Fix: Do not redact password for conn pool connection uri while connecting to DB #2203
Conversation
priyanshi-yb
force-pushed
the
priyanshi/fix-conn-pool-pass
branch
from
c4b1b2b to
2f05de5
Compare
priyanshi-yb
force-pushed
the
priyanshi/fix-conn-pool-pass
branch
from
2f05de5 to
a83acb2
Compare
priyanshi-yb
requested review from
makalaaneesh and
sanyamsinghal
and removed request for
makalaaneesh
yb-voyager/src/tgtdb/yugabytedb.go
Outdated
| @@ -243,8 +243,12 @@ func (yb *TargetYugabyteDB) InitConnPool() error { | |||
| SessionInitScript: getYBSessionInitScript(yb.tconf), | |||
| } | |||
| yb.connPool = NewConnectionPool(params) | |||
| redactedParams := params | |||
| redactedParams.ConnUriList = utils.GetRedactedURLs(redactedParams.ConnUriList) | |||
| redactedParams := ConnectionParams{ | |||
There was a problem hiding this comment.
We're logging the full struct below, so this will mean we'll have to come back to keep updating this copy here whenever we add a new field.
Let's go with redactedParams := *params ?
| @@ -85,7 +85,7 @@ jobs: | |||
| docker run -d --name yugabytedb \ | |||
| -p7000:7000 -p9000:9000 -p15433:15433 -p5433:5433 -p9042:9042 \ | |||
| yugabytedb/yugabyte:${{ matrix.version }} \ | |||
| bin/yugabyted start --background=false --ui=false | |||
| bin/yugabyted start --tserver_flags="ysql_hba_conf_csv={host all yugabyte all trust,host all all all md5}" --background=false --ui=false | |||
There was a problem hiding this comment.
Shall we just have host all all all md5 ? Just want to avoid "trust" altogether 😅
There was a problem hiding this comment.
yeah I started with that only, but somehow yugabyted wasn't coming up with that conf as yugabyte is a default user maybe trust is required for that, I can take that up later after figuring out how to do that
This reverts commit b54c79a.
| @@ -37,6 +37,7 @@ import ( | |||
| _ "github.com/jackc/pgx/v5/stdlib" | |||
| "github.com/samber/lo" | |||
| log "github.com/sirupsen/logrus" | |||
| "github.com/tiendc/go-deepcopy" | |||
There was a problem hiding this comment.
Just as a general discussion, not suggesting you change it:
I'm guessing you picked this because it seems to be the fastest. In our case, though, we don't really care so much about speed (because we call it like once and log it). In such cases, it makes more sense to prioritize dependencies that are popular/ well maintained.
There was a problem hiding this comment.
Not just fast, I also looked at activity on the repo and only this one seems quite active (last month), rest had last commit years ago
There was a problem hiding this comment.
Plus to @makalaaneesh point. Popular ones can be safer.
Maybe if there is one with a lot of stars and some recent activities.
There was a problem hiding this comment.
@priyanshi-yb @makalaaneesh lets fix a specific version of the library? v1/v2 whatever it is..
"github.com/tiendc/go-deepcopy/vX"
yb-voyager/src/tgtdb/yugabytedb.go
Outdated
| redactedParams := params | ||
| redactedParams := &ConnectionParams{} | ||
| //Whenever adding new fields to CONNECTION PARAMS check if that needs to be redacted while logging | ||
| deepcopy.Copy(redactedParams, params) |
There was a problem hiding this comment.
handle the error if its returning..
priyanshi-yb
force-pushed
the
priyanshi/fix-conn-pool-pass
branch
from
b04d148 to
979c379
Compare
…ting to DB (#2203) Fixing the bug where import data always fails to connect to DB via the connection pool with password authentication as the connection URLs are redacted while passing to the connection pool. Deep copying the connection params for redacting while logging using the package - https://github.com/tiendc/go-deepcopy.
…ting to DB (#2203) (#2208) Fixing the bug where import data always fails to connect to DB via the connection pool with password authentication as the connection URLs are redacted while passing to the connection pool. Deep copying the connection params for redacting while logging using the package - https://github.com/tiendc/go-deepcopy.
Describe the changes in this pull request
Fixing the bug where import data always fails to connect to DB via the connection pool with a password authentication as the connection URLs are getting redacted while passing to the connection pool.
#2204
redaction still happens-
Deep copying the connection params for redacting while logging using the package - https://github.com/tiendc/go-deepcopy because of following reasons-
Describe if there are any user-facing changes
Its a fix, no user-facing changes
How was this pull request tested?
automation tests are enough
Does your PR have changes that can cause upgrade issues?