slfan1989 commented on code in PR #4908:
URL: https://github.com/apache/hadoop/pull/4908#discussion_r974841557
##########
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java:
##########
@@ -214,6 +215,12 @@ public final class HttpServer2 implements FilterContainer {
private StatisticsHandler statsHandler;
private HttpServer2Metrics metrics;
+ private static final String MASK = "******";
+ public static final String FEDERATION_STATESTORE_SQL_USERNAME =
+ "yarn.federation.state-store.sql.username";
+ public static final String FEDERATION_STATESTORE_SQL_PASSWROD =
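Review bot: `FEDERATION_STATESTORE_SQL_PASSWROD` is misspelled, and because the constant is `public static final` the typo becomes part of the public surface once merged; rename it to `FEDERATION_STATESTORE_SQL_PASSWORD`. Separately, declaring YARN federation key names and a private `MASK` inside `HttpServer2` (a hadoop-common class) hard-codes a per-key list in the generic HTTP server, so every further sensitive key would need another constant here; masking driven by a pattern-based sensitive-key list would avoid that.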
Review Comment:
Your suggestion is very good. I read the code and found that
`ConfigRedactor` provides the ability to mask key configurations.
When `ConfigRedactor` is initialized, it reads some sensitive
configuration keywords. When encountering these keywords, it returns the value
in masked form. But `ConfigRedactor` currently only supports JSON configuration;
I will add a new method to support XML configuration.
```
// ConfigRedactor constructor: reads the comma-separated list of
// sensitive-key regexes from the configuration and compiles each one once.
public ConfigRedactor(Configuration conf) {
  String sensitiveRegexList = conf.get(
      HADOOP_SECURITY_SENSITIVE_CONFIG_KEYS,
      HADOOP_SECURITY_SENSITIVE_CONFIG_KEYS_DEFAULT);
  List<String> sensitiveRegexes =
      Arrays.asList(StringUtils.getTrimmedStrings(sensitiveRegexList));
  compiledPatterns = new ArrayList<Pattern>();
  for (String regex : sensitiveRegexes) {
    Pattern p = Pattern.compile(regex);
    compiledPatterns.add(p);
  }
}

// Default list of regexes used when the sensitive-keys property is not set.
public static final String HADOOP_SECURITY_SENSITIVE_CONFIG_KEYS_DEFAULT =
    String.join(",",
        "secret$",
        "password$",
        "username$",
        "ssl.keystore.pass$",
        "fs.s3.*[Ss]ecret.?[Kk]ey",
        "fs.s3a.*.server-side-encryption.key",
        "fs.s3a.encryption.algorithm",
        "fs.s3a.encryption.key",
        "fs.azure\\.account.key.*",
        "credential$",
        "oauth.*secret",
        "oauth.*password",
        "oauth.*token",
        HADOOP_SECURITY_SENSITIVE_CONFIG_KEYS);
```
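How pattern-based key redaction of the kind described in this comment behaves on a few property names, as an added stand-alone example (not code from the PR or from Hadoop). The class name `RedactionDemo`, every sample key except `yarn.federation.state-store.sql.username`, all sample values, and the use of `find()` for matching are assumptions; `MASK` reuses the string from the hunk.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/** Stand-alone sketch of regex-based key redaction; not Hadoop's ConfigRedactor. */
public class RedactionDemo {
  private static final String MASK = "******"; // mask string from the PR hunk

  // Subset of the default patterns quoted in the comment above.
  private static final String[] SENSITIVE_KEY_PATTERNS = {
      "secret$", "password$", "username$", "credential$", "oauth.*token"
  };

  private final List<Pattern> compiled = new ArrayList<>();

  public RedactionDemo(String... regexes) {
    for (String regex : regexes) {
      compiled.add(Pattern.compile(regex));
    }
  }

  /** Assumption: a key is sensitive if any pattern is found anywhere in it. */
  public boolean isSensitive(String key) {
    for (Pattern p : compiled) {
      if (p.matcher(key).find()) {
        return true;
      }
    }
    return false;
  }

  /** Returns the mask for sensitive keys and the original value otherwise. */
  public String redact(String key, String value) {
    return isSensitive(key) ? MASK : value;
  }

  public static void main(String[] args) {
    // Constructed sample configuration; keys 2-4 and all values are placeholders.
    Map<String, String> conf = new LinkedHashMap<>();
    conf.put("yarn.federation.state-store.sql.username", "example-user");
    conf.put("example.store.sql.password", "example-pass");
    conf.put("example.password.min-length", "12"); // "password$" is end-anchored
    conf.put("example.store.sql.url", "jdbc:example://db?password=placeholder");
    RedactionDemo redactor = new RedactionDemo(SENSITIVE_KEY_PATTERNS);
    conf.forEach((k, v) -> System.out.println(k + " = " + redactor.redact(k, v)));
  }
}
```

Matching is on the property name only, so a secret embedded in the value of a key that matches no pattern, as in the constructed URL entry, is passed through unmasked.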