-
Notifications
You must be signed in to change notification settings - Fork 428
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Mongo URI password visible in process list on Linux #561
Comments
similar request is in #380 . As a secure alternative so far you can use tls connection with
|
hm. I mixed up the things, |
to make it clear |
the issue still seems to be there when we try to make mongo-uri as ENV
The issue still seems to be there when we try to make mongo_uri as ENV when we pass the user and password |
I post that here because the other mentioned issues are container related (#380) or not related at all (#560) regarding the security implication. Will there be any progress on this? As correctly mentioned this is a high security risk and should not be necessary anywhere near production use. |
Describe the bug
Exporter tries to connect with MongoDB using the URI to get the metrics.
Here is the URI format.
mongodb://[username:password@]host1[:port1][,...hostN[:portN]][/[defaultauthdb][?options]]
When we do ps -ef we are able to see the password even though we try to render the password via an env and this can be a security breach when we use this in production environment.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
When we go the terminal and do ps -ef, password should be redacted.
Logs
Please provide logs relevant to the issue
Environment
The text was updated successfully, but these errors were encountered: