From 095509d3ee17445a6eeb29dc4913558aa7437586 Mon Sep 17 00:00:00 2001 From: Jason Bryan Date: Thu, 27 Jun 2024 15:52:11 -0400 Subject: [PATCH 1/5] Avoid logging ES credentials --- esrally/utils/process.py | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/esrally/utils/process.py b/esrally/utils/process.py index 18eb22c43..d29f9c090 100644 --- a/esrally/utils/process.py +++ b/esrally/utils/process.py @@ -17,6 +17,7 @@ import logging import os +import re import shlex import subprocess import time @@ -181,7 +182,13 @@ def find_all_other_rally_processes() -> List[psutil.Process]: def kill_all(predicate: Callable[[psutil.Process], bool]) -> None: def kill(p: psutil.Process): - logging.getLogger(__name__).info("Killing lingering process with PID [%s] and command line [%s].", p.pid, p.cmdline()) + # Do not leak Elasticsearch authentication credentials to the log + p_cmdline = p.cmdline() + for i, s in enumerate(p_cmdline): + if "--client-options" in s: + p_cmdline[i] = re.sub(r"basic_auth_password:'.+'", "basic_auth_password:'*****'", s) + p_cmdline[i] = re.sub(r"api_key:'.+'", "api_key:'*****'", s) + logging.getLogger(__name__).info("Killing lingering process with PID [%s] and command line [%s].", p.pid, p_cmdline) p.kill() # wait until process has terminated, at most 3 seconds. Otherwise we might run into race conditions with actor system # sockets that are still open. From d93f7fe39935e9d63517f2bc77e56b66288e6f5c Mon Sep 17 00:00:00 2001 From: Jason Bryan Date: Fri, 28 Jun 2024 13:00:06 -0400 Subject: [PATCH 2/5] Simplify by redacting the value for client options --- esrally/utils/process.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/esrally/utils/process.py b/esrally/utils/process.py index d29f9c090..164fc490d 100644 --- a/esrally/utils/process.py +++ b/esrally/utils/process.py 
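Review bot: In [PATCH 1/5] both `re.sub` calls in `kill()` read from `s`, so the second assignment overwrites the first and a `basic_auth_password` value still reaches the log unredacted. The second call should take the already-masked string: `p_cmdline[i] = re.sub(r"api_key:'.+'", "api_key:'*****'", p_cmdline[i])`. The greedy `.+'` also runs to the last quote in the argument, so it swallows any options after the secret; `[^']+` would keep the mask to the one value. The body of `kill()` continues below the hunk.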
@@ -182,12 +182,11 @@ def find_all_other_rally_processes() -> List[psutil.Process]: def kill_all(predicate: Callable[[psutil.Process], bool]) -> None: def kill(p: psutil.Process): - # Do not leak Elasticsearch authentication credentials to the log + # Redact client options as it contains sensitive information like passwords p_cmdline = p.cmdline() for i, s in enumerate(p_cmdline): if "--client-options" in s: - p_cmdline[i] = re.sub(r"basic_auth_password:'.+'", "basic_auth_password:'*****'", s) - p_cmdline[i] = re.sub(r"api_key:'.+'", "api_key:'*****'", s) + p_cmdline[i] = "=".join((s.split("=")[0], '"*****"')) logging.getLogger(__name__).info("Killing lingering process with PID [%s] and command line [%s].", p.pid, p_cmdline) p.kill() # wait until process has terminated, at most 3 seconds. Otherwise we might run into race conditions with actor system From 878fb2d976ae2885dd99e99934ace0c9eb93062b Mon Sep 17 00:00:00 2001 From: Jason Bryan Date: Fri, 28 Jun 2024 13:07:11 -0400 Subject: [PATCH 3/5] re import no longer needed --- esrally/utils/process.py | 1 - 1 file changed, 1 deletion(-) diff --git a/esrally/utils/process.py b/esrally/utils/process.py index 164fc490d..c0189b81a 100644 --- a/esrally/utils/process.py +++ b/esrally/utils/process.py @@ -17,7 +17,6 @@ import logging import os -import re import shlex import subprocess import time From d5a6508fdc9aae38c821e32dae738a41354e8e94 Mon Sep 17 00:00:00 2001 From: Jason Bryan Date: Fri, 28 Jun 2024 13:43:25 -0400 Subject: [PATCH 4/5] Refector and use a function --- esrally/utils/process.py | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/esrally/utils/process.py b/esrally/utils/process.py index c0189b81a..0380b79d6 100644 --- a/esrally/utils/process.py +++ b/esrally/utils/process.py 
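Review bot: In [PATCH 2/5] the loop in `kill()` only masks the argv element that itself contains `--client-options`, so the secret is hidden only for the `--client-options=<value>` spelling. If the process was started with the space-separated form (which argparse-style parsers generally accept), that element has no `=`, it becomes `--client-options="*****"`, and the next element, holding the password or API key, is logged as is. `redact_cmdline` in [PATCH 4/5] carries the same expression and the same gap. Masking the element that follows a bare `--client-options` closes it. A small unit test covering both spellings would keep the redaction from regressing. The body of `kill()` continues below the hunk.

```python
p_cmdline = p.cmdline()
mask_next = False
for i, s in enumerate(p_cmdline):
    if mask_next:
        # value of a space-separated "--client-options <value>"
        p_cmdline[i] = '"*****"'
        mask_next = False
    elif "--client-options" in s:
        if "=" in s:
            p_cmdline[i] = "=".join((s.split("=")[0], '"*****"'))
        else:
            # the value arrives as the next argv element
            mask_next = True
# … unchanged: logging call with p_cmdline, p.kill() …
```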
@@ -179,14 +179,17 @@ def find_all_other_rally_processes() -> List[psutil.Process]: return others +def redact_cmdline(cmdline: list) -> List[str]: + """ + Redact client options in p.cmdline as it contains sensitive information like passwords + """ + + return ["=".join((value.split("=")[0], '"*****"')) if "--client-options" in value else value for value in cmdline] + + def kill_all(predicate: Callable[[psutil.Process], bool]) -> None: def kill(p: psutil.Process): - # Redact client options as it contains sensitive information like passwords - p_cmdline = p.cmdline() - for i, s in enumerate(p_cmdline): - if "--client-options" in s: - p_cmdline[i] = "=".join((s.split("=")[0], '"*****"')) - logging.getLogger(__name__).info("Killing lingering process with PID [%s] and command line [%s].", p.pid, p_cmdline) + logging.getLogger(__name__).info("Killing lingering process with PID [%s] and command line [%s].", p.pid, redact_cmdline(p.cmdline)) p.kill() # wait until process has terminated, at most 3 seconds. Otherwise we might run into race conditions with actor system # sockets that are still open. From f6a3a893d974ba51c4018c556602b2d570b47fcf Mon Sep 17 00:00:00 2001 From: Grzegorz Banasiak Date: Mon, 1 Jul 2024 13:42:01 +0200 Subject: [PATCH 5/5] Fix cmdline method --- esrally/utils/process.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/esrally/utils/process.py b/esrally/utils/process.py index 0380b79d6..6a283a723 100644 --- a/esrally/utils/process.py +++ b/esrally/utils/process.py @@ -181,7 +181,7 @@ def find_all_other_rally_processes() -> List[psutil.Process]: def redact_cmdline(cmdline: list) -> List[str]: """ - Redact client options in p.cmdline as it contains sensitive information like passwords + Redact client options in cmdline as it contains sensitive information like passwords """ return ["=".join((value.split("=")[0], '"*****"')) if "--client-options" in value else value for value in cmdline] 
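Review bot: In [PATCH 4/5] the log call passes the bound method `p.cmdline` to `redact_cmdline` instead of its result, so the list comprehension raises `TypeError` while the arguments are evaluated and `p.kill()` on the next line is never reached. The call needs the parentheses, `redact_cmdline(p.cmdline())`, which [PATCH 5/5] later supplies. A unit test that feeds `redact_cmdline` a plain list of strings and checks the masked output would have caught this. It would also pin the redaction behaviour, since the annotation `cmdline: list` does not stop a non-list being passed. The body of `kill()` continues below the hunk.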
@@ -189,7 +189,9 @@ def redact_cmdline(cmdline: list) -> List[str]: def kill_all(predicate: Callable[[psutil.Process], bool]) -> None: def kill(p: psutil.Process): - logging.getLogger(__name__).info("Killing lingering process with PID [%s] and command line [%s].", p.pid, redact_cmdline(p.cmdline)) + logging.getLogger(__name__).info( + "Killing lingering process with PID [%s] and command line [%s].", p.pid, redact_cmdline(p.cmdline()) + ) p.kill() # wait until process has terminated, at most 3 seconds. Otherwise we might run into race conditions with actor system # sockets that are still open.