[Buildbot-commits] [Buildbot] #1748: Allow obfuscating passwords, etc. on the master

Buildbot trac trac at buildbot.net
Tue Jul 2 08:52:41 UTC 2013 

#1748: Allow obfuscating passwords, etc. on the master
------------------------+--------------------
Reporter:  GreYFoX      |       Owner:
    Type:  enhancement  |      Status:  new
Priority:  minor        |   Milestone:  0.8.+
 Version:  0.8.3        |  Resolution:
Keywords:  sprint       |
------------------------+--------------------

Comment (by rutsky):

 Replying to [comment:9 dustin]:
 > Does that solution work?  The command is echoed in a few places on the
 slave, too, I believe.  Perhaps not for the svn step, but for shell
 commands in general.

 I think it should work.  On the slave side (real, fake) tuples are handled
 in `Obfuscated` class, so if arguments were obfuscated by it before (like
 in slave-side svn step), it will be obfuscated now too.  I didn't found
 other places where command arguments leaked, except into Twisted logs,
 like `log.msg(...)`.


 > I think that the web status is a bit late to hide that information - it
 means that we need to have a way of persisting the "hidden" state all the
 way from the slave, to the master, through the db and mq interfaces, and
 into the web UI.  And in the 'nine' world, we would need to do the access
 control at the REST API layer.

 Currently all commands on slave started through
 `buildbot.process.buildstep.RemoteCommand` (or subclasses of it).  I
 thought that since slave outputs exactly same command arguments as passed
 through `RemoteCommand` and since `RemoteCommand` handles all output, it
 is possible to write into output logs command arguments directly from
 `RemoteCommand`, and handle obfuscation on master side in `RemoteCommand`.
 I had ideas about separating output from buildslave described in
 [#comment8], but they are raw for now, and such implementation only for
 command arguments obfuscating is overkill.

 So if approach implemented in my branch works, should I finish it (write
 tests, documentation)?  Or you have better suggestions about how
 obfuscating should be done?

-- 
Ticket URL: <http://trac.buildbot.net/ticket/1748#comment:11>
Buildbot <http://buildbot.net/>
Buildbot: build/test automation

More information about the Commits mailing list