smolnar pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ambari.git
The following commit(s) were added to refs/heads/trunk by this push:
new a6aefd1 AMBARI-25043. Make sure we mask password properties when
fetching sensitive Ambari configuration via the API (just like we do it for
service configs) (#2763)
a6aefd1 is described below
commit a6aefd1cc942096aa6d212d598618563f6025457
Author: Sandor Molnar <[email protected]>
AuthorDate: Mon Jan 14 17:08:08 2019 +0100
AMBARI-25043. Make sure we mask password properties when fetching sensitive
Ambari configuration via the API (just like we do it for service configs)
(#2763)
---
...viceComponentConfigurationResourceProvider.java | 3 +-
.../ambari/server/utils/SecretReference.java | 35 +++++++++++++++-------
2 files changed, 27 insertions(+), 11 deletions(-)
diff --git
a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/RootServiceComponentConfigurationResourceProvider.java
b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/RootServiceComponentConfigurationResourceProvider.java
index 11e9da8..1c20bfd 100644
---
a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/RootServiceComponentConfigurationResourceProvider.java
+++
b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/RootServiceComponentConfigurationResourceProvider.java
@@ -40,6 +40,7 @@ import
org.apache.ambari.server.controller.spi.UnsupportedPropertyException;
import org.apache.ambari.server.controller.utilities.PredicateHelper;
import org.apache.ambari.server.controller.utilities.PropertyHelper;
import org.apache.ambari.server.security.authorization.RoleAuthorization;
+import org.apache.ambari.server.utils.SecretReference;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
@@ -210,7 +211,7 @@ public class
RootServiceComponentConfigurationResourceProvider extends AbstractA
setResourceProperty(resource, CONFIGURATION_SERVICE_NAME_PROPERTY_ID,
serviceName, requestedIds);
setResourceProperty(resource, CONFIGURATION_COMPONENT_NAME_PROPERTY_ID,
componentName, requestedIds);
setResourceProperty(resource, CONFIGURATION_CATEGORY_PROPERTY_ID,
categoryName, requestedIds);
- setResourceProperty(resource, CONFIGURATION_PROPERTIES_PROPERTY_ID,
properties, requestedIds);
+ setResourceProperty(resource, CONFIGURATION_PROPERTIES_PROPERTY_ID,
SecretReference.maskPasswordInPropertyMap(properties), requestedIds);
setResourceProperty(resource, CONFIGURATION_PROPERTY_TYPES_PROPERTY_ID,
propertyTypes, requestedIds);
return resource;
}
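Review bot: The `CONFIGURATION_PROPERTIES_PROPERTY_ID` line now returns the mask placeholder in place of each password value, so a client that reads this resource and writes the same map back would submit the placeholder as the password. The update path is not visible in this hunk, so it should be confirmed that it recognises the placeholder and keeps the stored secret rather than persisting it. A comment on the changed line would record the contract, for example `// masked for display only; update handlers must never persist the placeholder as the real value`. The enclosing method starts outside the hunk.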
diff --git
a/ambari-server/src/main/java/org/apache/ambari/server/utils/SecretReference.java
b/ambari-server/src/main/java/org/apache/ambari/server/utils/SecretReference.java
index dfd925d..7d556c1 100644
---
a/ambari-server/src/main/java/org/apache/ambari/server/utils/SecretReference.java
+++
b/ambari-server/src/main/java/org/apache/ambari/server/utils/SecretReference.java
@@ -94,17 +94,32 @@ public class SecretReference {
* @return New string with the passwords masked, or null if the property map
is null.
*/
public static String maskPasswordInPropertyMap(String propertyMap) {
- if (null == propertyMap) return null;
- Map<String, String> maskedMap = new HashMap<>();
- Map<String, String> map = gson.fromJson(propertyMap, new
TypeToken<Map<String, String>>() {}.getType());
- for (Map.Entry<String, String> e : map.entrySet()) {
- String value = e.getValue();
- if (e.getKey().toLowerCase().contains(PASSWORD_TEXT) ||
e.getKey().toLowerCase().contains(PASSWD_TEXT)) {
- value = secretPrefix;
- }
- maskedMap.put(e.getKey(), value);
+ if (null == propertyMap) {
+ return null;
+ }
+ final Map<String, String> map = gson.fromJson(propertyMap, new
TypeToken<Map<String, String>>() {}.getType());
+ return gson.toJson(maskPasswordInPropertyMap(map));
+ }
+
+ /**
+ * Helper function to mask a string of properties that may contain a
property with a password.
+ * @param propertyMap Property map to mask by replacing any passwords with
the text "SECRET"
+ * @return a new map with the passwords masked, or null if the
<code>propertyMap</code> is null.
+ */
+ public static Map<String, String> maskPasswordInPropertyMap(Map<String,
String> propertyMap) {
+ if (null == propertyMap) {
+ return null;
+ }
+ final Map<String, String> maskedMap = new HashMap<>();
+ for (Map.Entry<String, String> property : propertyMap.entrySet()) {
+ String value = isPassword(property.getKey()) ? secretPrefix :
property.getValue();
+ maskedMap.put(property.getKey(), value);
}
- return gson.toJson(maskedMap);
+ return maskedMap;
+ }
+
+ private final static boolean isPassword(String propertyName) {
+ return propertyName.toLowerCase().contains(PASSWORD_TEXT) ||
propertyName.toLowerCase().contains(PASSWD_TEXT);
}
/**
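Review bot: `isPassword` classifies a property only by whether its name contains `PASSWORD_TEXT` or `PASSWD_TEXT`, so a sensitive value stored under any other key name is returned unmasked by both `maskPasswordInPropertyMap` overloads. The Javadoc on the new `Map` overload should state that limit; it is also copied from the String overload ("mask a string of properties") and names the literal "SECRET" where the code writes `secretPrefix`. A suggested summary is `Returns a copy of the map in which the value of every property whose name contains "password" or "passwd" (case-insensitive) is replaced by secretPrefix; no other keys are masked.` The public `Map` overload also passes keys straight to `toLowerCase()`, so a null key would throw; a guard such as `return propertyName != null && (...)` in `isPassword` avoids that. As a style point, `private final static` can be `private static`, because `final` adds nothing on a private static method.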