Remove or Redact the user and password from the url.full opentelemetry field. #8437
Comments
Hi @zitzerd, sorry for the late reply. May I ask how you specify the basic-auth username/password?

```csharp
var settings = new ElasticsearchClientSettings(new Uri("https://..."))
    .Authentication(new BasicAuthentication("elastic", "my_password"))
```

creates an HTTP Basic-Auth header which should never end up in the URL. If you explicitly use
Hi @flobernd, thanks for the reply! I'm using the Aspire integration and specifying a password on the host side. They are actually sending the u/p in the URL as a connection string env var. After your mail I debugged the integration, and they are passing the full URL in the method CreateElasticSearchClientSettings, which uses an ElasticSearchClientSettings default constructor. I'll talk with them, and in the meantime I'll send my own ElasticSearchClientSettings on the client side, and see if the Aspire team can improve the client integration.

```csharp
private static ElasticsearchClientSettings CreateElasticsearchClientSettings(
    ElasticClientsElasticsearchSettings settings,
    string connectionName,
    string configurationSectionName)
{
    if (settings.Endpoint is not null)
    {
        return new ElasticsearchClientSettings(settings.Endpoint);
    }
    else if (settings.CloudId is not null && settings.ApiKey is not null)
    {
        return new(settings.CloudId, new ApiKey(settings.ApiKey));
    }
    throw new InvalidOperationException(
        $"A ElasticsearchClient could not be configured. Ensure valid connection information was provided in 'ConnectionStrings:{connectionName}' or either " +
        $"{nameof(settings.Endpoint)} must be provided " +
        $"in the '{configurationSectionName}' configuration section.");
}
```
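The client-side workaround mentioned in the comment above, sketched as an added example that is not part of the original thread or of the Aspire or Elastic code: it strips `user:password@` from the endpoint URI and hands the credentials to `BasicAuthentication` instead. `CredentialFreeSettings` and `FromEndpoint` are hypothetical names, and the sample URI is constructed.

```csharp
using System;
using Elastic.Clients.Elasticsearch;
using Elastic.Transport;

public static class CredentialFreeSettings
{
    // Hypothetical helper: accepts an endpoint that may embed "user:password@"
    // (as a connection-string URL can) and returns settings whose node URI
    // carries no userinfo component.
    public static ElasticsearchClientSettings FromEndpoint(Uri endpoint)
    {
        if (string.IsNullOrEmpty(endpoint.UserInfo))
        {
            // Nothing embedded; the URI can be used as-is.
            return new ElasticsearchClientSettings(endpoint);
        }

        // UserInfo is "user" or "user:password" and is still percent-encoded.
        // Split on the first ':' only, since a password may contain encoded or
        // literal colons after it.
        var parts = endpoint.UserInfo.Split(':', 2);
        var user = Uri.UnescapeDataString(parts[0]);
        var password = parts.Length > 1
            ? Uri.UnescapeDataString(parts[1])
            : string.Empty;

        // Rebuild the URI without credentials, so the request URL the client
        // works with no longer contains them.
        var clean = new UriBuilder(endpoint)
        {
            UserName = string.Empty,
            Password = string.Empty
        }.Uri;

        // Credentials now travel in the Basic-Auth header, not in the URL.
        return new ElasticsearchClientSettings(clean)
            .Authentication(new BasicAuthentication(user, password));
    }
}

// Usage with a constructed value:
// var settings = CredentialFreeSettings.FromEndpoint(
//     new Uri("https://elastic:p%40ss@es.example.internal:9200"));
// var client = new ElasticsearchClient(settings);
```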
Thanks for checking! This indeed looks like something that should be fixed in the Elasticsearch Aspire package 🙂 Please let me know, if there is anything else I can do; otherwise I'm going to close this issue for now.

This issue is stale because it has been open 5 days with no activity. Remove stale label or comment or this will be closed in 2 days.

This issue was closed because it has been stalled for 2 days with no activity.

When testing Elasticsearch client 8.15.x with Aspire, I notice that the trace includes the username and password of the connection when using basic auth.
Is it possible to redact or remove the user password? Or, as a workaround, remove the field till it's redacted?
Thanks