NATS Server can log secret information on permissions violations #6666
Comments
|
I agree with auth callout some of our previous assumptions about tokens probably need a revisit, what do you think @aricart |
|
@garrett-sutton you implemented your own call-out? On the library I have been developing the documentation suggests that the call-out operation simply log some appropriate message and simply drop the request. If you don't return an error from the call-out, does the server still log the client connect info? |
|
https://github.com/synadia-io/callout.go Is the library. |
|
Sorry just read the portion that the issue is after the client connects. Definitely it shouldn't be logging the connect options. |
Yeah. This is what we are seeing. It's after the client has successfully connected. Some time later they try to take an action they aren't permitted to do and the nats server logs the connect option. |
wallyqs
changed the title
Observed behavior
When a NATS client has successfully connected to the NATS server and is granted certain permissions, if they attempt to take actions that are outside the scope of their permissions, they will get something like a "Permission Violation" error. At the same time, the NATS server will log this permissions violation and includes the "auth user" that encountered a permissions violation. The auth user can include secret information depending on how the client originally connected.
Based on my understanding of the potential things that can be logged, the Nkey option, Username option, and JWT option likely shouldn't have secret information. The Nkey that a client presents as part of its request to connect (I think) is the public half of the Nkey pair. It also looks like the JWT option explicitly calls out putting
pubKeyin the output.Things get dicey with the Token user though. In my use case, I am using auth callouts and the auth callout service only cares about the information stuffed into the Token option. NATS clients in my environment put their credentials into the Token option. If one of those clients commits a permissions violation, their entire Token (which includes their credentials) are logged by the NATS server.
Expected behavior
Expect secret information is not logged by the NATS server.
We are working around this by now having our clients also specify a username (that is unused by our auth callout service) because that is higher in the switch statement that determines what gets logged. But this is brittle. Any changes to the switch statement inside of the
getAuthUsermethod could land us back at where we were originally.Server and client version
2.10.18v1.37.0v2.5.10Host environment
No response
Steps to reproduce
The text was updated successfully, but these errors were encountered: