[
https://issues.apache.org/jira/browse/OOZIE-1814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15534612#comment-15534612
]
Robert Kanter edited comment on OOZIE-1814 at 9/30/16 12:52 AM:
----------------------------------------------------------------
Two last trivial things, and then I think we're ready:
# Let's make {{PasswordMasker.PASSWORD_MASK}} private. In the tests that are
currently using this, instead hardcode the value ({{"*****"}}). We typically
don't use constants in tests; the idea being that if someone were to
accidentally change a constant, that'll cause the test to fail, so it will be
easier to notice.
# There's 11 lines longer than 132 characters. Can you check and fix these?
It's okay if they're in the json test files (just mention that in your next
comment), we'll just ignore test-patch in that case.
was (Author: rkanter):
Two last trivial things, and then I think we're ready:
# Let's make {{PasswordMasker.PASSWORD_MASK}} private. In the tests that are
currently using this, instead use the value ({{"*****"}}). We typically don't
use constants in tests; the idea being that if someone were to accidentally
change a constant, that'll cause the test to fail, so it will be easier to
notice.
# There's 11 lines longer than 132 characters. Can you check and fix these?
It's okay if they're in the json test files (just mention that in your next
comment), we'll just ignore test-patch in that case.
> Oozie should mask any passwords in logs and REST interfaces
> -----------------------------------------------------------
>
> Key: OOZIE-1814
> URL: https://issues.apache.org/jira/browse/OOZIE-1814
> Project: Oozie
> Issue Type: Bug
> Affects Versions: trunk
> Reporter: Bowen Zhang
> Assignee: Andras Piros
> Labels: newbie
> Fix For: 4.3.0
>
> Attachments: OOZIE-1814.002.patch, OOZIE-1814.003.patch,
> OOZIE-1814.004.patch, OOZIE-1814.005.patch, OOZIE-1814.006.patch,
> oozie-1814.patch
>
>
> Following passwords are currently visible in the instrumentation log, REST
> endpoints, WebUI, and CLI (WebUI and CLI simply call the REST endpoints):
> * {{javax.net.ssl.trustStorePassword}}
> * {{oozie.https.keystore.pass}}
> * {{HADOOP_CREDSTORE_PASSWORD}}
> * {{OOZIE_HTTPS_KEYSTORE_PASSWORD}}
> * {{OOZIE_HTTPS_TRUSTSTORE_PASSWORD}}
> There are a few examples that illustrate password leakage.
> {noformat}
> # grep -i pass /var/log/oozie/oozie-instrumentation.log
> OOZIE_HTTPS_TRUSTSTORE_PASSWORD = password
> javax.net.ssl.trustStorePassword = password
> oozie.https.keystore.pass = password
> HADOOP_CREDSTORE_PASSWORD = password
> OOZIE_HTTPS_KEYSTORE_PASSWORD = password
> CATALINA_OPTS = -Xms603979776 -Xmx603979776
> -XX:+HeapDumpOnOutOfMemoryError
> -XX:HeapDumpPath=/tmp/OOZIE-1_OOZIE-1-OOZIE_SERVER-2e75cc1293d9058eef7250a18f347c43_pid30867.hprof
> -XX:OnOutOfMemoryError=/usr/lib64/cmf/service/common/killparent.sh
> -Doozie.home.dir=/usr/lib/oozie
> -Doozie.config.dir=/var/run/cloudera-scm-agent/process/320-oozie-OOZIE_SERVER
> -Doozie.log.dir=/var/log/oozie
> -Doozie.log.file=oozie-cmf-OOZIE-1-OOZIE_SERVER-nightly-1.gce.cloudera.com.log.out
> -Doozie.config.file=oozie-site.xml -Doozie.log4j.file=log4j.properties
> -Doozie.log4j.reload=10 -Doozie.http.hostname=nightly-1.gce.cloudera.com
> -Doozie.http.port=11000 -Djava.net.preferIPv4Stack=true
> -Doozie.admin.port=11001 -Dderby.stream.error.file=/var/log/oozie/derby.log
> -Doozie.instance.id=nightly-1.gce.cloudera.com
> -Djava.library.path=/usr/lib/hadoop/lib/native -Doozie.https.port=11443
> -Djavax.net.ssl.trustStore=/etc/cdep-ssl-conf/CA_STANDARD/truststore.jks
> -Djavax.net.ssl.trustStorePassword=password
> {noformat}
> Oozie dumps the env vars and Java sys props to the instrumentation log on
> startup.
> {noformat}
> # curl --negotiate -u foo:bar -k
> https://nightly-1.gce.cloudera.com:11443/oozie/v2/admin/os-env | python -m
> json.tool | grep -i pass
> "CATALINA_OPTS": "-Xms603979776 -Xmx603979776 -XX:+HeapDumpOnOutOfMemoryError
> -XX:HeapDumpPath=/tmp/OOZIE-1_OOZIE-1-OOZIE_SERVER-2e75cc1293d9058eef7250a18f347c43_pid30867.hprof
> -XX:OnOutOfMemoryError=/usr/lib64/cmf/service/common/killparent.sh
> -Doozie.home.dir=/usr/lib/oozie
> -Doozie.config.dir=/var/run/cloudera-scm-agent/process/320-oozie-OOZIE_SERVER
> -Doozie.log.dir=/var/log/oozie
> -Doozie.log.file=oozie-cmf-OOZIE-1-OOZIE_SERVER-nightly-1.gce.cloudera.com.log.out
> -Doozie.config.file=oozie-site.xml -Doozie.log4j.file=log4j.properties
> -Doozie.log4j.reload=10 -Doozie.http.hostname=nightly-1.gce.cloudera.com
> -Doozie.http.port=11000 -Djava.net.preferIPv4Stack=true
> -Doozie.admin.port=11001 -Dderby.stream.error.file=/var/log/oozie/derby.log
> -Doozie.instance.id=nightly-1.gce.cloudera.com
> -Djava.library.path=/usr/lib/hadoop/lib/native -Doozie.https.port=11443
> -Djavax.net.ssl.trustStore=/etc/cdep-ssl-conf/CA_STANDARD/truststore.jks
> -Djavax.net.ssl.trustStorePassword=password ",
> "HADOOP_CREDSTORE_PASSWORD": "password",
> "OOZIE_HTTPS_KEYSTORE_PASSWORD": "password",
> "OOZIE_HTTPS_TRUSTSTORE_PASSWORD": "password",
> {noformat}
> {noformat}
> # curl --negotiate -u foo:bar -k
> https://nightly-1.gce.cloudera.com:11443/oozie/v2/admin/java-sys-properties |
> python -m json.tool | grep -i pass
> "javax.net.ssl.trustStorePassword": "password",
> "oozie.https.keystore.pass": "password",
> {noformat}
> The REST API has two endpoints, {{admin/os-env}} and
> {{admin/java-sys-properties}}, which are also available in the Web UI and
> CLI. These expose the env vars and Java sys props too.
> We should mask these like we do for the configuration endpoint.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
