Filter sensitive values from being logged in ProcessProxy #1279

Merged
merged 27 commits into from
Mar 14, 2023
Commits
449b25f
Update gateway_client.py
starskyreverie Feb 23, 2023
bdffd13
Update gateway_client.py
starskyreverie Feb 23, 2023
e32f624
Fix linting :)
starskyreverie Feb 23, 2023
c6ddd69
remove trailing whitespace
starskyreverie Feb 23, 2023
7e9a55e
Update gateway_client.py
starskyreverie Feb 23, 2023
9ce015c
Update gateway_client.py
starskyreverie Feb 23, 2023
b181302
Fix execute calls everywhere
starskyreverie Feb 23, 2023
a35da15
fixes
starskyreverie Feb 23, 2023
2a90a0b
fix tests
starskyreverie Feb 23, 2023
88259c2
fix test
starskyreverie Feb 23, 2023
d3d9a6d
Fix log
starskyreverie Feb 23, 2023
3dec739
Remove 'is defined' from jinja templates
starskyreverie Mar 3, 2023
9776d5f
Remove remaining 'is defined's
starskyreverie Mar 3, 2023
e50d352
Add back to numeric variables in Jinja templates
starskyreverie Mar 3, 2023
013879f
Add back to kernel uid/gid
starskyreverie Mar 3, 2023
33e59a4
woops
starskyreverie Mar 3, 2023
c6553d8
few fixes
starskyreverie Mar 3, 2023
de7ff4d
Merge branch 'jupyter-oss:main' into main
starskyreverie Mar 14, 2023
94ce1d4
Filter sensitive values from being logged in processproxy
starskyreverie Mar 14, 2023
a0dd2ca
[pre-commit.ci] auto fixes from pre-commit.com hooks
pre-commit-ci[bot] Mar 14, 2023
1d73385
Copy dict
starskyreverie Mar 14, 2023
f2cce39
Merge branch 'main' of https://github.com/pq43/enterprise_gateway
starskyreverie Mar 14, 2023
3800f31
[pre-commit.ci] auto fixes from pre-commit.com hooks
pre-commit-ci[bot] Mar 14, 2023
e047e1d
test fixes
starskyreverie Mar 14, 2023
9ef7ccc
Merge branch 'main' of https://github.com/pq43/enterprise_gateway
starskyreverie Mar 14, 2023
14189b9
change from kwarg to env variable
starskyreverie Mar 14, 2023
cfd2b65
Add logs, lower
starskyreverie Mar 14, 2023
9 changes: 9 additions & 0 deletions docs/source/operators/config-add-env.md
Expand Up @@ -32,6 +32,15 @@ Besides those environment variables associated with configurable options, the fo
startup attempt will take place. If a second timeout occurs, Enterprise
Gateway will report a failure to the client.

EG_SENSITIVE_ENV_KEYS=""
A comma separated list (e.g. "secret,pwd,auth") of sensitive environment
variables. Any environment variables that contain any of the words from this
list will have their values as EG_REDACTION_MASK whenever logged.

EG_REDACTION_MASK=********
The redaction mask used if EG_SENSITIVE_ENV_KEYS is set. Sensitive environment
variables will be logged as this redaction mask instead.

EG_KERNEL_LOG_DIR=/tmp
The directory used during remote kernel launches of DistributedProcessProxy
kernels. Files in this directory will be of the form kernel-<kernel_id>.log.
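
Review bot: the EG_SENSITIVE_ENV_KEYS entry does not document how matching works, and "whenever logged" promises more than this change delivers. The code in processproxy.py lowercases both sides and tests each list entry as a substring of the variable name, so the text should say that matching is case-insensitive, applies to the variable's name (not its value), and that a short entry such as "auth" masks every variable whose name contains it. The only log statement filtered in this patch is the debug line in BaseProcessProxy.launch_process(), so either name that scope or drop "whenever". The sentence "will have their values as EG_REDACTION_MASK" is also missing a verb; "will have their values replaced by EG_REDACTION_MASK" reads correctly. It is worth stating that entries are not trimmed, so the list has to be written without spaces after the commas.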
14 changes: 13 additions & 1 deletion enterprise_gateway/services/processproxies/processproxy.py
Expand Up @@ -56,6 +56,10 @@
# Pop certain env variables that don't need to be logged, e.g. remote_pwd
env_pop_list = ["EG_REMOTE_PWD", "LS_COLORS"]

# Comma separated list of env variables that shouldn't be logged
sensitive_env_keys = os.getenv("EG_SENSITIVE_ENV_KEYS", "").lower().split(",")
redaction_mask = os.getenv("EG_REDACTION_MASK", "********")

default_kernel_launch_timeout = float(os.getenv("EG_KERNEL_LAUNCH_TIMEOUT", "30"))
max_poll_attempts = int(os.getenv("EG_MAX_POLL_ATTEMPTS", "10"))
poll_interval = float(os.getenv("EG_POLL_INTERVAL", "0.5"))
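
Review bot: the new sensitive_env_keys assignment produces [""] rather than an empty list when EG_SENSITIVE_ENV_KEYS is unset, because "".split(",") returns a list holding one empty string. That list is truthy, and the empty string is a substring of every key, so with the documented default every environment value in the launch_process() debug line is replaced by the mask. A trailing comma ("secret,") has the same effect, and an entry written with a space (" pwd" from "secret, pwd") never matches. Strip each entry and drop the empty ones when building the list, for example with a comprehension that keeps k.strip() only when it is non-empty, so the default really means "nothing is redacted" and the if sensitive_env_keys guard in launch_process() becomes meaningful.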
Expand Down Expand Up @@ -518,7 +522,15 @@ async def launch_process(self, kernel_cmd: str, **kwargs: dict[str, Any] | None)

self._enforce_authorization(**kwargs)

self.log.debug("BaseProcessProxy.launch_process() env: {}".format(kwargs.get("env")))
# Filter sensitive values from being logged
env_copy = kwargs.get("env").copy()

if sensitive_env_keys:
for key in list(env_copy):
if any(phrase in key.lower() for phrase in sensitive_env_keys):
env_copy[key] = redaction_mask

self.log.debug(f"BaseProcessProxy.launch_process() env: {env_copy}")

def launch_kernel(
self, cmd: list[str], **kwargs: dict[str, Any] | None
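
Review bot: the added line env_copy = kwargs.get("env").copy() raises AttributeError when launch_process() is called without an env kwarg, where the removed log line simply printed None. Default it, e.g. dict(kwargs.get("env") or {}), so that a logging change cannot fail a kernel launch. The copy and the loop also run on every launch even when debug logging is off; guarding the block on the logger's debug level avoids that work. Finally, the if sensitive_env_keys check is always true with the list as built at module level, since split(",") never returns an empty list, so it only becomes useful once empty entries are filtered out there.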