Bearer Token ID Displayed In Logs #3174

Closed
mhobotpplnet opened this issue Jul 26, 2018 · 3 comments
@mhobotpplnet

Environment

Dashboard version: v1.8.3
Kubernetes version: 1.10

Steps to reproduce

Log in to Kubernetes dashboard with bearer token ID, check out the pod logs for k8 dashboard.

Observed result

Logs show full token ID

kubernetes-dashboard-somenumber kubernetes-dashboard 2018/07/26 12:39:10 [2018-07-26T12:39:10Z] Incoming HTTP/2.0 POST /api/v1/login request from 100.111.312.444:3587: {
kubernetes-dashboard-somenumber kubernetes-dashboard   "kubeConfig": "",
kubernetes-dashboard-somenumber kubernetes-dashboard   "password": "",
kubernetes-dashboard-somenumber kubernetes-dashboard   "token": "5122-taken-away-full-token"

Expected result

Did not expect token to be logged, and if it is, it should be detached.

Comments

If someone had access to k8 dashboard, they could take higher privileges by just parsing out the token ID and logging in with my username.
I guess one way is to disable logging but that is not suitable when trying to troubleshoot authentications etc.
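
One way to keep request logging useful for troubleshooting without writing credentials to the pod log, as an added example (not part of the original issue and not the Dashboard project's code or its eventual fix): mask the login body before it reaches the logger. The field names come from the log excerpt above; `RedactBody`, `scrub` and the sample body are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Login body fields seen in the issue's log excerpt, lowercased for matching.
var sensitiveKeys = map[string]bool{"token": true, "password": true, "kubeconfig": true}

// RedactBody returns a form of a JSON request body that is safe to log.
func RedactBody(body []byte) string {
	var v interface{}
	if err := json.Unmarshal(body, &v); err != nil {
		// Fail closed: never echo a body that could not be parsed.
		return fmt.Sprintf("<unparseable body, %d bytes>", len(body))
	}
	out, err := json.Marshal(scrub(v))
	if err != nil {
		return "<unloggable body>"
	}
	return string(out)
}

// scrub walks objects and arrays, masking non-empty values of sensitive keys.
func scrub(v interface{}) interface{} {
	switch t := v.(type) {
	case map[string]interface{}:
		for k, val := range t {
			if !sensitiveKeys[strings.ToLower(k)] {
				t[k] = scrub(val)
			} else if s, ok := val.(string); !ok || s != "" {
				t[k] = "[REDACTED]" // empty strings stay, showing which login method was used
			}
		}
	case []interface{}:
		for i := range t {
			t[i] = scrub(t[i])
		}
	}
	return v
}

func main() {
	// Constructed sample body; the token value is made up.
	body := []byte(`{"kubeConfig":"","password":"","token":"constructed-sample-token"}`)
	fmt.Println(RedactBody(body))
}
```

Tokens already written to existing logs remain exposed after such a change, so they still need to be rotated.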

@jimangel
Member

duplicate of #3012

@jeefy
Member

jeefy commented Jul 26, 2018

/assign

@jeefy
Member

jeefy commented Jul 26, 2018

/close

Closing in favor of #3012

But, never fear. I'm diving into this today.
