From 3eb2c0453941eeef37fe533146414cc942cb0c3e Mon Sep 17 00:00:00 2001
From: octodog
Date: Fri, 29 Nov 2024 10:00:15 +0900
Subject: [PATCH] fix: Prevent redis password from being logged (#3031) (#3165)
Co-authored-by: Gyubong Lee
---
 changes/3031.fix.md | 1 +
 src/ai/backend/common/types.py | 7 +++++++
 src/ai/backend/storage/server.py | 20 ++++++++++++++++----
 3 files changed, 24 insertions(+), 4 deletions(-)
 create mode 100644 changes/3031.fix.md
diff --git a/changes/3031.fix.md b/changes/3031.fix.md
new file mode 100644
index 0000000000..4a478e6ade
--- /dev/null
+++ b/changes/3031.fix.md
@@ -0,0 +1 @@
+Prevent redis password from being logged.
diff --git a/src/ai/backend/common/types.py b/src/ai/backend/common/types.py
index 7c468af0e1..36cf7131dd 100644
--- a/src/ai/backend/common/types.py
+++ b/src/ai/backend/common/types.py
@@ -1117,6 +1117,13 @@ class EtcdRedisConfig(TypedDict, total=False):
 redis_helper_config: RedisHelperConfig
+def safe_print_redis_config(config: EtcdRedisConfig) -> str:
+ safe_config = config.copy()
+ if "password" in safe_config:
+ safe_config["password"] = "********"
+ return str(safe_config)
+
+
 class RedisHelperConfig(TypedDict, total=False):
 socket_timeout: float
 socket_connect_timeout: float
diff --git a/src/ai/backend/storage/server.py b/src/ai/backend/storage/server.py
index 70cbde78f5..f6d2eae533 100644
--- a/src/ai/backend/storage/server.py
+++ b/src/ai/backend/storage/server.py
@@ -26,7 +26,7 @@
 from ai.backend.common.defs import REDIS_STREAM_DB
 from ai.backend.common.events import EventDispatcher, EventProducer
 from ai.backend.common.logging import BraceStyleAdapter, Logger
-from ai.backend.common.types import LogSeverity
+from ai.backend.common.types import LogSeverity, safe_print_redis_config
 from ai.backend.common.utils import env_info
 from . import __version__ as VERSION
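Review bot: In src/ai/backend/common/types.py, `safe_print_redis_config` masks only a top-level `password` key, so a credential held under any other key or inside a nested value would still come back in clear from `str(safe_config)`. EtcdRedisConfig's full field list lies outside this hunk, so it should be checked against the type before relying on the helper. The function also has no docstring and, despite its name, returns a string rather than printing; I would add `"""Return str(config) with the value of "password" replaced by a fixed mask, for use in log messages."""`. The fixed-width mask is a sound choice because it does not reveal the password's length.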
@@ -95,7 +95,11 @@ async def server_main(
 redis_config = redis_config_iv.check(
 await etcd.get_prefix("config/redis"),
 )
- log.info("PID: {0} - configured redis_config: {1}", pidx, redis_config)
+ log.info(
+ "PID: {0} - configured redis_config: {1}",
+ pidx,
+ safe_print_redis_config(redis_config),
+ )
 except Exception as e:
 log.exception("Unable to read config from etcd")
 raise e
@@ -105,7 +109,11 @@ async def server_main(
 db=REDIS_STREAM_DB,
 log_events=local_config["debug"]["log-events"],
 )
- log.info("PID: {0} - Event producer created. (redis_config: {1})", pidx, redis_config)
+ log.info(
+ "PID: {0} - Event producer created. (redis_config: {1})",
+ pidx,
+ safe_print_redis_config(redis_config),
+ )
 event_dispatcher = await EventDispatcher.new(
 redis_config,
 db=REDIS_STREAM_DB,
@@ -113,7 +121,11 @@ async def server_main(
 node_id=local_config["storage-proxy"]["node-id"],
 consumer_group=EVENT_DISPATCHER_CONSUMER_GROUP,
 )
- log.info("PID: {0} - Event dispatcher created. (redis_config: {1})", pidx, redis_config)
+ log.info(
+ "PID: {0} - Event dispatcher created. (redis_config: {1})",
+ pidx,
+ safe_print_redis_config(redis_config),
+ )
 if local_config["storage-proxy"]["use-watcher"]:
 if not _is_root():
 raise ValueError(
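Review bot: Redaction in server_main depends on every call site remembering to wrap the config. The `log.info` call in this hunk and those in the hunks at new lines 109 and 121 now pass `safe_print_redis_config(redis_config)`, but any other statement that formats `redis_config` directly would still write the password, and storage/server.py is the only caller changed in this patch. Since the masked string is the same each time, it could be computed once after `redis_config_iv.check(...)`, e.g. `redis_config_repr = safe_print_redis_config(redis_config)`, and reused in all three messages. The removed lines logged the password at info level, so log files written by earlier versions may still contain it and the credential is worth rotating. server_main's body starts and ends outside these hunks.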