Mask all secret parameters in worker section, fix #1553 #1580
+76
−8
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Secrete parameters are masked when configuring the plugin instances, but fluentd worker processes don't create and configure the instances of plugins under worker sections for other workers. And config dump is performed on a worker process (worker0). So the secret parameters under worker section are not masked except for worker0. This patch makes supervisor process create and configure instances of plugins for all workers before spawning worker processes and config_dump performed on supervisor process. This method is the same with dry_run.
|
The config.dump API don't mask secret parameters regardless of worker section. I'll fix that after this PR is merged. |
repeatedly
reviewed
May 23, 2017
lib/fluent/supervisor.rb
Outdated
| run_configure | ||
| Fluent::Engine.dry_run_mode = false | ||
| rescue Fluent::ConfigError => e | ||
| $log.error "config error", file: @config_path, error: e |
There was a problem hiding this comment.
should re-raise an error?
It seems --dry-run returns 0 exit status even if configuration error happen.
There was a problem hiding this comment.
Right. Then, exit!(1) is better to keep consistency with current behaviour?
There was a problem hiding this comment.
Yes because exit value is used for error detection.
lib/fluent/supervisor.rb
Outdated
| change_privilege | ||
| init_engine | ||
| run_configure | ||
| Fluent::Engine.dry_run_mode = false |
There was a problem hiding this comment.
To safety, should be in ensure?
|
Updated. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Secrete parameters are masked when configuring the plugin instances, but fluentd worker processes don't create and configure the instances of plugins under worker sections for other workers. And config dump is performed on a worker process(worker0). So the secret parameters under worker section are not masked except for worker0.
This patch makes supervisor process create and configure instances of plugins for all workers before spawning worker processes and config_dump performed on supervisor process. This method is the same with dry_run.