>
<worker 1>
<source>
@type fake
secret secret1
</source>
<match>
@type null
</match>
</worker>
CONF
conf_path = create_conf_file('secret_in_worker.conf', conf)
assert File.exist?(conf_path)

assert_log_matches(create_cmdline(conf_path, "-p", File.dirname(plugin_path)),
"secret xxxxxx", patterns_not_match: ["secret secret0", "secret secret1"])
end
end
end
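Review bot: The new 'config dump' test is satisfied by a single occurrence of `secret xxxxxx`, so it would not notice a `<worker 1>` section that is missing from the dump rather than masked; only the two `patterns_not_match` entries guard against the raw values. Assuming the dump prints the section tags, adding `"<worker 0>"` and `"<worker 1>"` to the expected patterns would pin that both sections are dumped and sealed. There is also no case that runs this configuration with `--dry-run`, which is the other path this commit changes in `supervisor.rb`, so its exit status and output are not covered.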
