[ambari] branch branch-2.7 updated: AMBARI-25391 Ambari logging Grafana Password in ActionQueue.py (santal) (#3097)

Mon, 14 Oct 2019 02:31:52 -0700 

This is an automated email from the ASF dual-hosted git repository.

asnaik pushed a commit to branch branch-2.7
in repository https://gitbox.apache.org/repos/asf/ambari.git


The following commit(s) were added to refs/heads/branch-2.7 by this push:
     new f5cc6a4  AMBARI-25391 Ambari logging Grafana Password in 
ActionQueue.py (santal) (#3097)
f5cc6a4 is described below

commit f5cc6a46d1d56eebff294d2071a43b9f88b3d705
Author: Szilárd Antal <[email protected]>
AuthorDate: Mon Oct 14 11:31:30 2019 +0200

    AMBARI-25391 Ambari logging Grafana Password in ActionQueue.py (santal) 
(#3097)
    
    * AMBARI-25391 Ambari logging Grafana Password in ActionQueue.py (santal)
    
    * changed password replacement value
---
 .../src/main/python/ambari_agent/ActionQueue.py        | 12 ++++++++++--
 .../src/test/python/ambari_agent/TestActionQueue.py    | 18 +++++++++++++++++-
 2 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/ambari-agent/src/main/python/ambari_agent/ActionQueue.py 
b/ambari-agent/src/main/python/ambari_agent/ActionQueue.py
index 072083a..3403b98 100644
--- a/ambari-agent/src/main/python/ambari_agent/ActionQueue.py
+++ b/ambari-agent/src/main/python/ambari_agent/ActionQueue.py
@@ -25,6 +25,7 @@ import os
 import ambari_simplejson as json
 import time
 import signal
+import re
 
 from AgentException import AgentException
 from ambari_agent.BackgroundCommandExecutionHandle import 
BackgroundCommandExecutionHandle
@@ -37,6 +38,13 @@ installScriptHash = -1
 
 MAX_SYMBOLS_PER_LOG_MESSAGE = 7900
 
+PASSWORD_REPLACEMENT = '[PROTECTED]'
+PASSWORD_PATTERN = re.compile(r"('\S*password':\s*u?')(\S+)(')")
+
+def hide_passwords(text):
+  """ Replaces the matching passwords with **** in the given text """
+  return None if text is None else 
PASSWORD_PATTERN.sub(r'\1{}\3'.format(PASSWORD_REPLACEMENT), text)
+
 
 class ActionQueue(threading.Thread):
   """ Action Queue for the agent. We pick one command at a time from the queue
@@ -393,12 +401,12 @@ class ActionQueue(threading.Thread):
     If logs are redirected to syslog (syslog_enabled=1), this is very useful 
for logging big messages.
     As syslog usually truncates long messages.
     """
-    chunks = split_on_chunks(text, MAX_SYMBOLS_PER_LOG_MESSAGE)
+    chunks = split_on_chunks(hide_passwords(text), MAX_SYMBOLS_PER_LOG_MESSAGE)
     if len(chunks) > 1:
       for i in range(len(chunks)):
         logger.info("Cmd log for taskId={0} and chunk {1}/{2} of log for 
command: \n".format(taskId, i+1, len(chunks)) + chunks[i])
     else:
-      logger.info("Cmd log for taskId={0}: ".format(taskId) + text)
+      logger.info("Cmd log for taskId={0}: ".format(taskId) + chunks[0])
 
   def get_retry_delay(self, last_delay):
     """
diff --git a/ambari-agent/src/test/python/ambari_agent/TestActionQueue.py 
b/ambari-agent/src/test/python/ambari_agent/TestActionQueue.py
index ac14da4..16aff70 100644
--- a/ambari-agent/src/test/python/ambari_agent/TestActionQueue.py
+++ b/ambari-agent/src/test/python/ambari_agent/TestActionQueue.py
@@ -21,7 +21,7 @@ from Queue import Queue
 
 from unittest import TestCase
 from ambari_agent.LiveStatus import LiveStatus
-from ambari_agent.ActionQueue import ActionQueue
+from ambari_agent.ActionQueue import ActionQueue, hide_passwords
 from ambari_agent.AmbariConfig import AmbariConfig
 import os, errno, time, pprint, tempfile, threading
 import sys
@@ -1167,6 +1167,22 @@ class TestActionQueue(TestCase):
     },
   }
 
+  def test_hide_passwords_no_matching_password(self):
+    self.assertEqual(hide_passwords(None), None)
+    self.assertEqual(hide_passwords('No password in this text'), 'No password 
in this text')
+    self.assertEqual(hide_passwords("No 'password' 'in' this text'"), "No 
'password' 'in' this text'")
+    self.assertEqual(hide_passwords("No 'password': in this text"), "No 
'password': in this text")
+    self.assertEqual(hide_passwords("No u'password': u'' in this text"), "No 
u'password': u'' in this text")
+
+  def test_hide_passwords(self):
+    self.assertEqual(hide_passwords("u'password': u'changeIT!'"), 
"u'password': u'[PROTECTED]'")
+    self.assertEqual(hide_passwords("'password': 'password'"), "'password': 
'[PROTECTED]'")
+    self.assertEqual(hide_passwords("'some.password': 'password', 
'other.password': 'password',"), "'some.password': '[PROTECTED]', 
'other.password': '[PROTECTED]',")
+    self.assertEqual(hide_passwords("u'metrics_grafana_password': 
u'mypassword123!'"), "u'metrics_grafana_password': u'[PROTECTED]'")
+
+    self.assertEqual(hide_passwords("u'metrics_grafana_username': u'admin', 
u'metrics_grafana_password': u'mypassword123!', some text, 
u'clientssl.keystore.password': u'myKeyFilePassword', another text, "),
+                     "u'metrics_grafana_username': u'admin', 
u'metrics_grafana_password': u'[PROTECTED]', some text, 
u'clientssl.keystore.password': u'[PROTECTED]', another text, ")
+
 def patch_output_file(pythonExecutor):
   def windows_py(command, tmpout, tmperr):
     proc = MagicMock()

Reply via email to