[ 
https://issues.apache.org/jira/browse/OOZIE-1814?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andras Piros updated OOZIE-1814:
--------------------------------
    Attachment: OOZIE-1814.003.patch

Some confusing regexes have been given names.

> Oozie should mask any passwords in logs and REST interfaces
> -----------------------------------------------------------
>
>                 Key: OOZIE-1814
>                 URL: https://issues.apache.org/jira/browse/OOZIE-1814
>             Project: Oozie
>          Issue Type: Bug
>    Affects Versions: trunk
>            Reporter: Bowen Zhang
>            Assignee: Andras Piros
>              Labels: newbie
>             Fix For: 4.3.0
>
>         Attachments: OOZIE-1814.002.patch, OOZIE-1814.003.patch, 
> oozie-1814.patch
>
>
> Following passwords are currently visible in the instrumentation log, REST 
> endpoints, WebUI, and CLI (WebUI and CLI simply call the REST endpoints):
> * {{javax.net.ssl.trustStorePassword}}
> * {{oozie.https.keystore.pass}}
> * {{HADOOP_CREDSTORE_PASSWORD}}
> * {{OOZIE_HTTPS_KEYSTORE_PASSWORD}}
> * {{OOZIE_HTTPS_TRUSTSTORE_PASSWORD}}
> There are a few examples that illustrate password leakage.
> {noformat}
> # grep -i pass /var/log/oozie/oozie-instrumentation.log
>     OOZIE_HTTPS_TRUSTSTORE_PASSWORD = password
>     javax.net.ssl.trustStorePassword = password
>     oozie.https.keystore.pass = password
>     HADOOP_CREDSTORE_PASSWORD = password
>     OOZIE_HTTPS_KEYSTORE_PASSWORD = password
>     CATALINA_OPTS = -Xms603979776 -Xmx603979776 
> -XX:+HeapDumpOnOutOfMemoryError 
> -XX:HeapDumpPath=/tmp/OOZIE-1_OOZIE-1-OOZIE_SERVER-2e75cc1293d9058eef7250a18f347c43_pid30867.hprof
>  -XX:OnOutOfMemoryError=/usr/lib64/cmf/service/common/killparent.sh 
> -Doozie.home.dir=/usr/lib/oozie 
> -Doozie.config.dir=/var/run/cloudera-scm-agent/process/320-oozie-OOZIE_SERVER 
> -Doozie.log.dir=/var/log/oozie 
> -Doozie.log.file=oozie-cmf-OOZIE-1-OOZIE_SERVER-nightly-1.gce.cloudera.com.log.out
>  -Doozie.config.file=oozie-site.xml -Doozie.log4j.file=log4j.properties 
> -Doozie.log4j.reload=10 -Doozie.http.hostname=nightly-1.gce.cloudera.com 
> -Doozie.http.port=11000 -Djava.net.preferIPv4Stack=true 
> -Doozie.admin.port=11001 -Dderby.stream.error.file=/var/log/oozie/derby.log 
> -Doozie.instance.id=nightly-1.gce.cloudera.com 
> -Djava.library.path=/usr/lib/hadoop/lib/native -Doozie.https.port=11443 
> -Djavax.net.ssl.trustStore=/etc/cdep-ssl-conf/CA_STANDARD/truststore.jks 
> -Djavax.net.ssl.trustStorePassword=password
> {noformat}
> Oozie dumps the env vars and Java sys props to the instrumentation log on 
> startup.
> {noformat}
> # curl --negotiate -u foo:bar -k 
> https://nightly-1.gce.cloudera.com:11443/oozie/v2/admin/os-env | python -m 
> json.tool | grep -i pass
> "CATALINA_OPTS": "-Xms603979776 -Xmx603979776 -XX:+HeapDumpOnOutOfMemoryError 
> -XX:HeapDumpPath=/tmp/OOZIE-1_OOZIE-1-OOZIE_SERVER-2e75cc1293d9058eef7250a18f347c43_pid30867.hprof
>  -XX:OnOutOfMemoryError=/usr/lib64/cmf/service/common/killparent.sh 
> -Doozie.home.dir=/usr/lib/oozie 
> -Doozie.config.dir=/var/run/cloudera-scm-agent/process/320-oozie-OOZIE_SERVER 
> -Doozie.log.dir=/var/log/oozie 
> -Doozie.log.file=oozie-cmf-OOZIE-1-OOZIE_SERVER-nightly-1.gce.cloudera.com.log.out
>  -Doozie.config.file=oozie-site.xml -Doozie.log4j.file=log4j.properties 
> -Doozie.log4j.reload=10 -Doozie.http.hostname=nightly-1.gce.cloudera.com 
> -Doozie.http.port=11000 -Djava.net.preferIPv4Stack=true 
> -Doozie.admin.port=11001 -Dderby.stream.error.file=/var/log/oozie/derby.log 
> -Doozie.instance.id=nightly-1.gce.cloudera.com 
> -Djava.library.path=/usr/lib/hadoop/lib/native -Doozie.https.port=11443 
> -Djavax.net.ssl.trustStore=/etc/cdep-ssl-conf/CA_STANDARD/truststore.jks 
> -Djavax.net.ssl.trustStorePassword=password ",
>     "HADOOP_CREDSTORE_PASSWORD": "password",
>     "OOZIE_HTTPS_KEYSTORE_PASSWORD": "password",
>     "OOZIE_HTTPS_TRUSTSTORE_PASSWORD": "password",
> {noformat}
> {noformat}
> # curl --negotiate -u foo:bar -k 
> https://nightly-1.gce.cloudera.com:11443/oozie/v2/admin/java-sys-properties | 
> python -m json.tool | grep -i pass
>     "javax.net.ssl.trustStorePassword": "password",
>     "oozie.https.keystore.pass": "password",
> {noformat}
> The REST API has two endpoints, {{admin/os-env}} and 
> {{admin/java-sys-properties}}, which are also available in the Web UI and 
> CLI.  These expose the env vars and Java sys props too.
> We should mask these like we do for the configuration endpoint.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to