[Replicated] release-23.1: settings: redact all string settings for diagnostics #91
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Previously, the redaction logic for `Sensitive` settings in the diagnotics payload was conditional on the value of the `"server.redact_sensitive_settings.enabled"` cluster setting. This commit modifies the behavior of `RedactedValue` used to render modified cluster settings by the `diagnostics` package to always fully redact the values of string settings and any sensitive or non- reportable settings. Because the `MaskedSetting` struct is now in use by code in the `SHOW CLUSTER SETTING` code path, we no longer rely on it for redaction behavior of string settings. Note: This is a backport of a PR from `master` and this branch does not contain the concept of `sensitive` settings so only `non- reportable` ones are included. Resolves: CRDB-43457 Epic: None Release note (security update): all cluster settings that accept strings are now fully redacted when transmitted as part of our diagnostics telemetry. This payload includes a record of modified cluster settings and their values when they are not strings. Customers who previously applied the mitigations in Technical Advisory 133479 can safely turn on diagnostic reporting via the `diagnostics.reporting.enabled` cluster setting without leaking sensitive cluster settings values.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Replicated from original PR cockroachdb#134063
Original author: dhartunian
Original creation date: 2024-11-01T14:19:43Z
Original reviewers: kyle-a-wong
Original description:
Backport 1/1 commits from cockroachdb#133754.
/cc @cockroachdb/release
Previously, the redaction logic for
Sensitivesettings in the diagnotics payload was conditional on the value of the"server.redact_sensitive_settings.enabled"cluster setting.This commit modifies the behavior of
RedactedValueused to render modified cluster settings by thediagnosticspackage to always fully redact the values of string settings and any sensitive or non- reportable settings.Because the
MaskedSettingstruct is now in use by code in theSHOW CLUSTER SETTINGcode path, we no longer rely on it for redaction behavior of string settings.Resolves: CRDB-43457
Epic: None
Release note (security update): all cluster settings that accept strings are now fully redacted when transmitted as part of our diagnostics telemetry. This payload includes a record of modified cluster settings and their values when they are not strings. Customers who previously applied the mitigations in Technical Advisory 133479 can safely set the value of cluster setting
server.redact_sensitive_settings.enabledto false and turn on diagnostic reporting via thediagnostics.reporting.enabledcluster setting without leaking sensitive cluster settings values.Note: "sensitive" settings were introduced in 23.2 so this backport will affect non-reportable and string settings for 23.1
Release justification: removing sensitive data from diagnostics output.