Updated Branches: refs/heads/master 57d1762e1 -> 292566356
OOZIE-1641 Oozie should mask the signature secret in the configuration output (rkanter) Project: http://git-wip-us.apache.org/repos/asf/oozie/repo Commit: http://git-wip-us.apache.org/repos/asf/oozie/commit/29256635 Tree: http://git-wip-us.apache.org/repos/asf/oozie/tree/29256635 Diff: http://git-wip-us.apache.org/repos/asf/oozie/diff/29256635 Branch: refs/heads/master Commit: 292566356c8ddeab657ad3e54bfd514151f51872 Parents: 57d1762 Author: Robert Kanter <[email protected]> Authored: Thu Jan 2 13:24:35 2014 -0800 Committer: Robert Kanter <[email protected]> Committed: Thu Jan 2 13:24:35 2014 -0800 ---------------------------------------------------------------------- .../oozie/service/ConfigurationService.java | 32 +++++++++++------ .../org/apache/oozie/util/Instrumentation.java | 13 ++----- .../oozie/service/TestConfigurationService.java | 17 +++++++++ core/src/test/resources/oozie-site-mask.xml | 36 ++++++++++++++++++++ release-log.txt | 1 + 5 files changed, 77 insertions(+), 22 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/oozie/blob/29256635/core/src/main/java/org/apache/oozie/service/ConfigurationService.java ----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/oozie/service/ConfigurationService.java b/core/src/main/java/org/apache/oozie/service/ConfigurationService.java
index 1c02802..798782e 100644
--- a/core/src/main/java/org/apache/oozie/service/ConfigurationService.java
+++ b/core/src/main/java/org/apache/oozie/service/ConfigurationService.java
@@ -82,8 +82,7 @@ public class ConfigurationService implements Service, Instrumentable { private static final Set<String> IGNORE_SYS_PROPS = new HashSet<String>(); private static final String IGNORE_TEST_SYS_PROPS = "oozie.test."; - - private static final String PASSWORD_PROPERTY_END = ".password"; + private static final Set<String> MASK_PROPS = new HashSet<String>(); static { IGNORE_SYS_PROPS.add(CONF_IGNORE_SYS_PROPS); @@ -101,6 +100,10 @@ public class ConfigurationService implements Service, Instrumentable { IGNORE_SYS_PROPS.add(XLogService.OOZIE_LOG_DIR); IGNORE_SYS_PROPS.add(XLogService.LOG4J_FILE); IGNORE_SYS_PROPS.add(XLogService.LOG4J_RELOAD); + + // These properties should be masked when displayed because they contain sensitive info (e.g. password) + MASK_PROPS.add(JPAService.CONF_PASSWORD); + MASK_PROPS.add("oozie.authentication.signature.secret"); } public static final String DEFAULT_CONFIG_FILE = "oozie-default.xml"; @@ -218,8 +221,7 @@ public class ConfigurationService implements Service, Instrumentable { try { StringWriter writer = new StringWriter(); for (Map.Entry<String, String> entry : configuration) { - boolean maskValue = entry.getKey().endsWith(PASSWORD_PROPERTY_END); - String value = (maskValue) ? "**MASKED**" : entry.getValue(); + String value = getValue(configuration, entry.getKey()); writer.write(" " + entry.getKey() + " = " + value + "\n"); } writer.close(); @@ -274,7 +276,7 @@ public class ConfigurationService implements Service, Instrumentable { public String get(String name, String defaultValue) { String value = get(name); if (value == null) { - boolean maskValue = name.endsWith(PASSWORD_PROPERTY_END); + boolean maskValue = MASK_PROPS.contains(name); value = defaultValue; String logValue = (maskValue) ? "**MASKED**" : defaultValue; log.warn(XLog.OPS, "Configuration property [{0}] not found, using default [{1}]", name, logValue); 
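Review bot: Replacing the `.password` suffix test with the exact-match `MASK_PROPS` set (field in the -82 hunk, entries in the -101 hunk) narrows what is masked: only `JPAService.CONF_PASSWORD` and `oozie.authentication.signature.secret` are hidden now, so any other property whose name ends in `.password` is written in clear to the configuration dump, the `get`/`set` log lines and the instrumentation view. The same narrowing applies in the `get` hunk at -274, the `set` hunk at -284 and `getValue` in the -312 hunk. Keeping `PASSWORD_PROPERTY_END` and testing both would preserve the previous coverage, e.g. `boolean maskValue = MASK_PROPS.contains(name) || name.endsWith(PASSWORD_PROPERTY_END);`. A comment on `MASK_PROPS` stating that every new secret-bearing key must be registered there would also help future maintainers.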
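Review bot: In the configuration dump loop (hunk at -218), `getValue(configuration, entry.getKey())` reads the value through `Configuration.get`, whereas the removed line used `entry.getValue()`. Hadoop's `Configuration.get` expands `${...}` references while iteration yields the stored text, so a non-masked property that references a masked one would, as far as I can tell, now be printed with the secret substituted in. `getMaskedConfiguration` in the -312 hunk goes through the same helper and shares the issue. Using the entry's own value avoids the expansion: `String value = MASK_PROPS.contains(entry.getKey()) ? "**MASKED**" : entry.getValue();`. The enclosing method starts and ends outside the hunk.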
@@ -284,7 +286,7 @@ public class ConfigurationService implements Service, Instrumentable { public void set(String name, String value) { setValue(name, value); - boolean maskValue = name.endsWith(PASSWORD_PROPERTY_END); + boolean maskValue = MASK_PROPS.contains(name); value = (maskValue) ? "**MASKED**" : value; log.info(XLog.OPS, "Programmatic configuration change, property[{0}]=[{1}]", name, value); } @@ -312,24 +314,32 @@ public class ConfigurationService implements Service, Instrumentable { return configFile; } }); - instr.setConfiguration(configuration); } /** * Return a configuration with all sensitive values masked. * - * @param conf configuration to mask. * @return masked configuration. */ - public static Configuration maskPasswords(Configuration conf) { + public Configuration getMaskedConfiguration() { XConfiguration maskedConf = new XConfiguration(); + Configuration conf = getConf(); for (Map.Entry<String, String> entry : conf) { String name = entry.getKey(); - boolean maskValue = name.endsWith(PASSWORD_PROPERTY_END); - String value = (maskValue) ? "**MASKED**" : entry.getValue(); + String value = getValue(conf, name); maskedConf.set(name, value); } return maskedConf; } + private String getValue(Configuration config, String key) { + String value; + if (MASK_PROPS.contains(key)) { + value = "**MASKED**"; + } + else { + value = config.get(key); + } + return value; + } } http://git-wip-us.apache.org/repos/asf/oozie/blob/29256635/core/src/main/java/org/apache/oozie/util/Instrumentation.java ---------------------------------------------------------------------- diff --git a/core/src/main/java/org/apache/oozie/util/Instrumentation.java b/core/src/main/java/org/apache/oozie/util/Instrumentation.java index ca17f50..39ee334 100644 --- a/core/src/main/java/org/apache/oozie/util/Instrumentation.java +++ b/core/src/main/java/org/apache/oozie/util/Instrumentation.java 
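Review bot: The new private helper `getValue` at the end of the -312 hunk is the place that decides whether a value is hidden, but it has no Javadoc and its name reads like a plain accessor; `get` and `set` (hunks at -274 and -284) repeat the `MASK_PROPS.contains(name)` test inline instead of calling it. I would rename it to something like `getMaskedValue` and document it with `/** Returns "**MASKED**" for keys in MASK_PROPS, otherwise the configured value. */`, so a later change to the masking rule is made in one place. The Javadoc of `getMaskedConfiguration` could also state that it returns a copy built from `getConf()` and that the live configuration still holds the clear values.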
@@ -19,6 +19,7 @@ package org.apache.oozie.util; import org.apache.hadoop.conf.Configuration; import org.apache.oozie.service.ConfigurationService; +import org.apache.oozie.service.Services; import java.util.ArrayList; import java.util.Collection; @@ -46,7 +47,6 @@ public class Instrumentation { private Lock timerLock; private Lock variableLock; private Lock samplerLock; - private Configuration configuration; private Map<String, Map<String, Map<String, Object>>> all; private Map<String, Map<String, Element<Long>>> counters; private Map<String, Map<String, Element<Timer>>> timers; @@ -554,15 +554,6 @@ public class Instrumentation { } /** - * Set the system configuration. - * - * @param configuration system configuration. - */ - public void setConfiguration(Configuration configuration) { - this.configuration = configuration; - } - - /** * Return the JVM system properties. * * @return JVM system properties. @@ -587,7 +578,7 @@ public class Instrumentation { * @return the current system configuration as a Map<String,String>. */ public Map<String, String> getConfiguration() { - final Configuration maskedConf = ConfigurationService.maskPasswords(configuration); + final Configuration maskedConf = Services.get().get(ConfigurationService.class).getMaskedConfiguration(); return new Map<String, String>() { public int size() { http://git-wip-us.apache.org/repos/asf/oozie/blob/29256635/core/src/test/java/org/apache/oozie/service/TestConfigurationService.java ---------------------------------------------------------------------- diff --git a/core/src/test/java/org/apache/oozie/service/TestConfigurationService.java b/core/src/test/java/org/apache/oozie/service/TestConfigurationService.java index e00a252..80495c8 100644 --- a/core/src/test/java/org/apache/oozie/service/TestConfigurationService.java +++ b/core/src/test/java/org/apache/oozie/service/TestConfigurationService.java 
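Review bot: `getConfiguration()` in the -587 hunk now dereferences `Services.get()` and the looked-up `ConfigurationService` without a null check, where the removed code used a field handed in through `setConfiguration`. If `Instrumentation` can be queried before `Services` is initialised or after it is destroyed (not visible here), this throws a NullPointerException instead of returning a map. A guard before the lookup would make the failure mode explicit, e.g. `Services services = Services.get();` followed by `if (services == null) { return Collections.<String, String>emptyMap(); }` (with the matching `java.util.Collections` import). The method body continues outside the hunk.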
@@ -17,9 +17,11 @@ */ package org.apache.oozie.service; +import org.apache.hadoop.conf.Configuration; import org.apache.oozie.test.XTestCase; import org.apache.oozie.util.IOUtils; +import java.io.DataOutputStream; import java.io.File; import java.io.FileOutputStream; @@ -98,4 +100,19 @@ public class TestConfigurationService extends XTestCase { cl.destroy(); } + + public void testMaskProperties() throws Exception { + prepareOozieConfDir("oozie-site-mask.xml"); + ConfigurationService cl = new ConfigurationService(); + cl.init(null); + Configuration conf = cl.getConf(); + assertEquals("my-secret", conf.get("oozie.authentication.signature.secret")); + assertEquals("my-password", conf.get("oozie.service.JPAService.jdbc.password")); + assertEquals("true", conf.get("oozie.is.awesome")); + conf = cl.getMaskedConfiguration(); + assertEquals("**MASKED**", conf.get("oozie.authentication.signature.secret")); + assertEquals("**MASKED**", conf.get("oozie.service.JPAService.jdbc.password")); + assertEquals("true", conf.get("oozie.is.awesome")); + cl.destroy(); + } } http://git-wip-us.apache.org/repos/asf/oozie/blob/29256635/core/src/test/resources/oozie-site-mask.xml ---------------------------------------------------------------------- diff --git a/core/src/test/resources/oozie-site-mask.xml b/core/src/test/resources/oozie-site-mask.xml new file mode 100644 index 0000000..e88836e --- /dev/null +++ b/core/src/test/resources/oozie-site-mask.xml 
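Review bot: `testMaskProperties` (hunk at -98) checks only `getMaskedConfiguration()`; the configuration dump and the `get`/`set` log lines changed by this commit are not exercised, and no assertion covers a `.password`-suffixed key that is absent from `MASK_PROPS`. Adding one more property to `oozie-site-mask.xml` (constructed example name: `example.service.password`) would pin down whether such keys are meant to stay hidden. The line I would add is `assertEquals("**MASKED**", conf.get("example.service.password"));`, with the expected value adjusted to whatever behaviour is intended.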
@@ -0,0 +1,36 @@ +<?xml version="1.0"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<configuration> + + <property> + <name>oozie.authentication.signature.secret</name> + <value>my-secret</value> + </property> + + <property> + <name>oozie.service.JPAService.jdbc.password</name> + <value>my-password</value> + </property> + + <property> + <name>oozie.is.awesome</name> + <value>true</value> + </property> + +</configuration> http://git-wip-us.apache.org/repos/asf/oozie/blob/29256635/release-log.txt ---------------------------------------------------------------------- diff --git a/release-log.txt b/release-log.txt index a14c3c8..7f4613f 100644 --- a/release-log.txt +++ b/release-log.txt @@ -1,5 +1,6 @@ -- Oozie 4.1.0 release (trunk - unreleased) +OOZIE-1641 Oozie should mask the signature secret in the configuration output (rkanter) OOZIE-1655 Change oozie.service.JPAService.validate.db.connection to true (rkanter) OOZIE-1643 Oozie doesn't parse Hadoop Job Id from the Hive action (rkanter) OOZIE-1632 Coordinators that undergo change endtime but are doneMaterialization, not getting picked for StatusTransit (mona)
