Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

log-backup: secrets may be directly logging to log when --send-credentials-to-tikv=false not set during starting log backup #55273

Closed
YuJuncen opened this issue Aug 7, 2024 · 0 comments · Fixed by #55622
Labels
affects-6.5 This bug affects the 6.5.x(LTS) versions. affects-7.1 This bug affects the 7.1.x(LTS) versions. affects-7.5 This bug affects the 7.5.x(LTS) versions. affects-8.1 This bug affects the 8.1.x(LTS) versions. component/br This issue is related to BR of TiDB. severity/major type/bug The issue is confirmed as a bug.

Comments

@YuJuncen
Copy link
Contributor

YuJuncen commented Aug 7, 2024

Bug Report

Please answer these questions before submitting your issue. Thanks!

1. Minimal reproduce step (Required)

  1. Start a log backup task:
$ tiup br:v8.1.0 log start -u upd-1:2379 --task-name fiolvit -s (s3altpath test)
Starting component `br`: /root/.tiup/components/br/v8.1.0/br log start -u upd-1:2379 --task-name fiolvit -s s3://astro/test?endpoint=http://minio:9000
Detail BR log in /tmp/br.log.2024-08-07T17.45.19+0800
[2024/08/07 17:45:19.859 +08:00] [INFO] [collector.go:77] ["log start"] [streamTaskInfo="{taskName=fiolvit,startTs=451680354413576193,endTS=999999999999999999,tableFilter=*.*}"] [pausing=false] [rangeCount=2]
[2024/08/07 17:45:23.269 +08:00] [INFO] [collector.go:77] ["log start success summary"] [total-ranges=0] [ranges-succeed=0] [ranges-failed=0] [backup-checksum=32.966226ms] [total-take=3.715794709s]

And then, check the TiDB log.

2. What did you expect to see? (Required)

It shouldn't contain sensetive information.

3. What did you see instead (Required)

[2024/08/07 17:45:19.844 +08:00] [INFO] [advancer.go:399] ["added event"] [task="storage:<s3:<endpoint:\"http://minio:9000\" region:\"us-east-1\" bucket:\"astro\" prefix:\"test\" access_key:\"minioadmin\" secret_access_key:\"minioadmin\" force_path_style:true > > start_ts:451680354413576193 end_ts:999999999999999999 name:\"fiolvit\" table_filter:\"*.*\" compression_type:ZSTD "] [ranges="{[6D, 6E), [74, 75)}"] [current-checkpoint=451680188790996992]

Notice here, our secret key was printed:

... access_key:\"minioadmin\" secret_access_key:\"minioadmin\" ...

4. What is your TiDB version? (Required)

Current master.

Note: It is always unsafe to enable --send-credentials-to-tikv when starting log backup because: it will store the credentials to PD, and won't rotate them. Then, when the session key expired, there is no way to refresh them(Also anyone that can access PD can query them...). Authorize by IAM roles or other context of the TiKV node are more recommended in productive environment.

@YuJuncen YuJuncen added the type/bug The issue is confirmed as a bug. label Aug 7, 2024
@BornChanger BornChanger added component/br This issue is related to BR of TiDB. severity/major labels Aug 7, 2024
@BornChanger BornChanger added affects-6.5 This bug affects the 6.5.x(LTS) versions. affects-7.1 This bug affects the 7.1.x(LTS) versions. affects-7.5 This bug affects the 7.5.x(LTS) versions. affects-8.1 This bug affects the 8.1.x(LTS) versions. and removed may-affects-5.4 This bug maybe affects 5.4.x versions. may-affects-6.1 may-affects-6.5 may-affects-7.1 may-affects-7.5 may-affects-8.1 labels Aug 7, 2024
@ti-chi-bot ti-chi-bot bot closed this as completed in 51ffa22 Aug 28, 2024
ti-chi-bot bot pushed a commit that referenced this issue Sep 5, 2024
ti-chi-bot bot pushed a commit that referenced this issue Sep 27, 2024
ti-chi-bot bot pushed a commit that referenced this issue Nov 11, 2024
ti-chi-bot bot pushed a commit that referenced this issue Dec 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
affects-6.5 This bug affects the 6.5.x(LTS) versions. affects-7.1 This bug affects the 7.1.x(LTS) versions. affects-7.5 This bug affects the 7.5.x(LTS) versions. affects-8.1 This bug affects the 8.1.x(LTS) versions. component/br This issue is related to BR of TiDB. severity/major type/bug The issue is confirmed as a bug.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants