[prev in list] [next in list] [prev in thread] [next in thread]
List: slf4j-user
Subject: Re: [slf4j-user] Hide "sensitive" data
From: "USHAKOV, Sergey" <s-n-ushakov () yandex ! ru>
Date: 2015-04-18 6:37:33
Message-ID: 5531FBAD.7000708 () yandex ! ru
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
Hi Norbert,
and I agree that hiding sensitive data is important for certain
applications.
You have already mentioned that there are in fact two distinct cases:
1) when sensitive data is represented by a String;
2) when sensitive data is represented by an Object.
My feeling is that the second case is simpler and can be treated
reasonably right away. In that case an approach is available with an
application-specific MessageFormatter subclass. That subclass might be
made aware of all the types that need sensitive data protection and use
a sort of map of protection-aware formatting methods against data types.
The first case is more tricky, and I'm afraid thet we either have to
sacrifice efficiency and use sensitive(password), or ask Ceki to
consider some message pattern syntax extension... Maybe it's the time to
ask Ceki to join... ;)
Regards,
Sergey
On 18.04.15 04:15, Norbert Kiesel wrote:
>
> Hi,
>
>
> one of the common requirements for my team is to "hide" sensitive
> information in production logs, with a varying definition of
> sensitive. One idea for this we had was to introduce another pattern
> in the format strings, and a global flag that handles that pattern
> differently.
>
>
> Concrete example: `logger.info("user {} has password {}", user,
> password);` is ok for debug, but not for production. So instead we
> would use `logger.info("user {} has password $$", user, password);`,
> and based on some parameter this would be rendered as "user nkiesel
> has password secret" or "user nkiesel has password *hidden*".
>
>
> This looks better than `logger.info("user {} has password {}, user,
> sensitive(password)";` and could also be slightly more efficient
> (because is would avoid invoking `sensitive` if threshold is higher
> than info). However, this approach fails when the parameter is a Java
> object and only part of the `toString()` is sensitive. One idea to
> solve this would be to support a `SensitiveRenderer` interface with a
> "toString(boolean sensitve) method. Then Java objects with sensitive
> data could override that.
>
>
> Anyone out there who has an advice? We have a rough implementation
> (with a `static public MessageFormatter.setSensitive(boolean arg);` to
> toggle the behavior) that passes the existing test cases (actually
> fails the perf tests right now because we used a Matcher.find based
> implementation that is 5 times slower), which we of course would be
> happy to share if anyone is interested.
>
>
>
> </nk>
>
> ---
>
>
> Norbert Kiesel
> Systems Architect | Engineering
> MetricStream
> 2600 E. Bayshore Road | Palo Alto, CA - 94303
> +1-650-620-2954 | nkiesel@metricstream.com | www.metricstream.com
>
> *_Confidentiality Notice:_*This email and any files transmitted with
> it are confidential and intended solely for the use of the individual
> or entity to whom they are addressed. This message contains
> confidential information and is intended only for the individual
> named. If you are not the named addressee you should not disseminate,
> distribute or copy this e-mail. Please notify the sender immediately
> by e-mail if you have received this e-mail by mistake and delete this
> e-mail from your system. If you are not the intended recipient you are
> notified that disclosing, copying, distributing or taking any action
> in reliance on the contents of this information is strictly prohibited
>
>
>
> _______________________________________________
> slf4j-user mailing list
> slf4j-user@qos.ch
> http://mailman.qos.ch/mailman/listinfo/slf4j-user
[Attachment #5 (text/html)]
<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hi Norbert,<br>
<br>
and I agree that hiding sensitive data is important for certain
applications.<br>
<br>
You have already mentioned that there are in fact two distinct
cases:<br>
1) when sensitive data is represented by a String;<br>
2) when sensitive data is represented by an Object.<br>
<br>
My feeling is that the second case is simpler and can be treated
reasonably right away. In that case an approach is available with
an application-specific MessageFormatter subclass. That subclass
might be made aware of all the types that need sensitive data
protection and use a sort of map of protection-aware formatting
methods against data types.<br>
<br>
The first case is more tricky, and I'm afraid thet we either have
to sacrifice efficiency and use sensitive(password), or ask Ceki
to consider some message pattern syntax extension... Maybe it's
the time to ask Ceki to join... ;)<br>
<br>
Regards,<br>
Sergey<br>
<br>
<br>
On 18.04.15 04:15, Norbert Kiesel wrote:<br>
</div>
<blockquote cite="mid:1429319733097.86023@MetricStream.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<style type="text/css" style="display:none;"><!-- P \
{margin-top:0;margin-bottom:0;} --></style> <div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Tahoma,
Geneva, sans-serif;">
<p>Hi,</p>
<p><br>
</p>
<p>one of the common requirements for my team is to "hide"
sensitive information in production logs, with a varying
definition of sensitive. One idea for this we had was to
introduce another pattern in the format strings, and a global
flag that handles that pattern differently.</p>
<p><br>
</p>
<p>Concrete example: `logger.info("user {} has password {}",
user, password);` is ok for debug, but not for production. So
instead we would use `logger.info("user {} has password $$",
user, password);`, and based on some parameter this would be
rendered as "user nkiesel has password secret" or "user
nkiesel has password *hidden*".</p>
<p><br>
</p>
<p>This looks better than `logger.info("user {} has password {},
user, sensitive(password)";` and could also be slightly more
efficient (because is would avoid invoking `sensitive` if
threshold is higher than info). However, this approach fails
when the parameter is a Java object and only part of the
`toString()` is sensitive. One idea to solve this would be
to support a `SensitiveRenderer` interface with a
"toString(boolean sensitve) method. Then Java objects with
sensitive data could override that.<br>
</p>
<p><br>
</p>
Anyone out there who has an advice? We have a rough
implementation (with a `static public
MessageFormatter.setSensitive(boolean arg);` to toggle the
behavior) that passes the existing test cases (actually fails
the perf tests right now because we used a Matcher.find based
implementation that is 5 times slower), which we of course would
be happy to share if anyone is interested.
<p><br>
</p>
<p><br>
</p>
<div id="Signature">
<div name="divtagdefaultwrapper"
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:; margin:0">
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px"><span
lang="en-US">
<div style="margin:0" align="justify"><font
face="Arial,sans-serif" size="2"><span
style="font-size:10pt"><font
color="#17365D"
face="Calibri,sans-serif" size="3"><span
style="font-size:12pt"></nk><br>
<br>
---<br>
<br>
</span></font></span></font><br>
<div style="color:Black; font-size:10pt">
<div style="color:DarkBlue">Norbert Kiesel</div>
<div style="color:DarkBlue">Systems
Architect | Engineering</div>
<div style="font-size:12pt"><span
style="font-weight:bold">Metric</span>Stream</div>
<div>2600 E. Bayshore Road | Palo Alto, CA
- 94303</div>
<div>+1-650-620-2954 |
<a class="moz-txt-link-abbreviated" \
href="mailto:nkiesel@metricstream.com">nkiesel@metricstream.com</a> | \
<span
style="color:Blue"><a \
class="moz-txt-link-abbreviated" \
href="http://www.metricstream.com">www.metricstream.com</a></span></div> </div>
<font face="Arial,sans-serif" size="2"><span
style="font-size:10pt"><font
color="#17365D"
face="Calibri,sans-serif" size="3"><span
\
style="font-size:12pt"></span></font></span></font></div> </span></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p style="font-size:9pt; color:gray; line-height:8pt; font-family:
calibri;"><b><u>Confidentiality Notice:</u></b>This email and
any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are
addressed. This message contains confidential information and is
intended only for the individual named. If you are not the named
addressee you should not disseminate, distribute or copy this
e-mail. Please notify the sender immediately by e-mail if you
have received this e-mail by mistake and delete this e-mail from
your system. If you are not the intended recipient you are
notified that disclosing, copying, distributing or taking any
action in reliance on the contents of this information is
strictly prohibited</p>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
slf4j-user mailing list
<a class="moz-txt-link-abbreviated" \
href="mailto:slf4j-user@qos.ch">slf4j-user@qos.ch</a> <a \
class="moz-txt-link-freetext" \
href="http://mailman.qos.ch/mailman/listinfo/slf4j-user">http://mailman.qos.ch/mailman/listinfo/slf4j-user</a></pre>
</blockquote>
<br>
</body>
</html>
_______________________________________________
slf4j-user mailing list
slf4j-user@qos.ch
http://mailman.qos.ch/mailman/listinfo/slf4j-user
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic