This repository has been archived by the owner on Jun 5, 2023. It is now read-only.

[v2.24.0] 'forseti_db' should get from the yaml file and not from the flags #3477

Open
unrealmind opened this issue Nov 21, 2019 · 4 comments
Labels: 1 - Planning (Issues being considered for the next 3 releases), module: infrastructure, priority: p3 (Desirable enhancement or minor bug fix), triaged: yes

Comments

@unrealmind

This is because when I run ps -ef | grep forseti on the server, it displays the forseti_db credential in plain text.

Forseti Version:

git checkout tags/v2.24.0

Example:
Started Forseti service in background:

nohup forseti_server \
   --endpoint "localhost:50051" \
   --forseti_db "mysql+pymysql://root:forseti_user:<PASSWORD>@x.x.x.x.x:3306/forseti_security" \
   --services scanner model inventory explain notifier \
   --config_file_path "/xx/xx/forseti-security/configs/server/forseti_conf_server.yaml" \
   --log_level=debug \
   --enable_console_log &

ps -ef | grep forseti

Output:

/usr/bin/python3 /usr/local/bin/forseti_server --endpoint localhost:50051 --forseti_db mysql+pymysql://forseti_user:@x.x.x.x:3306/forseti_security --service

Tried to echo the $CONFIG_FLAGS to the file and exported it, but to no avail.

export CONFIG_FLAGS="--endpoint localhost:50051 --forseti_db mysql+pymysql://forseti_user:@x.x.x.x:3306/forseti_security --services scanner model inventory explain notifier --config_file_path /xx/xx/forseti-security/configs/server/forseti_conf_server.yaml --log_level=debug --enable_console_log"

Appreciate if someone could advise on this.
Thank you.

@auto-comment

auto-comment bot commented Nov 21, 2019

Thank you for opening an issue. Our team's interrupts engineer will review your issue shortly.

Issue Resolution:

  • [Interrupts Engineer] Triage / apply categorization labels
  • [Interrupts Engineer] Verify / Reproduce the reported issue
  • [Forseti Engineer] Perform root cause analysis
  • [Forseti Engineer] Add tasks and next steps to resolve this issue.

@red2k18 added the labels Interrupts: Follow-up Needed and triaged: yes on Nov 25, 2019
@gkowalski-google
Collaborator

Hi @unrealmind, sorry for the delay. I'm sorry, can you help provide some more info on what the issue is? Is the problem that anybody with access to the VM can see the password in plaintext from the command line?

@joecheuk assigned hshin-g and unassigned joecheuk on Jan 7, 2020
@hshin-g assigned blueandgold and unassigned hshin-g on Jan 21, 2020
@unrealmind
Author

Hello @gkowalski-google

Sorry for the late response. Yes. Anyone who has access to the VM can see the password in plaintext.

Just run ps -ef | grep forseti and you can see it.

@blueandgold added the labels 0 - Backlog, 1 - Planning, module: infrastructure and priority: p3, and removed the labels Interrupts: Follow-up Needed and 0 - Backlog, on Jan 27, 2020
@blueandgold
Contributor

I will add this to our sprint planning.
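
Added example, not part of the issue thread or of the Forseti code base: a small audit that checks process argument vectors, which is what `ps -ef` displays, for connection URLs carrying an embedded password and reports them redacted. The sample argv, address and password are constructed, and the function names are hypothetical.

```python
import os
from urllib.parse import urlsplit

# Constructed sample: same flag layout as the command in the issue; the
# address and password are made-up values.
SAMPLE_ARGV = [
    "/usr/local/bin/forseti_server", "--endpoint", "localhost:50051",
    "--forseti_db",
    "mysql+pymysql://forseti_user:S3cr3t-constructed@10.0.0.5:3306/forseti_security",
    "--log_level=debug",
]

def find_credential_args(argv):
    """Return redacted copies of arguments holding a URL with a password."""
    findings = []
    for arg in argv:
        # Accept both "--flag value" and "--flag=value".
        value = arg.split("=", 1)[1] if arg.startswith("-") and "=" in arg else arg
        if "://" not in value:
            continue
        try:
            password = urlsplit(value).password
        except ValueError:  # malformed netloc, not a usable URL
            continue
        if password:
            findings.append(value.replace(":" + password + "@", ":<redacted>@", 1))
    return findings

def scan_proc(proc_root="/proc"):
    """Map pid -> redacted findings for each readable process (Linux procfs)."""
    results = {}
    if not os.path.isdir(proc_root):
        return results
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as fh:
                raw = fh.read()
        except OSError:  # process exited or access denied
            continue
        argv = [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]
        hits = find_credential_args(argv)
        if hits:
            results[int(entry)] = hits
    return results

if __name__ == "__main__":
    print(find_credential_args(SAMPLE_ARGV))
    print(scan_proc())
```

Mounting procfs with the `hidepid` option limits which users can read other users' command lines, but the credential stays in argv until the service reads it from a file or another non-argv source.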
