[ https://issues.apache.org/jira/browse/OOZIE-1814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15528763#comment-15528763 ]

Andras Piros edited comment on OOZIE-1814 at 9/28/16 7:54 AM:
--------------------------------------------------------------

Thanks :) My thoughts on those few thingies:
# OK, putting to whitelist all the {{.json}} files
# This subclass {{MetricsLoggerService}} is really in the same package. 
Existing test classes are also in the same package. Right now I don't feel the 
need of inheriting classes not in the same package. If there will be one, or 
the only existing child will be moved to another package, we can relax the 
[*visibility 
constraint*|http://stackoverflow.com/questions/215497/in-java-difference-between-default-public-protected-and-private]
 once again
# For the sake of testability it's best [*not to have static 
methods*|http://misko.hevery.com/2008/07/30/top-10-things-which-make-your-code-hard-to-test].
 At the moment {{PasswordMasker.mask()}} is a leaf method (no collaborators of 
other classes are called) so if you really want I can make it {{static}}. But 
later when this class won't be leaf anymore the one performing extension will 
be responsible to make it non-{{static}} again... Best not to have it in the 
first place. For the JVM creating many small short-lived {{Object}} instances 
and getting rid of them I also wouldn't feel [*any 
headache*|http://programmers.stackexchange.com/questions/149563/should-we-avoid-object-creation-in-java]


was (Author: andras.piros):
Thanks :) My thoughts on that few thingies:
# OK, putting to whitelist all the {{.json}} files
# This subclass {{MetricsLoggerService}} is really in the same package. 
Existing test classes are also in the same package. Right now I don't feel the 
need of having the need for inheriting classes not in the same package. If 
there will be one, or the only existing child will be moved to another package, 
we can relax the visibility constraint once again
# For the sake of testability it's best [*not to have static 
methods*|http://misko.hevery.com/2008/07/30/top-10-things-which-make-your-code-hard-to-test].
 At the moment {{PasswordMasker.mask()}} is a leaf method (no collaborators of 
other classes are called) so if you really want I can make it {{static}}. But 
later when this class won't be leaf anymore the one performing extension will 
be responsible to make it non-{{static}} again... Best not to have it in the 
first place. For the JVM creating many small short-lived {{Object}} instances 
and getting rid of them I also wouldn't feel [*any 
headache*|http://programmers.stackexchange.com/questions/149563/should-we-avoid-object-creation-in-java]

> Oozie should mask any passwords in logs and REST interfaces
> -----------------------------------------------------------
>
>                 Key: OOZIE-1814
>                 URL: https://issues.apache.org/jira/browse/OOZIE-1814
>             Project: Oozie
>          Issue Type: Bug
>    Affects Versions: trunk
>            Reporter: Bowen Zhang
>            Assignee: Andras Piros
>              Labels: newbie
>             Fix For: 4.3.0
>
>         Attachments: OOZIE-1814.002.patch, OOZIE-1814.003.patch, 
> OOZIE-1814.004.patch, OOZIE-1814.005.patch, oozie-1814.patch
>
>
> The following passwords are currently visible in the instrumentation log, REST 
> endpoints, WebUI, and CLI (WebUI and CLI simply call the REST endpoints):
> * {{javax.net.ssl.trustStorePassword}}
> * {{oozie.https.keystore.pass}}
> * {{HADOOP_CREDSTORE_PASSWORD}}
> * {{OOZIE_HTTPS_KEYSTORE_PASSWORD}}
> * {{OOZIE_HTTPS_TRUSTSTORE_PASSWORD}}
> There are a few examples that illustrate password leakage.
> {noformat}
> # grep -i pass /var/log/oozie/oozie-instrumentation.log
>     OOZIE_HTTPS_TRUSTSTORE_PASSWORD = password
>     javax.net.ssl.trustStorePassword = password
>     oozie.https.keystore.pass = password
>     HADOOP_CREDSTORE_PASSWORD = password
>     OOZIE_HTTPS_KEYSTORE_PASSWORD = password
>     CATALINA_OPTS = -Xms603979776 -Xmx603979776 
> -XX:+HeapDumpOnOutOfMemoryError 
> -XX:HeapDumpPath=/tmp/OOZIE-1_OOZIE-1-OOZIE_SERVER-2e75cc1293d9058eef7250a18f347c43_pid30867.hprof
>  -XX:OnOutOfMemoryError=/usr/lib64/cmf/service/common/killparent.sh 
> -Doozie.home.dir=/usr/lib/oozie 
> -Doozie.config.dir=/var/run/cloudera-scm-agent/process/320-oozie-OOZIE_SERVER 
> -Doozie.log.dir=/var/log/oozie 
> -Doozie.log.file=oozie-cmf-OOZIE-1-OOZIE_SERVER-nightly-1.gce.cloudera.com.log.out
>  -Doozie.config.file=oozie-site.xml -Doozie.log4j.file=log4j.properties 
> -Doozie.log4j.reload=10 -Doozie.http.hostname=nightly-1.gce.cloudera.com 
> -Doozie.http.port=11000 -Djava.net.preferIPv4Stack=true 
> -Doozie.admin.port=11001 -Dderby.stream.error.file=/var/log/oozie/derby.log 
> -Doozie.instance.id=nightly-1.gce.cloudera.com 
> -Djava.library.path=/usr/lib/hadoop/lib/native -Doozie.https.port=11443 
> -Djavax.net.ssl.trustStore=/etc/cdep-ssl-conf/CA_STANDARD/truststore.jks 
> -Djavax.net.ssl.trustStorePassword=password
> {noformat}
> Oozie dumps the env vars and Java sys props to the instrumentation log on 
> startup.
> {noformat}
> # curl --negotiate -u foo:bar -k 
> https://nightly-1.gce.cloudera.com:11443/oozie/v2/admin/os-env | python -m 
> json.tool | grep -i pass
> "CATALINA_OPTS": "-Xms603979776 -Xmx603979776 -XX:+HeapDumpOnOutOfMemoryError 
> -XX:HeapDumpPath=/tmp/OOZIE-1_OOZIE-1-OOZIE_SERVER-2e75cc1293d9058eef7250a18f347c43_pid30867.hprof
>  -XX:OnOutOfMemoryError=/usr/lib64/cmf/service/common/killparent.sh 
> -Doozie.home.dir=/usr/lib/oozie 
> -Doozie.config.dir=/var/run/cloudera-scm-agent/process/320-oozie-OOZIE_SERVER 
> -Doozie.log.dir=/var/log/oozie 
> -Doozie.log.file=oozie-cmf-OOZIE-1-OOZIE_SERVER-nightly-1.gce.cloudera.com.log.out
>  -Doozie.config.file=oozie-site.xml -Doozie.log4j.file=log4j.properties 
> -Doozie.log4j.reload=10 -Doozie.http.hostname=nightly-1.gce.cloudera.com 
> -Doozie.http.port=11000 -Djava.net.preferIPv4Stack=true 
> -Doozie.admin.port=11001 -Dderby.stream.error.file=/var/log/oozie/derby.log 
> -Doozie.instance.id=nightly-1.gce.cloudera.com 
> -Djava.library.path=/usr/lib/hadoop/lib/native -Doozie.https.port=11443 
> -Djavax.net.ssl.trustStore=/etc/cdep-ssl-conf/CA_STANDARD/truststore.jks 
> -Djavax.net.ssl.trustStorePassword=password ",
>     "HADOOP_CREDSTORE_PASSWORD": "password",
>     "OOZIE_HTTPS_KEYSTORE_PASSWORD": "password",
>     "OOZIE_HTTPS_TRUSTSTORE_PASSWORD": "password",
> {noformat}
> {noformat}
> # curl --negotiate -u foo:bar -k 
> https://nightly-1.gce.cloudera.com:11443/oozie/v2/admin/java-sys-properties | 
> python -m json.tool | grep -i pass
>     "javax.net.ssl.trustStorePassword": "password",
>     "oozie.https.keystore.pass": "password",
> {noformat}
> The REST API has two endpoints, {{admin/os-env}} and 
> {{admin/java-sys-properties}}, which are also available in the Web UI and 
> CLI.  These expose the env vars and Java sys props too.
> We should mask these like we do for the configuration endpoint.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
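
The masking the issue asks for has two cases: a variable whose own name marks it as a secret, and a secret embedded as a `-D` argument inside another value such as {{CATALINA_OPTS}}. The sketch below is an added example, not the code from the OOZIE-1814 patches or Oozie's {{PasswordMasker}}; the class name {{MaskingSketch}}, the case-insensitive "pass" rule (mirroring the `grep -i pass` in the issue) and the mask string are assumptions, and the sample input is constructed.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;

/** Hypothetical sketch; not Oozie's PasswordMasker. */
public class MaskingSketch {
    private static final String MASK = "*****";
    // A -Dname=value token whose name contains "pass", e.g. inside CATALINA_OPTS.
    // The value is assumed to contain no whitespace.
    private static final Pattern EMBEDDED =
            Pattern.compile("(-D[^\\s=]*pass[^\\s=]*=)(\\S+)", Pattern.CASE_INSENSITIVE);

    /** Instance method, so a test can substitute or extend the masker. */
    public Map<String, String> mask(Map<String, String> unmasked) {
        Map<String, String> masked = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : unmasked.entrySet()) {
            masked.put(e.getKey(), maskValue(e.getKey(), e.getValue()));
        }
        return masked;
    }

    private String maskValue(String key, String value) {
        if (value == null) {
            return null;
        }
        // Case 1: the key itself names a password, so hide the whole value.
        if (key.toLowerCase(Locale.ROOT).contains("pass")) {
            return MASK;
        }
        // Case 2: keep the argument name, hide only the embedded secret.
        return EMBEDDED.matcher(value).replaceAll("$1" + MASK);
    }

    public static void main(String[] args) {
        // Constructed sample shaped like the os-env output in the issue.
        Map<String, String> env = new LinkedHashMap<>();
        env.put("OOZIE_HTTPS_KEYSTORE_PASSWORD", "password");
        env.put("CATALINA_OPTS", "-Doozie.https.port=11443 "
                + "-Djavax.net.ssl.trustStore=/etc/ssl/truststore.jks "
                + "-Djavax.net.ssl.trustStorePassword=password");
        env.put("JAVA_HOME", "/usr/lib/jvm/java");
        new MaskingSketch().mask(env)
                .forEach((k, v) -> System.out.println(k + " = " + v));
    }
}
```

The same map-in, map-out call can sit in front of both the startup dump to the instrumentation log and the {{admin/os-env}} and {{admin/java-sys-properties}} responses, so the two outputs cannot drift apart.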