Skip to content

Add server-side confluentdbutil showattrib subcommand#223

Open
Obihoernchen wants to merge 1 commit into
xcat2:masterfrom
Obihoernchen:showsecret
Open

Add server-side confluentdbutil showattrib subcommand#223
Obihoernchen wants to merge 1 commit into
xcat2:masterfrom
Obihoernchen:showsecret

Conversation

@Obihoernchen

@Obihoernchen Obihoernchen commented Jul 4, 2026

Copy link
Copy Markdown
Member

This PR adds confluentdbutil showattrib <noderange> <attribute>..., which prints stored attribute values directly from the on-disk config store. Unlike nodeattrib, it reveals secret.* (decrypted plaintext, e.g. a node's BMC password) and crypted.* (stored one-way hashes). Reading the store directly, it also works while confluent is stopped. Reuses the daemon's get_node_attributes(..., decrypt=True) and formats values like nodeattrib.

Why

No supported way existed to read a secret back out. The nodeattrib/the API only report whether a secret is set (crypt attributes are masked via msg.CryptedAttributes before any transport). Pretty much every confluent user asks me about this.

Fixes: #200

Security implications

  • Server-side only. Reads the config store and master key directly on disk; plaintext never crosses the socket or HTTP API. The API mask is untouched, so remote clients still cannot retrieve secrets.
  • Root / confluent-user only
  • Read-only, master key unlocked as the daemon does at startup (autogen=False).

Note: This capability "already existed". Any root user on the server could get the same plaintext with a few lines of Python.

Resolved open question

Showing crypted.* too: yes. They're one-way hashes, but exposing the stored hash is handy for automation and makes this a complete offline attribute reader. Now, all attributes are available via this subcommand.

@Obihoernchen Obihoernchen requested a review from jjohnson42 July 4, 2026 14:00

@jjohnson42 jjohnson42 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

At first glance, thinking it could go for some simplification. Auditlog and checking the user explicitly I think are superfluous since this utility is just run directly as the user without setuid or setgid or any daemon wrapping it.

Comment thread confluent_server/bin/confluentdbutil Outdated
Comment thread confluent_server/bin/confluentdbutil Outdated
@Obihoernchen

Copy link
Copy Markdown
Member Author

Yeah makes sense. Removed these checks.
What's your opinion on showing or not showing crypted.* values?

@jjohnson42

Copy link
Copy Markdown
Member

Might as well show the crypted attributes, maybe of limited utility to most folks, but someone might have a use for it, like feeding it to hashcat to see how well it stands up.

@Obihoernchen

Copy link
Copy Markdown
Member Author

Added crypted values and some notes to nodeattrib man pages.

@Obihoernchen Obihoernchen marked this pull request as ready for review July 4, 2026 16:19
@Obihoernchen Obihoernchen marked this pull request as draft July 4, 2026 17:41
@Obihoernchen

Copy link
Copy Markdown
Member Author

We have no filter now so I'll just make this work for all the attributes so it can be used to get attributes if confluentd is down. This way it's even more useful than just secrets.

@Obihoernchen Obihoernchen force-pushed the showsecret branch 2 times, most recently from bcc5efe to 8b19e19 Compare July 4, 2026 21:28
@Obihoernchen Obihoernchen changed the title Add server-side confluentdbutil showsecret subcommand Add server-side confluentdbutil showattrib subcommand Jul 4, 2026
@Obihoernchen Obihoernchen marked this pull request as ready for review July 4, 2026 21:37
@Obihoernchen

Obihoernchen commented Jul 4, 2026

Copy link
Copy Markdown
Member Author

Ok I guess it's finished now and is basically an offline / server-side version of nodeattrib. I just tried to match nodeattribs output formatting but didn't implement all it's features. I think that's more than good enough for it's usecase.

@Obihoernchen Obihoernchen requested a review from jjohnson42 July 4, 2026 21:39
Adds `confluentdbutil showattrib <noderange> <attribute>...` to print the
node attribute.

In contrast to nodeattrib it shows secrets and crypted values, too.
It's server-side only: reads the config store and master key directly, never over
the API.
It's read-only and works without confluentd running.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

tabdump/gettab replacements planned?

2 participants