
Remove or Redact the user and password from the url.full opentelemetry field. #8437

Open
zitzerd opened this issue Dec 25, 2024 · 3 comments


zitzerd commented Dec 25, 2024

When testing the Elasticsearch client 8.15.x with Aspire, I noticed that the trace includes the username and password of the connection when using basic auth.

Is it possible to redact or remove the user password? Or, as a workaround, remove the field until it is redacted.

Thanks

@flobernd flobernd added the 8.x Relates to 8.x client version label Jan 17, 2025

flobernd commented Jan 17, 2025

Hi @zitzerd, sorry for the late reply.

May I ask how you specify the basic-auth username/password?

```csharp
// Credentials passed this way travel in the Authorization header, not in the URL.
var settings = new ElasticsearchClientSettings(new Uri("https://..."))
    .Authentication(new BasicAuthentication("elastic", "my_password"));
```

creates an HTTP Basic-Auth header, which should never end up in the URL.

If you explicitly use https://user:pass@my_host, it will of course be part of the URL and be logged in all relevant places.


zitzerd commented Jan 17, 2025

Hi @flobernd, thanks for the reply!

I'm using the Aspire integration and specifying a password on the host side.

They are actually sending the user/password in the URL as a connection-string environment variable. After your mail I debugged the integration: they pass the full URL into the method CreateElasticsearchClientSettings, which uses the ElasticsearchClientSettings default constructor.

I'll talk with them, and in the meantime I'll send my own ElasticsearchClientSettings on the client side, and see if the Aspire team can improve the client integration.

```csharp
private static ElasticsearchClientSettings CreateElasticsearchClientSettings(
    ElasticClientsElasticsearchSettings settings,
    string connectionName,
    string configurationSectionName)
{
    if (settings.Endpoint is not null)
    {
        // The endpoint Uri is handed over as-is, including any user:pass@ userinfo.
        return new ElasticsearchClientSettings(settings.Endpoint);
    }
    else if (settings.CloudId is not null && settings.ApiKey is not null)
    {
        return new(settings.CloudId, new ApiKey(settings.ApiKey));
    }

    throw new InvalidOperationException(
        $"A ElasticsearchClient could not be configured. Ensure valid connection information was provided in 'ConnectionStrings:{connectionName}' or either " +
        $"{nameof(settings.Endpoint)} must be provided " +
        $"in the '{configurationSectionName}' configuration section.");
}
```
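Added example, not code from this thread, the Elasticsearch client, or the Aspire package: it shows the client-side workaround discussed above, taking a connection-string URI that may carry `user:pass@` userinfo, moving the credentials into a Basic-Auth header as flobernd describes, and handing the client a URI without userinfo so `url.full` never sees the password. The class and method names (`SafeElasticsearchSettings`, `FromConnectionString`, `StripUserInfo`) are assumed names chosen for this example.

```csharp
using System;
using Elastic.Clients.Elasticsearch;
using Elastic.Transport;

// Example helper (hypothetical name), not part of any shipped package.
public static class SafeElasticsearchSettings
{
    // Builds client settings from a connection-string style URI. Any userinfo
    // ("user:pass@") is removed from the URI and sent as an HTTP Basic-Auth
    // header instead, so telemetry that records the URL only sees the clean host.
    public static ElasticsearchClientSettings FromConnectionString(string connectionString)
    {
        var uri = new Uri(connectionString);
        var settings = new ElasticsearchClientSettings(StripUserInfo(uri));

        if (!string.IsNullOrEmpty(uri.UserInfo))
        {
            // UserInfo is percent-encoded "user:pass"; split on the first ':' only,
            // since the password itself may contain ':'.
            var parts = uri.UserInfo.Split(':', 2);
            var user = Uri.UnescapeDataString(parts[0]);
            var pass = parts.Length > 1 ? Uri.UnescapeDataString(parts[1]) : string.Empty;
            settings = settings.Authentication(new BasicAuthentication(user, pass));
        }

        return settings;
    }

    // Returns the same URI with the userinfo component removed; safe to log or
    // to place in a span attribute such as url.full.
    public static Uri StripUserInfo(Uri uri)
    {
        if (string.IsNullOrEmpty(uri.UserInfo))
        {
            return uri;
        }

        var builder = new UriBuilder(uri) { UserName = string.Empty, Password = string.Empty };
        return builder.Uri;
    }
}

// Constructed sample input (not a real deployment):
// SafeElasticsearchSettings.StripUserInfo(new Uri("https://elastic:s3cret@es.example.local:9200/"))
// yields "https://es.example.local:9200/", while the credentials go into the Authorization header.
```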

@flobernd
Member

Thanks for checking! This indeed looks like something that should be fixed in the Elasticsearch Aspire package 🙂

Please let me know if there is anything else I can do; otherwise I'm going to close this issue for now.
