Default security password in logs [solved]


#1

I noticed that some Spinnaker services (gate for instance) print some default Spring Security password:

/tmp → kubectl logs spin-gate-v022-6xqxl -c spin-gate | grep password
Using default security password: 4a98a7c1-b06a-4805-8e6e-4e43bfc49072

The same goes for Orca, Clouddriver, Front50.

That raises questions by our security team.

What’s the purpose of this password? If there’s none then it should be completely disabled in my opinion. Any thoughts?


#2

Created an issue: https://github.com/spinnaker/spinnaker/issues/2616


#3

This password is automatically generated by Spring Boot when Spring Security is detected. As you probably can tell, it’s a random GUID and changes at every restart.

You can set it to a known quantity (therefore preventing it from being printed to the logs) by these settings in either ~/.hal/$DEPLOYMENT/profiles/spinnaker-local.yml or $SERVICENAME-local.yml (see here for more details on custom profiles):

security:
  user:
    name: user # default
    password: s3kr3t

An admin can then use HTTP basic authentication with this username and password to access “management endpoints” on each service, such as /env, /autoconfig, etc. See Spring Boot docs for additional context.
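A quick way to audit this across a deployment, as an added example that is not part of the thread or the Spinnaker project: the functions below pull the auto-generated password out of a service's log text, list which services still print the banner, and emit the profile override from the reply above. The log excerpts are constructed to resemble the output quoted in #1 (the Orca GUID and the timestamps are made up); in a real cluster you would feed them from `kubectl logs <pod> -c <container>` instead.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): detect Spring Boot's
# "Using default security password" banner in Spinnaker service logs.
set -eu

# Constructed sample logs, one per service. Only gate and orca still print
# the banner; front50 has the security.user.password override applied.
GATE_LOG='2019-02-11 10:00:00.101  INFO 1 --- [main] o.s.b.a.s.AuthenticationManagerConfiguration : Using default security password: 4a98a7c1-b06a-4805-8e6e-4e43bfc49072
2019-02-11 10:00:03.220  INFO 1 --- [main] com.netflix.spinnaker.gate.Main : Started Main in 12.3 seconds'
ORCA_LOG='2019-02-11 10:00:00.412  INFO 1 --- [main] o.s.b.a.s.AuthenticationManagerConfiguration : Using default security password: 0c2d6e8f-1a3b-4c5d-8e7f-9a0b1c2d3e4f'
FRONT50_LOG='2019-02-11 10:00:01.003  INFO 1 --- [main] com.netflix.spinnaker.front50.Main : Started Main in 9.8 seconds'

# Print the generated password (a 36-char UUID) if the banner is present in
# the given log text, otherwise print nothing. First match wins.
extract_default_password() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Using default security password: \([0-9a-f-]\{36\}\).*/\1/p' \
        | head -n 1
}

# Args: alternating service name and log text. Prints, one per line, the
# services whose logs still carry the banner, i.e. those that need the
# security.user.password override in their *-local.yml profile.
services_with_default_password() {
    while [ "$#" -ge 2 ]; do
        if [ -n "$(extract_default_password "$2")" ]; then
            printf '%s\n' "$1"
        fi
        shift 2
    done
}

# Emit the profile override from the reply above. The password argument is a
# placeholder; generate a unique random value per deployment and keep it out
# of version control.
profile_override() {
    printf 'security:\n  user:\n    name: %s\n    password: %s\n' "$1" "$2"
}

# Stand-alone run over the constructed logs.
echo "Services still printing a generated password:"
services_with_default_password \
    spin-gate "$GATE_LOG" \
    spin-orca "$ORCA_LOG" \
    spin-front50 "$FRONT50_LOG"
echo
echo "Override to add to ~/.hal/\$DEPLOYMENT/profiles/<service>-local.yml:"
profile_override user "$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')"
```

Two caveats for a real audit: the banner is only emitted at startup, so check logs from the container's most recent restart (`kubectl logs --previous` if it has restarted since), and because the value is regenerated on every restart, a GUID seen in an old log is not by itself a live credential; the finding is that the endpoint is reachable with whatever the current one is.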