st2-api-key not obfuscated when using core.http?
#5.804 aberto em 14 de nov. de 2022
Métricas do repositório
- Stars
- (5.794 stars)
- Métricas de merge de PR
- (Nenhuma PRs mesclada em 30d)
Description
SUMMARY
I have 2 ST2 instances (independent of each other and in different networks) and want them to communicate with each other via API using API keys. However, when providing st2-api-key to headers of action core.http, the API key is visible in plain-text in both st2web and in CLI. This is not desirable, as I want the users to be able to use the keys, but not unintentionally share them during any screen sharing sessions. Masking is set in the config for both [api] and [log] (and any actions I've created that use the "secret" tag are masked properly) in st2.conf and I've even tried adding st2-api-key into mask_secrets_blacklist. I've tried to clone the runner, but headers are not overridable (can't just create my own http runner with headers marked as "secret"). Before going on and writing my own http as a python action, I wanted to ask whether I'm doing something wrong, as it seems obvious to me that any auth info should be obfuscated by default.
STACKSTORM VERSION
[root@st2 st2]# st2 --version st2 3.7.0, on Python 3.8.12 [root@st2 st2]#
OS, environment, install method
custom install on a RHEL8
Steps to reproduce the problem
Use core.http with st2-api-key: in st2web.
Expected Results
Expected the value of the API key to be obfuscated.
Actual Results
The API key is visible in plaintext.
Making sure to follow these steps will guarantee the quickest resolution possible.
Thanks!