Mask some information in logs by vitlibar · Pull Request #42484 · ClickHouse/ClickHouse

vitlibar · 2022-10-19T11:38:46Z

Changelog category:

Improvement

Changelog entry:

Mask passwords and secret keys both in system.query_log and /var/log/clickhouse-server/*.log and also in error messages.

For example,

CREATE TABLE table2 (`x` int) ENGINE = MongoDB('mongo1:27017', 'db', 'col', 'mongo_user', 'mongo_password')

will be written in logs from now on as

CREATE TABLE table2 (`x` int) ENGINE = MongoDB('mongo1:27017', 'db', 'col', 'mongo_user', '[HIDDEN]')

programs/server/config.xml

src/Interpreters/wipePasswordFromQuery.cpp

src/Parsers/Access/ASTCreateRowPolicyQuery.cpp

src/Interpreters/maskSensitiveInfoInQueryForLogging.cpp

src/Interpreters/maskSensitiveInfoInQueryForLogging.h

src/Interpreters/maskSensitiveInfoInQueryForLogging.cpp

tests/integration/test_mask_sensitive_info_in_logs/test.py

SmitaRKulkarni

Rest all LGTM

…nfig (now it's always masked).

…itors).

nikitamikhaylov · 2022-11-01T00:01:25Z

What about queries for creating dictionaries? Will they also be masked?

CREATE DICTIONARY test_dictionary
(
    `id` UInt64,
    `value` String
)
PRIMARY KEY id
SOURCE(CLICKHOUSE(TABLE 'test_table' PASSWORD 'password'))
LAYOUT(DIRECT())

vitlibar · 2022-11-01T08:41:23Z

What about queries for creating dictionaries? Will they also be masked?

CREATE DICTIONARY test_dictionary
(
    `id` UInt64,
    `value` String
)
PRIMARY KEY id
SOURCE(CLICKHOUSE(TABLE 'test_table' PASSWORD 'password'))
LAYOUT(DIRECT())

yes

alexey-milovidov · 2022-11-02T21:27:38Z

Not for changelog

Why not? We can even highlight this change on the release webinar.

vitlibar changed the title ~~Mask sensitive info in logs~~ Mask some information in logs Oct 19, 2022

robot-ch-test-poll2 added the pr-not-for-changelog This PR should not be mentioned in the changelog label Oct 19, 2022

vitlibar force-pushed the mask-sensitive-info-in-logs branch 5 times, most recently from 1f23a68 to ff5de4e Compare October 20, 2022 17:03

SmitaRKulkarni self-assigned this Oct 21, 2022

SmitaRKulkarni reviewed Oct 24, 2022

View reviewed changes

programs/server/config.xml Outdated Show resolved Hide resolved

SmitaRKulkarni reviewed Oct 24, 2022

View reviewed changes

src/Interpreters/wipePasswordFromQuery.cpp Outdated Show resolved Hide resolved

SmitaRKulkarni reviewed Oct 24, 2022

View reviewed changes

src/Interpreters/wipePasswordFromQuery.cpp Outdated Show resolved Hide resolved

SmitaRKulkarni reviewed Oct 24, 2022

View reviewed changes

src/Parsers/Access/ASTCreateRowPolicyQuery.cpp Outdated Show resolved Hide resolved

vitlibar force-pushed the mask-sensitive-info-in-logs branch 4 times, most recently from adc2de6 to b2076d1 Compare October 25, 2022 06:16

SmitaRKulkarni reviewed Oct 25, 2022

View reviewed changes

src/Interpreters/maskSensitiveInfoInQueryForLogging.cpp Outdated Show resolved Hide resolved

SmitaRKulkarni reviewed Oct 25, 2022

View reviewed changes

src/Interpreters/maskSensitiveInfoInQueryForLogging.cpp Outdated Show resolved Hide resolved

SmitaRKulkarni reviewed Oct 25, 2022

View reviewed changes

src/Interpreters/maskSensitiveInfoInQueryForLogging.h Outdated Show resolved Hide resolved

vitlibar force-pushed the mask-sensitive-info-in-logs branch 2 times, most recently from 8e44ac6 to 5e87f1d Compare October 26, 2022 12:01

SmitaRKulkarni reviewed Oct 27, 2022

View reviewed changes

src/Interpreters/maskSensitiveInfoInQueryForLogging.cpp Outdated Show resolved Hide resolved

SmitaRKulkarni reviewed Oct 27, 2022

View reviewed changes

tests/integration/test_mask_sensitive_info_in_logs/test.py Outdated Show resolved Hide resolved

SmitaRKulkarni reviewed Oct 27, 2022

View reviewed changes

vitlibar force-pushed the mask-sensitive-info-in-logs branch from 25cb5ba to cc2505d Compare October 28, 2022 06:45

SmitaRKulkarni approved these changes Oct 28, 2022

View reviewed changes

vitlibar added 4 commits October 31, 2022 10:50

Mask sensitive information in logs.

5d2a222

Remove query_masking_rules for encrypt() function from the default co…

842e400

…nfig (now it's always masked).

Make as_table_function a child of ASTCreateQuery (to help writing vis…

c2cc2cc

…itors).

Fix IAST::clone() overrides for some queries.

f2bd560

vitlibar added 8 commits October 31, 2022 10:50

Move prepareQueryForLogging() to a separate header.

dcf8724

Wipe passwords from backup logs too.

a30bfad

Wipe passwords from distributed queries too.

43efbad

Use assert_cast() instead of as() in some places.

854e1e9

Add comments.

c07fe69

Improve tests.

aa5cfd6

Improve test test_on_cluster.

901ae12

Avoid changing query if it doesn't contain password.

d1c69a0

vitlibar force-pushed the mask-sensitive-info-in-logs branch from cc2505d to d1c69a0 Compare October 31, 2022 16:08

vitlibar added 2 commits November 1, 2022 11:10

Fix tests.

73f5664

Spare stack in InDepthNodeVisitor.

085fb80

vitlibar force-pushed the mask-sensitive-info-in-logs branch from 3719447 to 085fb80 Compare November 1, 2022 16:20

Merge branch 'master' into mask-sensitive-info-in-logs

e013368

vitlibar merged commit 52b1f4a into ClickHouse:master Nov 4, 2022

vitlibar deleted the mask-sensitive-info-in-logs branch November 4, 2022 13:09

vitlibar mentioned this pull request Nov 7, 2022

Add SensitiveDataMasker to exceptions messages #42940

Merged

vitlibar mentioned this pull request Nov 14, 2022

Improve masking sensitive info #43227

Merged

Ryado mentioned this pull request Apr 19, 2023

system.query_log logs S3 Table Credentials #48901

Closed

nikitamikhaylov mentioned this pull request Jan 23, 2024

Not hidden credentials in storage Iceberg #59118

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Mask some information in logs#42484

Mask some information in logs#42484
vitlibar merged 15 commits intoClickHouse:masterfrom
vitlibar:mask-sensitive-info-in-logs

vitlibar commented Oct 19, 2022 •

edited

Loading

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

SmitaRKulkarni left a comment

Uh oh!

nikitamikhaylov commented Nov 1, 2022 •

edited

Loading

Uh oh!

vitlibar commented Nov 1, 2022 •

edited

Loading

Uh oh!

alexey-milovidov commented Nov 2, 2022

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

Conversation

vitlibar commented Oct 19, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changelog category:

Changelog entry:

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

SmitaRKulkarni left a comment

Choose a reason for hiding this comment

Uh oh!

nikitamikhaylov commented Nov 1, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

vitlibar commented Nov 1, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

alexey-milovidov commented Nov 2, 2022

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

vitlibar commented Oct 19, 2022 •

edited

Loading

nikitamikhaylov commented Nov 1, 2022 •

edited

Loading

vitlibar commented Nov 1, 2022 •

edited

Loading