[jira] [Commented] (KNOX-2147) Keep username and password out of KnoxShellTableCallHistory

Thu, 19 Dec 2019 00:25:56 -0800 


    [ 
https://issues.apache.org/jira/browse/KNOX-2147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16999841#comment-16999841
 ] 

ASF subversion and git services commented on KNOX-2147:
-------------------------------------------------------

Commit eac277811863f7b41b6d9c8a312f299c3862fca8 in knox's branch 
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=eac2778 ]

KNOX-2147 - Mask username/password in case we display call history and keep 
them safely (by setting proper file permissions) in JSON file (#217)



> Keep username and password out of KnoxShellTableCallHistory 
> ------------------------------------------------------------
>
>                 Key: KNOX-2147
>                 URL: https://issues.apache.org/jira/browse/KNOX-2147
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: KnoxShell
>            Reporter: Larry McCay
>            Assignee: Sandor Molnar
>            Priority: Major
>             Fix For: 1.4.0
>
>          Time Spent: 1h 20m
>  Remaining Estimate: 0h
>
> In working on KNOX-2132, I couldn't actually get the call history to work and 
> was therefore unable to make sure that the username and password params don't 
> end up in the persisted history or at least not rendered in the listing.
> Either call history no longer works or I just don't know how to enable it. 
> Tests don't seem to cover the actual AOP based capture but record hardcoded 
> calls rather than actual table interactions. I also notice that the 
> aspectjrt.jar isn't being placed in the lib dir for knoxshell which seems 
> broken.
> So, first thing to do is ensure that call history is actually working and fix 
> it if not. Then determine what to do about the username and password and 
> persistence of call histories as the means for reconstituting a dataset. Do 
> we build in a required login which would mean that the dataset rehydration 
> would require a user interaction for login? Do we encrypt the credentials - 
> if so, using what as a key and how to manage it? Do we just rely on file 
> permissions?
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to