Sangeeta Ravindran created AMBARI-18129:
-------------------------------------------

             Summary: Mask trust-store password returned in plain-text by API 
call
                 Key: AMBARI-18129
                 URL: https://issues.apache.org/jira/browse/AMBARI-18129
             Project: Ambari
          Issue Type: Bug
          Components: ambari-server
    Affects Versions: trunk
            Reporter: Sangeeta Ravindran
            Assignee: Sangeeta Ravindran


If a truststore has been configured for Ambari Server, the SSL truststore 
password is returned in plain text by the following API call:

https://<hostname>:<portnum>/api/v1/services/AMBARI/components/AMBARI_SERVER

Sample output:

{
  "href" : 
"https://<hostname>:<portnum>/api/v1/services/AMBARI/components/AMBARI_SERVER",
  "RootServiceComponents" : {
    "component_name" : "AMBARI_SERVER",
    "component_version" : "2.4.0.0",
    "server_clock" : 1470943672,
    "service_name" : "AMBARI",
    "properties" : {
      "agent.package.install.task.timeout" : "1800",
      "agent.stack.retry.on_repo_unavailability" : "false",
      "agent.stack.retry.tries" : "5",
      "agent.task.timeout" : "900",
      "agent.threadpool.size.max" : "25",
      "ambari-server.user" : "root",
      "ambari.python.wrap" : "ambari-python-wrap",
      "api.ssl" : "true",
      "bootstrap.dir" : "/var/run/ambari-server/bootstrap",
      "bootstrap.script" : 
"/usr/lib/python2.6/site-packages/ambari_server/bootstrap.py",
      "bootstrap.setup_agent.script" : 
"/usr/lib/python2.6/site-packages/ambari_server/setupAgent.py",
      "check_database_skipped" : "false",
      "client.api.port" : "8081",
      "client.api.ssl.cert_name" : "https.crt",
      "client.api.ssl.key_name" : "https.key",
      "client.api.ssl.port" : "<portnum>",
      "client.threadpool.size.max" : "25",
      "common.services.path" : 
"/var/lib/ambari-server/resources/common-services",
      "custom.action.definitions" : 
"/var/lib/ambari-server/resources/custom_action_definitions",
      "extensions.path" : "/var/lib/ambari-server/resources/extensions",
      "http.strict-transport-security" : "max-age=31536000",
      "http.x-frame-options" : "DENY",
      "http.x-xss-protection" : "1; mode=block",
      "java.home" : "/usr/jdk64/jdk1.8.0_60",
      "java.releases" : "jdk1.8,jdk1.7",
      "java.version" : "1.8",
      "jce.download.supported" : "true",
      "jce.name" : "jce_policy-8.zip",
      "jdk.download.supported" : "true",
      "jdk.name" : "jdk-8u60-linux-x64.tar.gz",
      "jdk1.7.desc" : "Oracle JDK 1.7 + Java Cryptography Extension (JCE) Policy Files 7",
      "jdk1.7.dest-file" : "jdk-7u67-linux-x64.tar.gz",
      "jdk1.7.home" : "/usr/jdk64/",
      "jdk1.7.jcpol-file" : "UnlimitedJCEPolicyJDK7.zip",
      "jdk1.7.jcpol-url" : 
"http://public-repo-1.hortonworks.com/ARTIFACTS/UnlimitedJCEPolicyJDK7.zip",
      "jdk1.7.re" : "(jdk.*)/jre",
      "jdk1.7.url" : 
"http://public-repo-1.hortonworks.com/ARTIFACTS/jdk-7u67-linux-x64.tar.gz",
      "jdk1.8.desc" : "Oracle JDK 1.8 + Java Cryptography Extension (JCE) Policy Files 8",
      "jdk1.8.dest-file" : "jdk-8u60-linux-x64.tar.gz",
      "jdk1.8.home" : "/usr/jdk64/",
      "jdk1.8.jcpol-file" : "jce_policy-8.zip",
      "jdk1.8.jcpol-url" : 
"http://public-repo-1.hortonworks.com/ARTIFACTS/jce_policy-8.zip",
      "jdk1.8.re" : "(jdk.*)/jre",
      "jdk1.8.url" : 
"http://public-repo-1.hortonworks.com/ARTIFACTS/jdk-8u60-linux-x64.tar.gz",
      "jdk_location" : "https://<hostname>:<portnum>/resources/",
      "kerberos.keytab.cache.dir" : "/var/lib/ambari-server/data/cache",
      "metadata.path" : "/var/lib/ambari-server/resources/stacks",
      "mpacks.staging.path" : "/var/lib/ambari-server/resources/mpacks",
      "pid.dir" : "/var/run/ambari-server",
      "recommendations.artifacts.lifetime" : "1w",
      "recommendations.dir" : "/var/run/ambari-server/stack-recommendations",
      "resources.dir" : "/var/lib/ambari-server/resources",
      "rolling.upgrade.skip.packages.prefixes" : "",
      "security.server.disabled.ciphers" : 
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384|TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384|TLS_RSA_WITH_AES_256_CBC_SHA256|TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384|TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384|TLS_DHE_RSA_WITH_AES_256_CBC_SHA256|TLS_DHE_DSS_WITH_AES_256_CBC_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA|TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA|TLS_RSA_WITH_AES_256_CBC_SHA|TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA|TLS_ECDH_RSA_WITH_AES_256_CBC_SHA|TLS_DHE_RSA_WITH_AES_256_CBC_SHA|TLS_DHE_DSS_WITH_AES_256_CBC_SHA|TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256|TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256|TLS_RSA_WITH_AES_128_CBC_SHA256|TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256|TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256|TLS_DHE_RSA_WITH_AES_128_CBC_SHA256|TLS_DHE_DSS_WITH_AES_128_CBC_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA|TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA|TLS_RSA_WITH_AES_128_CBC_SHA|TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA|TLS_ECDH_RSA_WITH_AES_128_CBC_SHA|TLS_DHE_RSA_WITH_AES_128_CBC_SHA|TLS_DHE_DSS_WITH_AES_128_CBC_SHA|TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA|TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA|TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA|TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA|SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA|SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA|TLS_EMPTY_RENEGOTIATION_INFO_SCSV|TLS_DH_anon_WITH_AES_256_CBC_SHA256|TLS_ECDH_anon_WITH_AES_256_CBC_SHA|TLS_DH_anon_WITH_AES_256_CBC_SHA|TLS_DH_anon_WITH_AES_128_CBC_SHA256|TLS_ECDH_anon_WITH_AES_128_CBC_SHA|TLS_DH_anon_WITH_AES_128_CBC_SHA|TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA|SSL_DH_anon_WITH_3DES_EDE_CBC_SHA|SSL_RSA_WITH_DES_CBC_SHA|SSL_DHE_RSA_WITH_DES_CBC_SHA|SSL_DHE_DSS_WITH_DES_CBC_SHA|SSL_DH_anon_WITH_DES_CBC_SHA|SSL_RSA_EXPORT_WITH_DES40_CBC_SHA|SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA|SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA|SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA|TLS_RSA_WITH_NULL_SHA256|TLS_ECDHE_ECDSA_WITH_NULL_SHA|TLS_ECDHE_RSA_WITH_NULL_SHA|SSL_RSA_WITH_NULL_SHA|TLS_ECDH_ECDSA_WITH_NULL_SHA|TLS_ECDH_RSA_WITH_NULL_SHA|TLS_ECDH_anon_WITH_NULL_SHA|SSL_RSA_WITH_NULL_MD5|TLS_KRB5_WIT
H_3DES_EDE_CBC_SHA|TLS_KRB5_WITH_3DES_EDE_CBC_MD5|TLS_KRB5_WITH_DES_CBC_SHA|TLS_KRB5_WITH_DES_CBC_MD5|TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA|TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
      "security.server.keys_dir" : "/var/lib/ambari-server/keys",
      "server.connection.max.idle.millis" : "900000",
      "server.execution.scheduler.isClustered" : "false",
      "server.execution.scheduler.maxDbConnections" : "5",
      "server.execution.scheduler.maxThreads" : "5",
      "server.execution.scheduler.misfire.toleration.minutes" : "480",
      "server.fqdn.service.url" : 
"http://169.254.169.254/latest/meta-data/public-hostname",
      "server.http.session.inactive_timeout" : "1800",
      "server.jdbc.connection-pool" : "internal",
      "server.jdbc.database" : "postgres",
      "server.jdbc.database_name" : "ambari",
      "server.jdbc.postgres.schema" : "ambari",
      "server.jdbc.user.name" : "ambari",
      "server.jdbc.user.passwd" : "/etc/ambari-server/conf/password.dat",
      "server.os_family" : "redhat6",
      "server.os_type" : "redhat6",
      "server.persistence.type" : "local",
      "server.stages.parallel" : "true",
      "server.task.timeout" : "1200",
      "server.tmp.dir" : "/var/lib/ambari-server/data/tmp",
      "server.version.file" : "/var/lib/ambari-server/resources/version",
      "shared.resources.dir" : 
"/usr/lib/ambari-server/lib/ambari_commons/resources",
      "skip.service.checks" : "false",
      "ssl.trustStore.password" : "mypassword",
      "ssl.trustStore.path" : "/root/cacerts.jks",
      "ssl.trustStore.type" : "jks",
      "stackadvisor.script" : 
"/var/lib/ambari-server/resources/scripts/stack_advisor.py",
      "ulimit.open.files" : "10000",
      "user.inactivity.timeout.default" : "0",
      "user.inactivity.timeout.role.readonly.default" : "0",
      "views.ambari.request.connect.timeout.millis" : "30000",
      "views.ambari.request.read.timeout.millis" : "45000",
      "views.http.strict-transport-security" : "max-age=31536000",
      "views.http.x-frame-options" : "SAMEORIGIN",
      "views.http.x-xss-protection" : "1; mode=block",
      "views.request.connect.timeout.millis" : "5000",
      "views.request.read.timeout.millis" : "10000",
      "webapp.dir" : "/usr/lib/ambari-server/web"
    }
  },
  "hostComponents" : [
    {
      "href" : 
"https://<hostname>:<portnum>/api/v1/services/AMBARI/hosts/<hostname>/hostComponents/AMBARI_SERVER",
      "RootServiceHostComponents" : {
        "component_name" : "AMBARI_SERVER",
        "host_name" : "<hostname>",
        "service_name" : "AMBARI"
      }
    }
  ]
}

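The API returns the entire contents of the 
/etc/ambari-server/conf/ambari.properties file, so any secret stored directly 
in that file is disclosed to anyone who can call this endpoint.

The value of ssl.trustStore.password should be masked in the API response.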


