Ability to prevent sensitive object content from getting written to logs [JIRA: RIAK-1916]

[michellep-basho]

Sorry for the redundancy, switching github accts :)

Description: Under certain conditions log files (e.g. crash.log) will pull in the contents of unencrypted or uncompressed objects. This is a problem for customers that store sensitive data especially if the log files need to be shared for troubleshooting purposes. These customers would like to have the option of excluding this data from the logs.

Drivers: data sensitivity

Requestors: customers, Ciprian M (Basho)

[jonmeredith]

erlang:process_flag(sensitive, true) will help with the crash.log, at the price of not being able to debug problems. Controlling that being set may be an option. Logging in general is tougher and requires a full audit.

Perhaps providing the notion of never-user-data, permit-keys, all-data or something like that as a configuration setting for either Riak or lager, and adding some extended modifiers to mark sensitive data in the format string.

[binarytemple]

@cipy didn't you have a suggestion in the chat room, about controlling the size of the dumps?

@jonmeredith would it require a patch to set erlang:process_flag(sensitive, true) before riak_core started up?

[jonmeredith]

@binarytemple nope, sensitive processes would need to check on startup - could potentially do it as a bucket type property.

[jonmeredith]

... for extra clarity.

The process itself needs to set it once it is created.

[binarytemple]

Is this going anywhere or should we just close out?