Skip to content

Mask credentials from stderr for failed Docker logins for local mode #2180

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
jmahlik opened this issue Mar 2, 2021 · 2 comments
Closed

Mask credentials from stderr for failed Docker logins for local mode #2180

jmahlik opened this issue Mar 2, 2021 · 2 comments
Labels
component: local mode contributions welcome type: feature request UX

Comments

@jmahlik
Copy link
Contributor

jmahlik commented Mar 2, 2021

Describe the bug
A clear and concise description of what the bug is.
Currently uses -p flag to pass credentials. This can result in creds being leaked. Change how docker login is handled or pipe the std err and raise manually on failure.

See conversation in #2146.

To reproduce
A clear, step-by-step set of instructions to reproduce the bug.
See PR, failed docker login = logs have leaked creds.

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots or logs
If applicable, add screenshots or logs to help explain your problem.

System information
A description of your system. Please provide:

  • SageMaker Python SDK version:
  • Framework name (eg. PyTorch) or algorithm (eg. KMeans):
  • Framework version:
  • Python version:
  • CPU or GPU:
  • Custom Docker image (Y/N):

Additional context
Add any other context about the problem here.
@ChoiByungWook ChoiByungWook changed the title Docker login for local mode Mask credentials for failed Docker logins for local mode Mar 8, 2021
@ChoiByungWook ChoiByungWook changed the title Mask credentials for failed Docker logins for local mode Mask credentials from stderr for failed Docker logins for local mode Mar 8, 2021
@ahsan-z-khan
Copy link
Member

Hi @jmahlik ,

What would be the expected behavior on this?

@jmahlik
Copy link
Contributor Author

jmahlik commented Mar 16, 2022

Hi @jmahlik ,

What would be the expected behavior on this?

Currently it uses check_output. If the login fails for some reason, like no access, mistyped image, repo etc, the password gets dumped to stdout unaltered. So creds will be show in plain text.

    cmd = "docker login -u AWS -p %s %s" % (token, ecr_url)
    subprocess.check_output(cmd.split())

To avoid the creds getting leaked, it should pass the password via stdin. Something like below should work.

        cmd = [
            "docker",
            "login",
            ecr_url,
            "-u",
            "AWS"
            "--password-stdin",
        ]
        proc = subprocess.Popen(
            cmd,
            stdin=subprocess.PIPE,
        )

        stdout, stderr = proc.communicate(input=token.encode())

        # I don't think the replacing below is necessary, since docker won't leak the creds with this login method
        # But, just in case, possibly need to replace the token with * in the output
        logger.info("%s, %s", stdout.decode().replace(token, "***"), stderr.decode().replace(token, "***"))

jmahlik added a commit to jmahlik/sagemaker-python-sdk that referenced this issue Mar 20, 2022
@jmahlik
fix: local mode printing of credentials during docker login closes aw…
fbc5934 
…s#2180
@jmahlik jmahlik mentioned this issue Mar 20, 2022
Merged
9 tasks
jmahlik added a commit to jmahlik/sagemaker-python-sdk that referenced this issue Mar 20, 2022
@jmahlik
fix: local mode printing of credentials during docker login closes aw…
2810b03 
…s#2180
jmahlik added a commit to jmahlik/sagemaker-python-sdk that referenced this issue Mar 29, 2022
@jmahlik
fix: local mode printing of credentials during docker login closes aw…
e64206f 
…s#2180
jmahlik added a commit to jmahlik/sagemaker-python-sdk that referenced this issue Mar 29, 2022
@jmahlik
fix: local mode printing of credentials during docker login closes aw…
39b74cc 
…s#2180
jerrypeng7773 pushed a commit to jerrypeng7773/sagemaker-python-sdk that referenced this issue May 13, 2022
@jmahlik @jerrypeng7773
fix: local mode printing of credentials during docker login closes aw…
6bd1f4d 
…s#2180 (aws#3014)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
component: local mode contributions welcome type: feature request UX
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ChoiByungWook @jmahlik @ahsan-z-khan