
nodetool password displayed in logs when in debug mode

Open giom-l opened this issue 3 years ago • 2 comments


Detected version: 0.10.0

The nodetool user and password are stored in the Nodetool class instance.

When a nodetool command is run (like here) and medusa is in debug mode, all nodetool parameters are logged, including the password.

IMO, a password should never be logged anywhere, no matter what the log level is.

┆Issue is synchronized with this Jira Story by Unito

giom-l avatar May 18 '21 15:05 giom-l

Agreed, and good catch 👍

adejanovski avatar May 19 '21 07:05 adejanovski

I see two options:

  1. Generate safe command lines with sensitive data stripped out prior to logging them
  2. Use a specific logger Formatter that uses a regex to replace sensitive data with a hardcoded string, e.g. ***

Option 2 can be extended to include other secrets -- not only nodetool password.

rhardouin avatar May 24 '21 13:05 rhardouin
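Both options from the comment above, as an added example; this is not Medusa's own code and not code posted in the thread. It assumes a nodetool argv of the shape `nodetool -u <user> -pw <password> <subcommand>` (`-u`/`-pw` are nodetool's own flags; the user, password and subcommand values below are constructed). Option 1 is `redact_command`, which masks the argument following a password flag before the command line is logged. Option 2 is `SecretRedactingFormatter`, a `logging.Formatter` that builds a regex from the known secret values and replaces every occurrence in the rendered record, so it also catches a password that reaches a log line through some path other than the command builder.

```python
import io
import logging
import re

# Constructed values standing in for what Medusa reads from its config.
NODETOOL_USER = "cassandra"
NODETOOL_PASSWORD = "s3cr3t-Pa55"

REDACTED = "***"
PASSWORD_FLAGS = ("-pw", "--password")


def redact_command(cmd):
    """Option 1: copy of a nodetool argv with the value that follows a
    password flag replaced by REDACTED. The original list is untouched so
    the real password still reaches subprocess; only the log sees the copy."""
    safe = []
    hide_next = False
    for arg in cmd:
        if hide_next:
            safe.append(REDACTED)
            hide_next = False
            continue
        safe.append(arg)
        hide_next = arg in PASSWORD_FLAGS
    return safe


class SecretRedactingFormatter(logging.Formatter):
    """Option 2: a Formatter that scrubs known secret values from every
    rendered record (message, args and any attached traceback text).
    Values are re.escape'd so passwords containing regex metacharacters
    are matched literally; longest secret first so a secret that is a
    prefix of another one is still masked in full."""

    def __init__(self, secrets, fmt=None):
        super().__init__(fmt)
        escaped = sorted((re.escape(s) for s in secrets if s), key=len, reverse=True)
        self._pattern = re.compile("|".join(escaped)) if escaped else None

    def format(self, record):
        rendered = super().format(record)
        if self._pattern is None:
            return rendered
        return self._pattern.sub(REDACTED, rendered)


def log_nodetool_invocation(cmd, secrets):
    """Log a nodetool argv at DEBUG through a logger wired with the
    redacting formatter and return exactly what reached the log stream."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(SecretRedactingFormatter(secrets, "%(levelname)s %(message)s"))
    logger = logging.getLogger("medusa.example.nodetool")  # hypothetical logger name
    logger.handlers = []
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(handler)
    try:
        # Same mistake as in the report: the full argv goes into the message.
        logger.debug("Executing nodetool command: %s", " ".join(cmd))
        handler.flush()
    finally:
        logger.removeHandler(handler)
    return stream.getvalue()


if __name__ == "__main__":
    cmd = ["nodetool", "-u", NODETOOL_USER, "-pw", NODETOOL_PASSWORD, "snapshot", "-t", "medusa"]
    print("option 1:", " ".join(redact_command(cmd)))
    print("option 2:", log_nodetool_invocation(cmd, [NODETOOL_PASSWORD]), end="")
```

The two approaches fail differently: option 1 only knows about the flags it was taught, so a password passed via a new flag or logged from another call site leaks; option 2 only knows about the values it was given, so a secret that is not registered with the formatter leaks. Using both, with the formatter as the safety net, covers each one's blind spot.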