
cbbackupmgr shouldn't log/collect sensitive information


    Details

    • Triage:
      Untriaged
    • Story Points:
      1
    • Is this a Regression?:
      No

      Description

      What's the issue?
      There are a couple of places where 'cbbackupmgr' may implicitly capture sensitive information where it shouldn't. For example:
      1) 'cbbackupmgr' logs the S3 access keys at the beginning of running a sub-command (6.6.x+ only)
      2) Some of the (platform-specific) commands run when collecting system information may capture the command line arguments of other processes on the system.

      Steps to reproduce #1
      1) Install Couchbase Server 6.6.0-7897 on a Windows Server 2016 machine
      2) Run a backup to S3.
      3) Run collect-logs against S3 using cbbackupmgr; the logs are collected fine, but the log file displays all S3 credentials in plain text.

       
       -c localhost -u <ud>Administrator</ud> -p ******** -r backup -a s3://bkrepo --obj-access-key-id AKIAJP --obj-secret-access-key xzsNfaTXZWBf --obj-staging-dir /root/bk-staging --obj-region us-west-2 
      2020-08-04T22:48:59.413+00:00 (Cmd) mounted archive with id: 2b4c1837-86c1-4275-8934-9d138b2f7709
      2020-08-04T22:48:59.415+00:00 (Rest) GET http://localhost:8091/pools 200
      2020-08-04T22:48:59.419+00:00 (Rest) GET http://localhost:8091/pools/default 200
      2020-08-04T22:48:59.424+00:00 (Rest) GET http://localhost:8091/pools/default/buckets 200
      2020-08-04T22:48:59.468+00:00 (Rest) GET http://localhost:8091/pools/default/buckets 200
      2020-08-04T22:48:59.473+00:00 (Rest) GET http://localhost:8091/pools/default/buckets/travel-sample 200
      2020-08-04T22:48:59.475+00:00 (Rest) GET http://localhost:8091/pools 200
      2020-08-04T22:48:59.475+00:00 (Cmd) Backing up cluster 759547ebd21e733e4173ad953bb0b196
      2020-08-04T22:48:59.476+00:00 (Stats) Starting stat gathering - stat timestamp: 1596581339
      2020-08-04T22:48:59.476+00:00 (Plan) Transferring cluster configuration
      2020-08-04T22:48:59.477+00:00 (Rest) 
      

      We need to mask them, as is already done for the password.
      This issue prevents uploading logs to MB-40764.
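The fix the issue asks for is a log-safe rendering of the command line that masks every secret-bearing option the same way `-p` already is. The following Go function is an added illustration of that technique, not cbbackupmgr's own `cmdLineArgsToString`; the flag names are the ones visible in the log excerpt above, the function and variable names are assumptions, and the sample arguments (key id, secret) are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// sensitiveFlags lists the options whose values must never reach a log file.
// The flag names come from the reproduction above; the masking logic is an
// illustrative example (assumed names), not the project's own code.
var sensitiveFlags = map[string]bool{
	"-p":                      true,
	"--password":              true,
	"--obj-access-key-id":     true,
	"--obj-secret-access-key": true,
}

// masked is the placeholder written in place of every secret value.
const masked = "********"

// MaskArgs returns a copy of args in which the value of every sensitive flag
// is replaced by the mask. Both "--flag value" and "--flag=value" spellings
// are handled; a sensitive flag that is the last token (no value) is left as is.
func MaskArgs(args []string) []string {
	out := make([]string, 0, len(args))
	for i := 0; i < len(args); i++ {
		arg := args[i]

		// "--flag=value": keep the name, mask everything after the first '='.
		if parts := strings.SplitN(arg, "=", 2); len(parts) == 2 && sensitiveFlags[parts[0]] {
			out = append(out, parts[0]+"="+masked)
			continue
		}

		out = append(out, arg)

		// "--flag value": mask the following token and skip over it.
		if sensitiveFlags[arg] && i+1 < len(args) {
			out = append(out, masked)
			i++
		}
	}
	return out
}

// CmdLineToString renders the masked command line as one log-safe string.
func CmdLineToString(args []string) string {
	return strings.Join(MaskArgs(args), " ")
}

func main() {
	// Constructed sample; the key id and secret are placeholders, not real credentials.
	args := []string{
		"-c", "localhost", "-u", "Administrator", "-p", "example-password",
		"-r", "backup", "-a", "s3://bkrepo",
		"--obj-access-key-id", "AKIAEXAMPLEKEYID",
		"--obj-secret-access-key=example-secret-value",
		"--obj-staging-dir", "/root/bk-staging", "--obj-region", "us-west-2",
	}
	fmt.Println(CmdLineToString(args))
}
```

Keeping the list of sensitive flags in one table, and masking before the string is ever built, means a new credential-bearing option only needs one entry added to the table to stay out of the logs; the `--flag=value` case matters because a masking routine that only looks at the token after the flag would still leak the secret in that spelling.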

        Attachments


          Activity

          thuan Thuan Nguyen created issue -
          pvarley Patrick Varley made changes -
          Field Original Value New Value
          Assignee Patrick Varley [ pvarley ] James Lee [ james.lee ]
          james.lee James Lee made changes -
          Summary [CBM] cbbackupmgr collect-logs should not display raw access-key and secret-key in cbbackupmgr log file -> cbbackupmgr 'cmdLineArgsToString' does not correctly mask object store credentials
          james.lee James Lee made changes -
          Fix Version/s 6.6.0 [ 16787 ]
          pvarley Patrick Varley made changes -
          Due Date 05/Aug/20
          james.lee James Lee made changes -
          Status Open [ 1 ] In Progress [ 3 ]
          till Till Westmann made changes -
          Link This issue blocks MB-38724 [ MB-38724 ]
          till Till Westmann made changes -
          Labels approved-for-6.6.0
          james.lee James Lee made changes -
          Resolution Fixed [ 1 ]
          Status In Progress [ 3 ] Resolved [ 5 ]
          james.lee James Lee made changes -
          Assignee James Lee [ james.lee ] Thuan Nguyen [ thuan ]
          thuan Thuan Nguyen made changes -
          Resolution Fixed [ 1 ]
          Status Resolved [ 5 ] Reopened [ 4 ]
          thuan Thuan Nguyen made changes -
          Attachment ss 2020-08-05 at 5.23.30 PM.png [ 103181 ]
          arunkumar Arunkumar Senthilnathan made changes -
          Assignee Thuan Nguyen [ thuan ] James Lee [ james.lee ]
          james.lee James Lee made changes -
          Link This issue relates to MB-40783 [ MB-40783 ]
          james.lee James Lee made changes -
          james.lee James Lee made changes -
          james.lee James Lee made changes -
          james.lee James Lee made changes -
          Assignee James Lee [ james.lee ] Thuan Nguyen [ thuan ]
          Resolution Fixed [ 1 ]
          Status Reopened [ 4 ] Resolved [ 5 ]
          arunkumar Arunkumar Senthilnathan made changes -
          Status Resolved [ 5 ] Closed [ 6 ]
          wayne Wayne Siu made changes -
          Link This issue relates to CBD-3571 [ CBD-3571 ]
          james.lee James Lee made changes -
          Assignee Thuan Nguyen [ thuan ] James Lee [ james.lee ]
          Resolution Fixed [ 1 ]
          Status Closed [ 6 ] Reopened [ 4 ]
          james.lee James Lee made changes -
          Fix Version/s 6.5.2 [ 17223 ]
          wayne Wayne Siu made changes -
          Link This issue blocks MB-42583 [ MB-42583 ]
          wayne Wayne Siu made changes -
          Labels approved-for-6.6.0 approved-for-6.5.2 approved-for-6.6.0
          james.lee James Lee made changes -
          Summary cbbackupmgr 'cmdLineArgsToString' does not correctly mask object store credentials -> cbbackupmgr shouldn't log/collect sensitive information
          james.lee James Lee made changes -
          Description (updated; the new text is the Description shown above)
          james.lee James Lee made changes -
          Status Reopened [ 4 ] In Progress [ 3 ]
          james.lee James Lee made changes -
          Assignee James Lee [ james.lee ] Thuan Nguyen [ thuan ]
          Resolution Fixed [ 1 ]
          Status In Progress [ 3 ] Resolved [ 5 ]
          james.lee James Lee made changes -
          Assignee Thuan Nguyen [ thuan ] James Lee [ james.lee ]
          Resolution Fixed [ 1 ]
          Status Resolved [ 5 ] Reopened [ 4 ]
          james.lee James Lee made changes -
          Assignee James Lee [ james.lee ] Thuan Nguyen [ thuan ]
          Resolution Fixed [ 1 ]
          Status Reopened [ 4 ] Resolved [ 5 ]
          asad.zaidi Asad Zaidi made changes -
          asad.zaidi Asad Zaidi made changes -
          asad.zaidi Asad Zaidi made changes -
          arunkumar Arunkumar Senthilnathan made changes -
          Status Resolved [ 5 ] Closed [ 6 ]

            People

            Assignee:
            thuan Thuan Nguyen
            Reporter:
            thuan Thuan Nguyen
            Votes:
            0
            Watchers:
            8
