[ambari] branch trunk updated: AMBARI-25391: Ambari logging Grafana Password in ActionQueue.py (#3497)

Mon, 14 Nov 2022 08:42:08 -0800 

This is an automated email from the ASF dual-hosted git repository.

wuzhiguo pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ambari.git


The following commit(s) were added to refs/heads/trunk by this push:
     new d1cb2cb025 AMBARI-25391: Ambari logging Grafana Password in 
ActionQueue.py (#3497)
d1cb2cb025 is described below

commit d1cb2cb025f8a868bbabe451fbbf0d2354a924dc
Author: Zhiguo Wu <[email protected]>
AuthorDate: Tue Nov 15 00:39:41 2022 +0800

    AMBARI-25391: Ambari logging Grafana Password in ActionQueue.py (#3497)
---
 .../src/main/python/ambari_agent/ActionQueue.py        | 12 ++++++++++--
 .../src/test/python/ambari_agent/TestActionQueue.py    | 18 +++++++++++++++++-
 2 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/ambari-agent/src/main/python/ambari_agent/ActionQueue.py 
b/ambari-agent/src/main/python/ambari_agent/ActionQueue.py
index 3c979a6b3f..60d84eda88 100644
--- a/ambari-agent/src/main/python/ambari_agent/ActionQueue.py
+++ b/ambari-agent/src/main/python/ambari_agent/ActionQueue.py
@@ -25,6 +25,7 @@ import os
 import ambari_simplejson as json
 import time
 import signal
+import re
 
 from AgentException import AgentException
 from ambari_agent.BackgroundCommandExecutionHandle import 
BackgroundCommandExecutionHandle
@@ -37,6 +38,13 @@ installScriptHash = -1
 
 MAX_SYMBOLS_PER_LOG_MESSAGE = 7900
 
+PASSWORD_REPLACEMENT = '[PROTECTED]'
+PASSWORD_PATTERN = re.compile(r"('\S*password':\s*u?')(\S+)(')")
+
+def hide_passwords(text):
+  """ Replaces the matching passwords with **** in the given text """
+  return None if text is None else 
PASSWORD_PATTERN.sub(r'\1{}\3'.format(PASSWORD_REPLACEMENT), text)
+
 
 class ActionQueue(threading.Thread):
   """ Action Queue for the agent. We pick one command at a time from the queue
@@ -393,12 +401,12 @@ class ActionQueue(threading.Thread):
     If logs are redirected to syslog (syslog_enabled=1), this is very useful 
for logging big messages.
     As syslog usually truncates long messages.
     """
-    chunks = split_on_chunks(text, MAX_SYMBOLS_PER_LOG_MESSAGE)
+    chunks = split_on_chunks(hide_passwords(text), MAX_SYMBOLS_PER_LOG_MESSAGE)
     if len(chunks) > 1:
       for i in range(len(chunks)):
         logger.info("Cmd log for taskId={0} and chunk {1}/{2} of log for 
command: \n".format(taskId, i+1, len(chunks)) + chunks[i])
     else:
-      logger.info("Cmd log for taskId={0}: ".format(taskId) + text)
+      logger.info("Cmd log for taskId={0}: ".format(taskId) + chunks[0])
 
   def get_retry_delay(self, last_delay):
     """
diff --git a/ambari-agent/src/test/python/ambari_agent/TestActionQueue.py 
b/ambari-agent/src/test/python/ambari_agent/TestActionQueue.py
index ac14da4e35..16aff70017 100644
--- a/ambari-agent/src/test/python/ambari_agent/TestActionQueue.py
+++ b/ambari-agent/src/test/python/ambari_agent/TestActionQueue.py
@@ -21,7 +21,7 @@ from Queue import Queue
 
 from unittest import TestCase
 from ambari_agent.LiveStatus import LiveStatus
-from ambari_agent.ActionQueue import ActionQueue
+from ambari_agent.ActionQueue import ActionQueue, hide_passwords
 from ambari_agent.AmbariConfig import AmbariConfig
 import os, errno, time, pprint, tempfile, threading
 import sys
@@ -1167,6 +1167,22 @@ class TestActionQueue(TestCase):
     },
   }
 
+  def test_hide_passwords_no_matching_password(self):
+    self.assertEqual(hide_passwords(None), None)
+    self.assertEqual(hide_passwords('No password in this text'), 'No password 
in this text')
+    self.assertEqual(hide_passwords("No 'password' 'in' this text'"), "No 
'password' 'in' this text'")
+    self.assertEqual(hide_passwords("No 'password': in this text"), "No 
'password': in this text")
+    self.assertEqual(hide_passwords("No u'password': u'' in this text"), "No 
u'password': u'' in this text")
+
+  def test_hide_passwords(self):
+    self.assertEqual(hide_passwords("u'password': u'changeIT!'"), 
"u'password': u'[PROTECTED]'")
+    self.assertEqual(hide_passwords("'password': 'password'"), "'password': 
'[PROTECTED]'")
+    self.assertEqual(hide_passwords("'some.password': 'password', 
'other.password': 'password',"), "'some.password': '[PROTECTED]', 
'other.password': '[PROTECTED]',")
+    self.assertEqual(hide_passwords("u'metrics_grafana_password': 
u'mypassword123!'"), "u'metrics_grafana_password': u'[PROTECTED]'")
+
+    self.assertEqual(hide_passwords("u'metrics_grafana_username': u'admin', 
u'metrics_grafana_password': u'mypassword123!', some text, 
u'clientssl.keystore.password': u'myKeyFilePassword', another text, "),
+                     "u'metrics_grafana_username': u'admin', 
u'metrics_grafana_password': u'[PROTECTED]', some text, 
u'clientssl.keystore.password': u'[PROTECTED]', another text, ")
+
 def patch_output_file(pythonExecutor):
   def windows_py(command, tmpout, tmperr):
     proc = MagicMock()


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to