Supreeth Sharma created ZEPPELIN-3323:
-----------------------------------------

             Summary: SSL Passwords are stored in plaintext and world readable in zeppelin-site.xml
                 Key: ZEPPELIN-3323
                 URL: https://issues.apache.org/jira/browse/ZEPPELIN-3323
             Project: Zeppelin
          Issue Type: Bug
          Components: zeppelin-server
    Affects Versions: 0.7.3
            Reporter: Supreeth Sharma


'zeppelin.ssl.key.manager.password', 'zeppelin.ssl.keystore.password', 
'zeppelin.ssl.truststore.password' are stored as plaintext in zeppelin-site.xml 
and by default everybody has read permission on this file.

{code}
[root@ctr-e138-1518143905142-88013-01-000003 ~]# ls -ltr /etc/zeppelin/conf/zeppelin-site.xml
-rw-r--r-- 1 zeppelin zeppelin 4090 Mar 11 16:30 /etc/zeppelin/conf/zeppelin-site.xml
{code}

Either we should encrypt these passwords or at least have appropriate file 
permissions to restrict everyone from reading the password.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
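
A check for the condition this report describes, added here as an example; it is not part of the original message or of Zeppelin's code. It assumes zeppelin-site.xml uses the configuration/property/name/value layout, and the function names (audit_site_xml, write_sample) and the sample file it builds are constructed for illustration.

```python
import os
import stat
import sys
import tempfile
import xml.etree.ElementTree as ET

# The three properties named in the report.
SECRET_PROPS = (
    "zeppelin.ssl.key.manager.password",
    "zeppelin.ssl.keystore.password",
    "zeppelin.ssl.truststore.password",
)

def audit_site_xml(path):
    """Return (octal mode, who besides the owner can read, password props set)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    exposed = []
    if mode & stat.S_IRGRP:
        exposed.append("group")
    if mode & stat.S_IROTH:
        exposed.append("other")
    populated = []
    for prop in ET.parse(path).getroot().iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        if name in SECRET_PROPS and value:
            populated.append(name)  # report the name only, never the value
    return format(mode, "04o"), exposed, sorted(populated)

def write_sample(path, mode):
    """Constructed sample config; the values are placeholders, not real secrets."""
    props = "".join(
        f"<property><name>{n}</name><value>PLACEHOLDER</value></property>"
        for n in SECRET_PROPS[:2]
    )
    with open(path, "w") as fh:
        fh.write(f"<configuration>{props}</configuration>")
    os.chmod(path, mode)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
    else:
        target = os.path.join(tempfile.mkdtemp(), "zeppelin-site.xml")
        write_sample(target, 0o644)  # same mode as in the report's listing
    mode, exposed, populated = audit_site_xml(target)
    print(f"{target}: mode {mode}, readable by {exposed or 'owner only'}")
    print("plaintext password properties set:", populated or "none")
    sys.exit(1 if exposed and populated else 0)
```

Run it with the path to a real zeppelin-site.xml as the only argument; it exits non-zero when the file is readable beyond its owner and at least one of the three password properties has a value.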
