Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Redact S3 credentials from logs #10811

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Redact S3 credentials from logs #10811

wants to merge 1 commit into from

Conversation

jerome079
Copy link

Description

This PR addresses a security issue where S3 credentials used for Secondary Storage were being logged in plain text in CloudStack logs (access.log and management-server.log). Even when debug logging is enabled, secret credentials such as accessKey and secretKey should never appear in logs.

Fix details:

  • Redacts the accessKey and secretKey from the S3TO object before logging DownloadCommand in NfsSecondaryStorageResource.java.
  • Adds a unit test in NfsSecondaryStorageResourceTest.java to verify that credentials are redacted.

Steps to reproduce the issue:

  1. Deploy CloudStack 4.20.0.0 with KVM and Ceph RGW S3 as Secondary Storage.
  2. Create a Secondary Storage using S3 credentials.
  3. Observe logs in /var/log/cloudstack/management/access.log or management-server.log — credentials will be printed.

Fixes: #10339

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • test (unit or integration test code)

Bug Severity

  • Major

How Has This Been Tested?

  • Added a unit test that mocks S3TO and verifies that setAccessKey("***REDACTED***") and setSecretKey("***REDACTED***") are called during executeRequest.

@boring-cyborg boring-cyborg
Copy link

boring-cyborg bot commented May 4, 2025

Congratulations on your first Pull Request and welcome to the Apache CloudStack community! If you have any issues or are unsure about any anything please check our Contribution Guide (https://github.com/apache/cloudstack/blob/main/CONTRIBUTING.md)
Here are some useful points:

DaanHoogland
DaanHoogland reviewed May 5, 2025
View reviewed changes
...server/src/main/java/org/apache/cloudstack/storage/resource/NfsSecondaryStorageResource.java
Comment on lines +288 to +293
DataStoreTO store = safeCmd.getDataStore();
if (store instanceof S3TO) {
((S3TO) store).setAccessKey("***REDACTED***");
((S3TO) store).setSecretKey("***REDACTED***");
}
logger.debug(LogUtils.logGsonWithoutException("Executing command %s [%s].", safeCmd.getClass().getSimpleName(), safeCmd));
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

code looks good, but it seems this should be in LogUtils. There is other obfuscation code also scattered across the code base, so definately not a 👎 but a mere suggestion.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DaanHoogland DaanHoogland DaanHoogland left review comments

Assignees
No one assigned
Labels
component:secondary-storage component:ssvm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

S3 credentials leak in log files
2 participants
@jerome079 @DaanHoogland