#747 Worker Log desensitization(日志脱敏) (#1568)

* modify FileUtils.readFile2Str * #1300 Add right alignment function in sql email content * cancel formatted for alert_mail_template.ftl * #747 sql task password Log desensitization * cancel mail_temple * edit ExcelUtils * modify test method name * #747 sql task password Log desensitization * Constants add DATASOURCE_PASSWORD_REGEX
5 years ago · eefb71855d
6 changed files with 268 additions and 2 deletions
--- a/dolphinscheduler-common/src/main/java/org/apache/dolphinscheduler/common/Constants.java
+++ b/dolphinscheduler-common/src/main/java/org/apache/dolphinscheduler/common/Constants.java
@ -36,7 +36,6 @@ public final class Constants {
     */
    public static final String HADOOP_PROPERTIES_PATH = "/common/hadoop/hadoop.properties";
    /**
     * common properties path
     */
@ -1007,4 +1006,9 @@ public final class Constants {
    public static final String RECEIVERS = "receivers";
    public static final String RECEIVERS_CC = "receiversCc";
    /**
     * dataSource sensitive param
     */
    public static final String DATASOURCE_PASSWORD_REGEX = "(?<=(\"password\":\")).*?(?=(\"))";
 }
--- a/dolphinscheduler-server/src/main/java/org/apache/dolphinscheduler/server/utils/SensitiveLogUtil.java
+++ b/dolphinscheduler-server/src/main/java/org/apache/dolphinscheduler/server/utils/SensitiveLogUtil.java
@ -0,0 +1,39 @@
 /*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package org.apache.dolphinscheduler.server.utils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.dolphinscheduler.common.Constants;
 /**
 *  sensitive log Util
 */
 public class SensitiveLogUtil {
    /**
     * @param dataSourcePwd data source password
     * @return String
     */
    public static String maskDataSourcePwd(String dataSourcePwd){
        if (StringUtils.isNotEmpty(dataSourcePwd)) {
            dataSourcePwd = Constants.PASSWORD_DEFAULT;
        }
        return dataSourcePwd;
    }
 }
--- a/dolphinscheduler-server/src/main/java/org/apache/dolphinscheduler/server/worker/log/SensitiveDataConverter.java
+++ b/dolphinscheduler-server/src/main/java/org/apache/dolphinscheduler/server/worker/log/SensitiveDataConverter.java
@ -0,0 +1,92 @@
 /*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package org.apache.dolphinscheduler.server.worker.log;
 import ch.qos.logback.classic.pattern.MessageConverter;
 import ch.qos.logback.classic.spi.ILoggingEvent;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.dolphinscheduler.common.Constants;
 import org.apache.dolphinscheduler.server.utils.SensitiveLogUtil;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 /**
 * sensitive data log converter
 */
@Slf4j
 public class SensitiveDataConverter extends MessageConverter {
    /**
     * password pattern
     */
    private final Pattern pwdPattern = Pattern.compile(Constants.DATASOURCE_PASSWORD_REGEX);
    @Override
    public String convert(ILoggingEvent event) {
        // get original log
        String requestLogMsg = event.getFormattedMessage();
        // desensitization log
        return convertMsg(requestLogMsg);
    }
    /**
     * deal with sensitive log
     *
     * @param oriLogMsg original log
     */
    private String convertMsg(final String oriLogMsg) {
        String tempLogMsg = oriLogMsg;
        if (StringUtils.isNotEmpty(tempLogMsg)) {
            tempLogMsg = passwordHandler(pwdPattern, tempLogMsg);
        }
        return tempLogMsg;
    }
    /**
     * password regex
     *
     * @param logMsg original log
     */
    private String passwordHandler(Pattern pwdPattern, String logMsg) {
        Matcher matcher = pwdPattern.matcher(logMsg);
        StringBuffer sb = new StringBuffer(logMsg.length());
        while (matcher.find()) {
            String password = matcher.group();
            String maskPassword = SensitiveLogUtil.maskDataSourcePwd(password);
            matcher.appendReplacement(sb, maskPassword);
        }
        matcher.appendTail(sb);
        return sb.toString();
    }
 }
--- a/dolphinscheduler-server/src/main/resources/worker_logback.xml
+++ b/dolphinscheduler-server/src/main/resources/worker_logback.xml
@ -18,6 +18,8 @@
 <!-- Logback configuration. See http://logback.qos.ch/manual/index.html -->
 <configuration scan="true" scanPeriod="120 seconds">
    <conversionRule conversionWord="msg"
                    converterClass="org.apache.dolphinscheduler.server.worker.log.SensitiveDataConverter"/>
    <property name="log.base" value="logs"/>
    <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
        <encoder>
@ -31,7 +33,7 @@
        <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
            <level>INFO</level>
        </filter>
-        <filter class="org.apache.dolphinscheduler.server.worker.log.TaskLogFilter"></filter>
+        <filter class="org.apache.dolphinscheduler.server.worker.log.TaskLogFilter"/>
        <Discriminator class="org.apache.dolphinscheduler.server.worker.log.TaskLogDiscriminator">
            <key>taskAppId</key>
            <logBase>${log.base}</logBase>
--- a/dolphinscheduler-server/src/test/java/org/apache/dolphinscheduler/server/utils/SensitiveLogUtilTest.java
+++ b/dolphinscheduler-server/src/test/java/org/apache/dolphinscheduler/server/utils/SensitiveLogUtilTest.java
@ -0,0 +1,37 @@
 /*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package org.apache.dolphinscheduler.server.utils;
 import org.apache.dolphinscheduler.common.Constants;
 import org.junit.Assert;
 import org.junit.Test;
 public class SensitiveLogUtilTest {
    @Test
    public void testMaskDataSourcePwd() {
        String password = "123456";
        String emptyPassword = "";
        Assert.assertEquals(Constants.PASSWORD_DEFAULT, SensitiveLogUtil.maskDataSourcePwd(password));
        Assert.assertEquals("", SensitiveLogUtil.maskDataSourcePwd(emptyPassword));
    }
 }
--- a/dolphinscheduler-server/src/test/java/org/apache/dolphinscheduler/server/worker/log/SensitiveDataConverterTest.java
+++ b/dolphinscheduler-server/src/test/java/org/apache/dolphinscheduler/server/worker/log/SensitiveDataConverterTest.java
@ -0,0 +1,92 @@
 /*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package org.apache.dolphinscheduler.server.worker.log;
 import org.apache.dolphinscheduler.common.Constants;
 import org.apache.dolphinscheduler.server.utils.SensitiveLogUtil;
 import org.junit.Assert;
 import org.junit.Test;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 public class SensitiveDataConverterTest {
    private final Logger logger = LoggerFactory.getLogger(SensitiveDataConverterTest.class);
    /**
     * password pattern
     */
    private final Pattern pwdPattern = Pattern.compile(Constants.DATASOURCE_PASSWORD_REGEX);
    /**
     * mask sensitive logMsg - sql task datasource password
     */
    @Test
    public void testPwdLogMsgConverter() {
        String logMsg = "{\"address\":\"jdbc:mysql://192.168.xx.xx:3306\"," +
                "\"database\":\"carbond\"," +
                "\"jdbcUrl\":\"jdbc:mysql://192.168.xx.xx:3306/ods\"," +
                "\"user\":\"view\"," +
                "\"password\":\"view1\"}";
        String maskLogMsg = "{\"address\":\"jdbc:mysql://192.168.xx.xx:3306\"," +
                "\"database\":\"carbond\"," +
                "\"jdbcUrl\":\"jdbc:mysql://192.168.xx.xx:3306/ods\"," +
                "\"user\":\"view\"," +
                "\"password\":\"******\"}";
        logger.info("parameter : {}", logMsg);
        logger.info("parameter : {}", passwordHandler(pwdPattern, logMsg));
        Assert.assertNotEquals(logMsg, passwordHandler(pwdPattern, logMsg));
        Assert.assertEquals(maskLogMsg, passwordHandler(pwdPattern, logMsg));
    }
    /**
     * password regex test
     *
     * @param logMsg original log
     */
    private static String passwordHandler(Pattern pattern, String logMsg) {
        Matcher matcher = pattern.matcher(logMsg);
        StringBuffer sb = new StringBuffer(logMsg.length());
        while (matcher.find()) {
            String password = matcher.group();
            String maskPassword = SensitiveLogUtil.maskDataSourcePwd(password);
            matcher.appendReplacement(sb, maskPassword);
        }
        matcher.appendTail(sb);
        return sb.toString();
    }
 }