Hide custom jwt header in logs

anon39196365 · August 29, 2019, 8:14am

We are using a header named jwt for authentication in kibana. The contents of this header is visible in the elasticsearch log. Is it possible to hide the content, just like what happens with contents of the Authorization header? Is it something that needs to be implemented in ROR or can it be configured somehow?

Appriciate any feedback on this. Thanks

sscarduzio · August 29, 2019, 8:50am

Hi Peter, this is a great feature request. Thanks for reaching out.
ReadonlyREST is very flexible and has a lot of integration points, so we cannot really anticipate what headers are to be considered confidential and their value should not be printed in logs.

Will add this to our backlog in Jira.

coutoPL · September 22, 2019, 4:30pm

Hi @anon39196365,
The feature is ready and available in 1.18.6

sscarduzio · September 22, 2019, 4:34pm

Did you document it too? How to use it?

coutoPL · September 22, 2019, 4:49pm

AFAIK no. At the moment there is only test to show how it should be used:

github.com

sscarduzio/elasticsearch-readonlyrest-plugin/blob/master/core/src/test/scala/tech/beshu/ror/unit/acl/factory/CoreFactoryTests.scala#L162


      
            val acl = createCore(config)
            val obfuscatedHeaders = acl.right.get.accessControl.staticContext.obfuscatedHeaders
            obfuscatedHeaders shouldEqual Set(Header.Name.authorization)
          }
          "the section exists, and obfuscated header is not defined" in {
            val config = rorConfigFromUnsafe(
              """
                |readonlyrest:
                |
                |  access_control_rules:
                |
                |  - name: test_block
                |    type: allow
                |    auth_key: admin:container
                |
                |  obfuscated_headers: []
                |""".stripMargin)
            val acl = createCore(config)
            val headers = acl.right.get.accessControl.staticContext.obfuscatedHeaders
            headers shouldBe empty
          }

anon39196365 · September 23, 2019, 6:10am

Thanks! That was implemented quicker than expected