P2-[4.0 bug hunting]-[BR]-BACKUP command writes secrets to the TiDB log file

[wwar]

Bug Report

Please answer these questions before submitting your issue. Thanks!

1. What did you do?

• I set s3 credentials using aws configure (which writes a ~/.aws/credentials file)
• I ran the SQL to backup to s3:

mysql> BACKUP DATABASE `ontime` TO 's3://wwartmp/ontime3';

2. What did you expect to see?

The access_key is not a secret, but the secret key should have been sanitized in TiDB's log file.

3. What did you see instead?

[2020/05/01 07:12:15.701 -06:00] [INFO] [client.go:743] ["try backup"] ["backup request"="{\"cluster_id\":6821729735252517599,\"start_key\":\"dIAAAAAAAAAvX3IAAAAAAAAAAA==\",\"end_key\":\"dIAAAAAAAAAvX3L//////////wA=\",\"end_version\":416373469521641473,\"concurrency\":4,\"storage_backend\":{\"Backend\":{\"S3\":{\"region\":\"us-east-1\",\"bucket\":\"wwartmp\",\"prefix\":\"ontime3\",\"access_key\":\"AKIA6G4CMMXCXY6LUTXQ\",\"secret_access_key\":\"XXXXXXXXXXXXXXXXXXXXX\"}}}}"]

(The XXXXXXXXXXXXXXXXXXXXX was added by me. It contained my actual secret in the clear).

4. What version of TiDB are you using? (tidb-server -V or run select tidb_version(); on TiDB)

mysql> SELECT tidb_version()\G
*************************** 1. row ***************************
tidb_version(): Release Version: v4.0.0-beta.2-391-g43764a59b
Git Commit Hash: 43764a59b7dcb846dc1e9754e8f125818c69a96f
Git Branch: master
UTC Build Time: 2020-04-30 11:38:13
GoVersion: go1.13.8
Race Enabled: false
TiKV Min Version: v3.0.0-60965b006877ca7234adaced7890d7b029ed1306
Check Table Before Drop: false
1 row in set (0.00 sec)

[shuke987]

/bug P1

[gregwebs]

Is this completed now or are we waiting for it to get released?

[shuke987]

/bug P0

[shuke987]

It is fixed, and will released in 4.0.0. It can be closed

[gregwebs]

4.0 is release now, should this be closed? I don't have permission to close it.