[jira] [Commented] (OOZIE-2803) Mask passwords when printing out configs/args in MapReduceMain and SparkMain

Tue, 21 Feb 2017 22:20:08 -0800 

    [ 
https://issues.apache.org/jira/browse/OOZIE-2803?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15877556#comment-15877556
 ] 

Abhishek Bafna commented on OOZIE-2803:
---------------------------------------

Few points: 
There are some unused imports in the {{MapReduceMain}}.
Fix the java doc for {{PasswordMasker:maskPasswordsIfNecessary}} and 
{{PasswordMasker:mask}}.
All the field members of {{PasswordMasker}} are declared final and class in 
itself does not have any state. it can be converted into Utility Class.

> Mask passwords when printing out configs/args in MapReduceMain and SparkMain
> ----------------------------------------------------------------------------
>
>                 Key: OOZIE-2803
>                 URL: https://issues.apache.org/jira/browse/OOZIE-2803
>             Project: Oozie
>          Issue Type: Bug
>          Components: action
>            Reporter: Peter Bacsko
>            Assignee: Peter Bacsko
>            Priority: Critical
>         Attachments: OOZIE-2803-001.patch, OOZIE-2803-002.patch, 
> OOZIE-2803-003.patch
>
>
> Sometimes passwords are displayed in both MapReduce and Spark action.
> *MapReduce*: when using {{HADOOP_CREDSTORE_PASSWORD}}, it must be passed to 
> some Hadoop-specific config values, like {{mapred.child.env}}. This is easy 
> to fix because we already have a method {{logMasking()}} where you can define 
> a {{maskSet}} which contains a list of property keys to be masked.
> Note that this is not necessarily the perfect solution, since you can pass 
> multiple env. vars separated by a colon, and only the password specific parts 
> should be masked. But we need a working solution relatively quickly - later 
> we can enhance this, eg. we can re-use {{PasswordMasker}} in some way (right 
> now it only works with {{Map<String, String>}}).
> *Spark*:  for Spark, we have to pass passwords like this:
> {{--conf spark.executorEnv.HADOOP_CREDSTORE_PASSWORD=<custom keystore 
> password>}}
> The Spark arguments are printed in {{SparkMain.run()}}. There is already a 
> code in {{LauncherMapper.printArgs()}} which deals with situations like this, 
> but it's not perfect because it only works if the args look something like 
> {{--password pwd123}}. So if a single arg contains a password, it doesn't 
> work, therefore we need a different approach here.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to