User sensitive info is not protected properly
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mistral | Confirmed | High | Unassigned | |
Bug Description
Now:
If a user passes security-sensitive information to a workflow, it won't be protected properly: it may appear in Mistral logs, it won't be encoded before being transferred over the network, etc.
The goal:
We need a mechanism that allows us to protect sensitive user data used by workflows.
Solution ideas:
* Client doesn't need to encode sensitive data before sending it to a server. It can use HTTPS.
* Create a special section "secret" in the workflow language to let Mistral know that this data must be protected.
* Create a special data type, for example class "Secret", with string representation "******" so that if something is wrapped into it we'll never see it in logs in its initial form. All variables marked in "secret" should be internally wrapped by an instance of "Secret".
* Store Secret instances in encoded form in DB, decode them when fetched from DB
Syntax ideas:
--------- Section "secret" under workflow ---------
[renat: Everybody liked this idea at the PTG]
version: "2.0"
wf:
  input:
    - username
  secret:
    - keyA
  tasks:
    taskA:
      action: my_action
      publish:
        keyA: <% task(taskA)
      on-success:
        - taskB
    taskB:
      action: my_action2
      input:
        arg1: <% $.keyA %>
--------- Encrypt only part of the structure ---------
[michal: we need to encrypt only keyA, and not the whole headers section]
version: "2.0"
wf:
  input:
    - username
  secret:
    - keyA
  tasks:
    taskA:
      action: std.http
      input:
        url: some.url
        headers:
          accept: text
--------- Wrapping sensitive data using a function ---------
tasks:
  taskA:
    action: my_action username=<% ... %> password=<% secret(...) %>
--------- Using decorator to protect from logging etc. ---------
# In this example, the argument "password" will never be logged by Mistral
# in its initial form.
from mistral_lib.secret import secret

@secret(
class MyAction(Action):
    def __init__(self, password):
        # do something
        pass
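A minimal sketch of the "Secret" wrapper and the per-key "secret" section described above, added here as an illustration; it is not Mistral or mistral-lib code. The names `protect`, `reveal` and `demo_log_line`, and the sample context, are assumptions constructed for this example.

```python
MASK = "******"  # string representation proposed in the description


class Secret:
    """Wraps a value so that str(), repr() and %s/f-string formatting
    only ever produce the mask, never the value itself."""

    __slots__ = ("_value",)  # no __dict__, so vars(obj) cannot dump the value

    def __init__(self, value):
        self._value = value

    def __repr__(self):
        return MASK

    __str__ = __repr__

    def reveal(self):
        # Hypothetical accessor: the single, greppable place where the raw
        # value leaves the wrapper (e.g. right before an action is invoked).
        return self._value


def protect(data, secret_keys):
    """Return a copy of `data` in which every dict key listed in
    `secret_keys` is wrapped in Secret, at any nesting depth, so only
    part of a structure (one header, not all headers) gets masked."""
    if isinstance(data, dict):
        out = {}
        for key, value in data.items():
            if isinstance(value, Secret):
                out[key] = value                 # already wrapped: keep as is
            elif key in secret_keys:
                out[key] = Secret(value)
            else:
                out[key] = protect(value, secret_keys)
        return out
    if isinstance(data, list):
        return [protect(item, secret_keys) for item in data]
    return data


def demo_log_line():
    # Constructed sample context: keyA sits inside the headers structure.
    ctx = {"username": "alice",
           "headers": {"accept": "text", "keyA": "constructed-token"}}
    safe = protect(ctx, {"keyA"})
    return "Task input: %s" % safe


if __name__ == "__main__":
    print(demo_log_line())
```

The wrapper guards against accidental disclosure through formatting and logging only; any serializer that reads object state directly needs its own handling, which is where the "encoded form in DB" idea comes in.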
Changed in mistral:
  status: New → Confirmed
  importance: Undecided → Critical
Changed in mistral:
  importance: Critical → High
Changed in mistral:
  milestone: none → 0.2
Changed in mistral:
  milestone: 0.2 → 0.1.1
Changed in mistral:
  milestone: 0.1.1 → 0.2
Changed in mistral:
  assignee: nobody → Sirisha Devineni (sirisha-devineni)
Changed in mistral:
  milestone: kilo-1 → kilo-2
Changed in mistral:
  milestone: kilo-2 → kilo-3
no longer affects: mistral/kilo
summary:
  - Security issue: passwords are not hidden in logs
  + Security issue: user secure info is not protected properly (logs, API, DB)
no longer affects: mistral/liberty
Changed in mistral:
  importance: Critical → Undecided
  milestone: liberty-rc1 → none
  assignee: Lingxian Kong (kong) → nobody
no longer affects: mistral/mitaka
description: updated
summary:
  - Security issue: user secure info is not protected properly (logs, API, DB)
  + User sensitive info is not protected properly
description: updated
description: updated
Changed in mistral:
  milestone: pike-1 → pike-2
Changed in mistral:
  assignee: nobody → Brad P. Crochet (brad-9)
Changed in mistral:
  milestone: pike-2 → pike-3
Changed in mistral:
  milestone: pike-3 → queens-1
Changed in mistral:
  assignee: Brad P. Crochet (brad-9) → nobody
Changed in mistral:
  milestone: queens-1 → queens-3
Changed in mistral:
  milestone: queens-3 → rocky-2
Changed in mistral:
  milestone: rocky-2 → none
Passwords or any other security information that can be imported in context via CLI are showing in mistral log and mistral dashboard too.