When running CREATE USER command, does secret password appear in plain text (in logs, etc.)?

Hello,

When running CREATE USER command, does secret password appear in plain text (in logs, etc.)? According to Create user — CrateDB: Tutorials I can run the following SQL command in crash:

cr> CREATE USER username WITH (password = 'a_secret_password');

but then I wonder if the password will be visible in plain text in log files, history files, etc.

Is there a workaround for this?

For example, when I use PostgreSQL’s psql command line client, I can use \password command and “This makes sure that the new password does not appear in cleartext in the command history, the server log, or elsewhere.”


By default this would not be logged to disk, as job logs are not persisted. However, it would show up in the sys.jobs_log table. Only the crate super user has access to all jobs logs (i.e. you would need access to the cluster itself to see or change passwords).

One can set a stats.jobs_log_filter like

classification['type'] = 'DDL'

or

stmt LIKE 'CREATE USER%'

to prevent any logging.

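An added example, not part of the original thread: stats.jobs_log_filter is a boolean expression that selects which statements are recorded in sys.jobs_log, so this sketch uses the negated form to keep password-setting statements out of the table and then verifies the result. It assumes a superuser session in crash; the user name filter_check and its password are constructed for the check.

```sql
-- Added example. Assumes a CrateDB superuser session (for instance in crash).

-- Record only statements that do NOT set a password. The setting's value is
-- a SQL expression passed as a string, so the inner quotes are doubled.
-- LIKE is case-sensitive and anchored at the start of the statement, so the
-- user-management statements must be issued in upper case with no leading
-- whitespace for the filter to catch them.
SET GLOBAL PERSISTENT "stats.jobs_log_filter" =
  'stmt NOT LIKE ''CREATE USER%'' AND stmt NOT LIKE ''ALTER USER%''';

-- Confirm the cluster-wide setting took effect.
SELECT settings['stats']['jobs_log_filter'] AS jobs_log_filter
FROM sys.cluster;

-- Create a throwaway user (constructed name and password) ...
CREATE USER filter_check WITH (password = 'constructed-example-only');

-- ... and verify that the statement was not recorded. Expect zero rows.
-- This only covers statements issued after the filter was set.
SELECT started, username, stmt
FROM sys.jobs_log
WHERE stmt LIKE 'CREATE USER filter_check%'
ORDER BY started DESC;

-- Remove the throwaway user.
DROP USER filter_check;
```

If the verification query returns a row, the statement text, including the password, is readable by anyone who can query sys.jobs_log for that job.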