fix: Mask sensitive fields when reading container registry via the ma…

…nager GQL API (#1627)

changes/1627.fix.md

@@ -0,0 +1 @@
+Mask sensitive fields when reading the container registry information via the manager GraphQL API

src/ai/backend/manager/defs.py

@@ -26,6 +26,8 @@
 # The default container role name for multi-container sessions
 DEFAULT_ROLE: Final = "main"
 
+PASSWORD_PLACEHOLDER: Final = "*****"
+
 _RESERVED_VFOLDER_PATTERNS = [r"^\.[a-z0-9]+rc$", r"^\.[a-z0-9]+_profile$"]
 RESERVED_DOTFILES = [".terminfo", ".jupyter", ".ssh", ".ssh/authorized_keys", ".local", ".config"]
 RESERVED_VFOLDERS = [

src/ai/backend/manager/models/etcd.py

@@ -7,6 +7,7 @@
 
 from ai.backend.common.logging import BraceStyleAdapter
 
+from ..defs import PASSWORD_PLACEHOLDER
 from . import UserRole
 from .base import privileged_mutation, set_if_set
 
@@ -67,6 +68,7 @@ class Meta:
 
     @classmethod
     def from_row(cls, hostname: str, config: Mapping[str, str | list | None]) -> ContainerRegistry:
+        password = config.get("password", None)
         return cls(
             id=hostname,
             hostname=hostname,
@@ -75,7 +77,7 @@ def from_row(cls, hostname: str, config: Mapping[str, str | list | None]) -> Con
                 type=config.get("type"),
                 project=config.get("project", None),
                 username=config.get("username", None),
-                password=config.get("password", None),
+                password=PASSWORD_PLACEHOLDER if password is not None else None,
                 ssl_verify=config.get("ssl_verify", None),
             ),
         )