Richard Zang created AMBARI-12227:
-------------------------------------
Summary: Kerberos Wizard: temporarily stores admin principal / password in browser's local storage
Key: AMBARI-12227
URL: https://issues.apache.org/jira/browse/AMBARI-12227
Project: Ambari
Issue Type: Bug
Components: ambari-web
Affects Versions: 2.0.0
Reporter: Richard Zang
Assignee: Richard Zang
Priority: Critical
Fix For: 2.1.1
Kerberos admin credentials are stored in the browser's local storage in plain
text during the Enable Kerberos Wizard. This is blown away when the user exits the
wizard or on log out.
However, there is a chance for an attacker without proper Ambari credentials
to look at the Kerberos credentials. For example, the admin can launch the Enable
Kerberos Wizard, enter Kerberos admin credentials on the 2nd page, and go
forward. At this point, the Kerberos admin credentials are stored in the browser's
local storage. If the user walks away from his desk, another user can look in
the browser developer tools to find the Kerberos admin principal and password.
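The weak pattern the report describes beside a hardened one, as an added example that is not Ambari's code; the in-memory storage stand-in (used so the block runs under Node), the wizard field names and the sample values are constructed assumptions:

```javascript
// Minimal stand-in for window.localStorage so the block runs outside a browser
// (constructed; in a page you would pass window.localStorage instead).
class MemoryStorage {
  constructor() { this.map = new Map(); }
  setItem(k, v) { this.map.set(k, String(v)); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  removeItem(k) { this.map.delete(k); }
  get length() { return this.map.size; }
  key(i) { return [...this.map.keys()][i] ?? null; }
}

// Constructed wizard state; the field names are assumptions, not Ambari's.
const wizardState = {
  currentStep: 2,
  realm: 'EXAMPLE.COM',
  kdcHost: 'kdc.example.com',
  adminPrincipal: 'admin/admin@EXAMPLE.COM',
  adminPassword: 'hunter2',
};

// Weak pattern: the whole wizard state, secrets included, is written to
// localStorage, where it outlives the page and is readable by anyone at the keyboard.
function persistWizardStateWeak(storage, state) {
  storage.setItem('kerberosWizard', JSON.stringify(state));
}

// Hardened pattern: persist only non-secret progress; the admin principal and
// password stay in memory for the lifetime of the wizard object only.
const SECRET_FIELDS = ['adminPrincipal', 'adminPassword'];
function persistWizardStateHardened(storage, state) {
  const safe = Object.fromEntries(
    Object.entries(state).filter(([k]) => !SECRET_FIELDS.includes(k)));
  storage.setItem('kerberosWizard', JSON.stringify(safe));
}

// Regression check for a test suite or pre-release audit: returns the storage
// keys whose stored value contains any of the known secret values.
function findLeakedSecrets(storage, secretValues) {
  const hits = new Set();
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    const v = storage.getItem(k) ?? '';
    for (const s of secretValues) if (v.includes(s)) hits.add(k);
  }
  return [...hits];
}
```

Run the check against the real `window.localStorage` in a wizard integration test to catch the class of bug this report describes before it ships.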
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)