[
https://issues.apache.org/jira/browse/AMBARI-12227?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Richard Zang updated AMBARI-12227:
----------------------------------
Attachment: AMBARI-12227.patch
> Kerberos Wizard: temporarily stores admin principal / password in browser's
> local storage
> -----------------------------------------------------------------------------------------
>
> Key: AMBARI-12227
> URL: https://issues.apache.org/jira/browse/AMBARI-12227
> Project: Ambari
> Issue Type: Bug
> Components: ambari-web
> Affects Versions: 2.0.0
> Reporter: Richard Zang
> Assignee: Richard Zang
> Priority: Critical
> Fix For: 2.1.1
>
> Attachments: AMBARI-12227.patch
>
>
> Kerberos admin credentials are stored in the browser's local storage in plain
> text during Enable Kerberos Wizard. This is blown away when the user exits
> the wizard or on log out.
> However, if there is a chance for an attacker without proper Ambari
> credentials to look at the Kerberos credentials. For example, the admin can
> launch Enable Kerberos Wizard and enters Kerberos admin credentials on the
> 2nd page, and goes forward. At this point, Kerberos admin crendentials are
> stored in browser's local storage. If the user walks away from his desk, the
> other user can look in the browser developer tools to find the Kerberos admin
> principal and password.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
