[ https://issues.apache.org/jira/browse/HDFS-6310?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13986860#comment-13986860 ]

Haohui Mai commented on HDFS-6310:
----------------------------------

bq. The actual keys are excluded. If you think the rest contain sensitive 
information, please clarify.

bq. I don't feel the concern with outputting the secret manager state is valid. 
If the user has access to the fsimage to run oiv, then they obviously can 
extract the state in other ways. The oiv tool is useful in debugging the state 
of the fsimage. Selectively omitting some of the state impedes debugging.

As long as the key is out this should be fine. What I don't want is that an 
attacker can print out the token using oiv and then use the token directly, 
which might give an attacker a handy way to attack the system.

bq. It concerns me that a documented tool (oiv), with external tools built 
around it, is being indiscriminately made incompatible within minor releases.

I guess we might need to clarify what compatibility means in this context. The 
format of the XML has been closely matching the internal layout of the 
fsimage since at least 2.2. The oiv of PB-based fsimage follows this tradition.

> PBImageXmlWriter should output information about Delegation Tokens
> ------------------------------------------------------------------
>
>                 Key: HDFS-6310
>                 URL: https://issues.apache.org/jira/browse/HDFS-6310
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: tools
>    Affects Versions: 2.4.0
>            Reporter: Akira AJISAKA
>            Assignee: Akira AJISAKA
>         Attachments: HDFS-6310.patch
>
>
> Separated from HDFS-6293.
> The 2.4.0 pb-fsimage does contain tokens, but OfflineImageViewer with -XML 
> option does not show any tokens.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
