[improve][broker/proxy] Optionally prevent role/originalPrincipal logging #23386

Open: wants to merge 9 commits into base: master

KannarFr (Contributor) commented Oct 1, 2024

Motivation

Add an option in broker and proxy to optionally prevent them from logging role or originalPrincipal. If the option is activated, they will log [REDACTED].

If I missed some logs, please share them.

Verifying this change

  • Make sure that the change passes the CI checks.

This change is a trivial rework / code cleanup without any test coverage.

Does this pull request potentially affect one of the following parts:

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

github-actions bot added the doc-not-needed label (Your PR changes do not impact docs) Oct 1, 2024

lhotari (Member) commented Oct 1, 2024

> Add an option in broker and proxy to optionally prevent them from logging role or originalPrincipal. If the option is activated, they will log [REDACTED].

Do you have a chance to share some details of the use case where this is needed? Does the role contain sensitive information? Is this a compliance requirement to not log it?

KannarFr (Contributor, Author) commented Oct 2, 2024

> > Add an option in broker and proxy to optionally prevent them from logging role or originalPrincipal. If the option is activated, they will log [REDACTED].
>
> Do you have a chance to share some details of the use case where this is needed? Does the role contain sensitive information? Is this a compliance requirement to not log it?

We use token-based authN/authZ, so the role contains the token. This PR will remove logging them and reduce log storage, as we produce like 30 logs/s just for logging role content (with a 500-byte token).

@KannarFr KannarFr force-pushed the optionallyPreventRoleLogging branch from 7e68070 to 29687ce Compare October 3, 2024 11:04
KannarFr (Contributor, Author) commented Oct 3, 2024

@lhotari I defined two configuration keys for broker and proxy. One anonymizes using SHA-256. The other puts REDACTED. Is that ok?
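
The two log modes described in the comment above, sketched as an added example (not code from this PR or from Pulsar). The class, enum and method names are hypothetical, the sample role is constructed, and `HexFormat` assumes Java 17 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;

/** Hypothetical helper; class, enum and method names are assumptions, not Pulsar APIs. */
public final class RoleLogSanitizer {

    /** How a role or originalPrincipal is rendered in a log line. */
    public enum Mode { PLAIN, REDACTED, SHA256 }

    private final Mode mode;

    public RoleLogSanitizer(Mode mode) {
        this.mode = mode;
    }

    /** Returns the value to hand to the logger in place of the raw role. */
    public String forLog(String role) {
        if (role == null) {
            return null; // nothing sensitive to hide when no role is set
        }
        switch (mode) {
            case REDACTED:
                return "[REDACTED]";
            case SHA256:
                return "SHA-256:" + sha256Hex(role);
            default:
                return role;
        }
    }

    private static String sha256Hex(String value) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            return HexFormat.of().formatHex(md.digest(value.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required on every Java platform", e);
        }
    }

    public static void main(String[] args) {
        String role = "constructed-sample-token-value"; // constructed sample, not a real token
        for (Mode m : Mode.values()) {
            System.out.println(m + " -> role=" + new RoleLogSanitizer(m).forLog(role));
        }
    }
}
```

The hashed form is always 64 hex characters and is identical for the same role, so log lines can still be correlated per client without the token appearing in them. An unsalted digest only hides the value when the role is high-entropy, as a token is; a short, guessable role name can be recovered by hashing candidates.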

lhotari (Member) commented Oct 3, 2024

> @lhotari I defined two configuration keys for broker and proxy. One anonymizes using SHA-256. The other puts REDACTED. Is that ok?

@KannarFr good progress, I added review comments.

lhotari (Member) left a comment

Great work @KannarFr! 2 minor comments remaining. It would be good to document this as a PIP since most new features are documented that way. You can take a minimal approach for the PIP document and cover the relevant details that are provided in this PR.

github-actions bot added the PIP label Oct 17, 2024

KannarFr (Contributor, Author)

> Great work @KannarFr! 2 minor comments remaining. It would be good to document this as a PIP since most new features are documented that way. You can take a minimal approach for the PIP document and cover the relevant details that are provided in this PR.

Done!
