[ https://issues.apache.org/jira/browse/HDFS-16563?focusedWorklogId=763853&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-763853 ]
ASF GitHub Bot logged work on HDFS-16563:
-----------------------------------------
Author: ASF GitHub Bot
Created on: 28/Apr/22 19:52
Start Date: 28/Apr/22 19:52
Worklog Time Spent: 10m
Work Description: prasad-acit commented on PR #4241:
URL: https://github.com/apache/hadoop/pull/4241#issuecomment-1112597494
Thanks @hemanthboyina @Hexiaoqiao @steveloughran for the quick review &
feedback.

> the key and sensitive information is DelegationKey/Password for
> DelegationToken, the output message here does not include this information
> right?

Yes, there is no password printed in it. But as per our internal security
guidelines displaying the complete Token info is also prohibited. So,
suppressed the token from being displayed in the browser.

> if the issue is that toString leaks a secret, it should be fixed at that
> level, as it is likely to end up in logs. we don't want any output to expose
> secrets.

Logging exception or full stack has no issue in this case. We are trying to
avoid the token in the browser and keep the message abstract to the end-user.
Here additional information is not necessary which can be avoided in the
browser.

Failed tests corrected, please review the changes.

Issue Time Tracking
-------------------
Worklog Id: (was: 763853)
Time Spent: 1h 10m (was: 1h)
> Namenode WebUI prints sensitive information on Token Expiry
> -----------------------------------------------------------
>
> Key: HDFS-16563
> URL: https://issues.apache.org/jira/browse/HDFS-16563
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: namanode, security, webhdfs
> Reporter: Renukaprasad C
> Assignee: Renukaprasad C
> Priority: Major
> Labels: pull-request-available
> Attachments: image-2022-04-27-23-01-16-033.png,
> image-2022-04-27-23-28-40-568.png
>
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> Login to Namenode WebUI.
> Wait for token to expire. (Or modify the Token refresh time
> dfs.namenode.delegation.token.renew/update-interval to lower value)
> Refresh the WebUI after the Token expiry.
> Full token information gets printed in WebUI.
>
> !image-2022-04-27-23-01-16-033.png!
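
The approach described in the comment above (full exception detail in the server log, an abstract message in the browser), shown as an added Java example. It is not code from PR #4241 or from Hadoop; `TokenErrorResponse`, `InvalidTokenException`, the reference id and the sample token string are assumptions made for illustration.

```java
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

/** Added illustration, not Hadoop code. All names here are hypothetical. */
public class TokenErrorResponse {
    private static final Logger LOG = Logger.getLogger(TokenErrorResponse.class.getName());

    /** Stand-in for the server's "token invalid/expired" exception type (assumption). */
    static class InvalidTokenException extends Exception {
        InvalidTokenException(String msg) { super(msg); }
    }

    /**
     * Builds the text sent to the browser. Token failures get a fixed,
     * abstract message plus a reference id; the full exception, including
     * whatever the token's toString() put into it, goes only to the server log.
     */
    static String toClientMessage(Exception e) {
        String ref = UUID.randomUUID().toString();
        LOG.log(Level.WARNING, "Request failed, ref=" + ref, e);
        if (e instanceof InvalidTokenException) {
            return "Authentication token is invalid or expired. Please log in again. (ref "
                + ref + ")";
        }
        return "Request failed. (ref " + ref + ")";
    }

    public static void main(String[] args) {
        // Constructed sample; the field layout is made up for this example.
        String detail = "token (kind=EXAMPLE_TOKEN owner=alice, renewer=svc, "
            + "issueDate=1651175520000, sequenceNumber=42, masterKeyId=7) is expired";
        String shown = toClientMessage(new InvalidTokenException(detail));

        System.out.println(shown);
        // The browser-facing text must carry none of the token fields.
        for (String field : new String[] {"owner=", "renewer=", "sequenceNumber=", "masterKeyId="}) {
            if (shown.contains(field)) {
                throw new AssertionError("token field leaked to client: " + field);
            }
        }
    }
}
```

The reference id lets an operator match the abstract browser message to the detailed server-side log entry.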