[
https://issues.apache.org/jira/browse/AMBARI-18129?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sangeeta Ravindran resolved AMBARI-18129.
-----------------------------------------
Resolution: Invalid
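Running ambari-server setup-security and choosing option 2 encrypts the
passwords stored in the ambari.properties file, so the file contents that
this API call returns no longer hold them in plain text.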
> Mask trust-store password returned in plain-text by API call
> ------------------------------------------------------------
>
> Key: AMBARI-18129
> URL: https://issues.apache.org/jira/browse/AMBARI-18129
> Project: Ambari
> Issue Type: Bug
> Components: ambari-server
> Affects Versions: trunk
> Reporter: Sangeeta Ravindran
> Assignee: Sangeeta Ravindran
>
> If a truststore has been configured for Ambari Server, the SSL truststore
> password is returned in plain text by the following API call:
> https://<hostname:portnum>/api/v1/services/AMBARI/components/AMBARI_SERVER
> Sample output:
> {
> "href" :
> "https://<hostname>:<portnum>/api/v1/services/AMBARI/components/AMBARI_SERVER",
> "RootServiceComponents" : {
> "component_name" : "AMBARI_SERVER",
> "component_version" : "2.4.0.0",
> "server_clock" : 1470943672,
> "service_name" : "AMBARI",
> "properties" : {
> "agent.package.install.task.timeout" : "1800",
> "agent.stack.retry.on_repo_unavailability" : "false",
> "agent.stack.retry.tries" : "5",
> "agent.task.timeout" : "900",
> "agent.threadpool.size.max" : "25",
> "ambari-server.user" : "root",
> "ambari.python.wrap" : "ambari-python-wrap",
> "api.ssl" : "true",
> "bootstrap.dir" : "/var/run/ambari-server/bootstrap",
> "bootstrap.script" :
> "/usr/lib/python2.6/site-packages/ambari_server/bootstrap.py",
> "bootstrap.setup_agent.script" :
> "/usr/lib/python2.6/site-packages/ambari_server/setupAgent.py",
> "check_database_skipped" : "false",
> "client.api.port" : "8081",
> "client.api.ssl.cert_name" : "https.crt",
> "client.api.ssl.key_name" : "https.key",
> "client.api.ssl.port" : "<portnum>",
> "client.threadpool.size.max" : "25",
> "common.services.path" :
> "/var/lib/ambari-server/resources/common-services",
> "custom.action.definitions" :
> "/var/lib/ambari-server/resources/custom_action_definitions",
> "extensions.path" : "/var/lib/ambari-server/resources/extensions",
> "http.strict-transport-security" : "max-age=31536000",
> "http.x-frame-options" : "DENY",
> "http.x-xss-protection" : "1; mode=block",
> "java.home" : "/usr/jdk64/jdk1.8.0_60",
> "java.releases" : "jdk1.8,jdk1.7",
> "java.version" : "1.8",
> "jce.download.supported" : "true",
> "jce.name" : "jce_policy-8.zip",
> "jdk.download.supported" : "true",
> "jdk.name" : "jdk-8u60-linux-x64.tar.gz",
> "jdk1.7.desc" : "Oracle JDK 1.7 + Java Cryptography Extension (JCE) Policy Files 7",
> "jdk1.7.dest-file" : "jdk-7u67-linux-x64.tar.gz",
> "jdk1.7.home" : "/usr/jdk64/",
> "jdk1.7.jcpol-file" : "UnlimitedJCEPolicyJDK7.zip",
> "jdk1.7.jcpol-url" :
> "http://public-repo-1.hortonworks.com/ARTIFACTS/UnlimitedJCEPolicyJDK7.zip",
> "jdk1.7.re" : "(jdk.*)/jre",
> "jdk1.7.url" :
> "http://public-repo-1.hortonworks.com/ARTIFACTS/jdk-7u67-linux-x64.tar.gz",
> "jdk1.8.desc" : "Oracle JDK 1.8 + Java Cryptography Extension (JCE) Policy Files 8",
> "jdk1.8.dest-file" : "jdk-8u60-linux-x64.tar.gz",
> "jdk1.8.home" : "/usr/jdk64/",
> "jdk1.8.jcpol-file" : "jce_policy-8.zip",
> "jdk1.8.jcpol-url" :
> "http://public-repo-1.hortonworks.com/ARTIFACTS/jce_policy-8.zip",
> "jdk1.8.re" : "(jdk.*)/jre",
> "jdk1.8.url" :
> "http://public-repo-1.hortonworks.com/ARTIFACTS/jdk-8u60-linux-x64.tar.gz",
> "jdk_location" : "https://<hostname>:<portnum>/resources/",
> "kerberos.keytab.cache.dir" : "/var/lib/ambari-server/data/cache",
> "metadata.path" : "/var/lib/ambari-server/resources/stacks",
> "mpacks.staging.path" : "/var/lib/ambari-server/resources/mpacks",
> "pid.dir" : "/var/run/ambari-server",
> "recommendations.artifacts.lifetime" : "1w",
> "recommendations.dir" : "/var/run/ambari-server/stack-recommendations",
> "resources.dir" : "/var/lib/ambari-server/resources",
> "rolling.upgrade.skip.packages.prefixes" : "",
> "security.server.disabled.ciphers" :
> "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384|TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384|TLS_RSA_WITH_AES_256_CBC_SHA256|TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384|TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384|TLS_DHE_RSA_WITH_AES_256_CBC_SHA256|TLS_DHE_DSS_WITH_AES_256_CBC_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA|TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA|TLS_RSA_WITH_AES_256_CBC_SHA|TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA|TLS_ECDH_RSA_WITH_AES_256_CBC_SHA|TLS_DHE_RSA_WITH_AES_256_CBC_SHA|TLS_DHE_DSS_WITH_AES_256_CBC_SHA|TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256|TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256|TLS_RSA_WITH_AES_128_CBC_SHA256|TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256|TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256|TLS_DHE_RSA_WITH_AES_128_CBC_SHA256|TLS_DHE_DSS_WITH_AES_128_CBC_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA|TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA|TLS_RSA_WITH_AES_128_CBC_SHA|TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA|TLS_ECDH_RSA_WITH_AES_128_CBC_SHA|TLS_DHE_RSA_WITH_AES_128_CBC_SHA|TLS_DHE_DSS_WITH_AES_128_CBC_SHA|TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA|TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA|TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA|TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA|SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA|SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA|TLS_EMPTY_RENEGOTIATION_INFO_SCSV|TLS_DH_anon_WITH_AES_256_CBC_SHA256|TLS_ECDH_anon_WITH_AES_256_CBC_SHA|TLS_DH_anon_WITH_AES_256_CBC_SHA|TLS_DH_anon_WITH_AES_128_CBC_SHA256|TLS_ECDH_anon_WITH_AES_128_CBC_SHA|TLS_DH_anon_WITH_AES_128_CBC_SHA|TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA|SSL_DH_anon_WITH_3DES_EDE_CBC_SHA|SSL_RSA_WITH_DES_CBC_SHA|SSL_DHE_RSA_WITH_DES_CBC_SHA|SSL_DHE_DSS_WITH_DES_CBC_SHA|SSL_DH_anon_WITH_DES_CBC_SHA|SSL_RSA_EXPORT_WITH_DES40_CBC_SHA|SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA|SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA|SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA|TLS_RSA_WITH_NULL_SHA256|TLS_ECDHE_ECDSA_WITH_NULL_SHA|TLS_ECDHE_RSA_WITH_NULL_SHA|SSL_RSA_WITH_NULL_SHA|TLS_ECDH_ECDSA_WITH_NULL_SHA|TLS_ECDH_RSA_WITH_NULL_SHA|TLS_ECDH_anon_WITH_NULL_SHA|SSL_RSA_WITH_NULL_MD5|TLS_KRB5_WITH_3DES_EDE_CBC_SHA|TLS_KRB5_WITH_3DES_EDE_CBC_MD5|TLS_KRB5_WITH_DES_CBC_SHA|TLS_KRB5_WITH_DES_CBC_MD5|TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA|TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
> "security.server.keys_dir" : "/var/lib/ambari-server/keys",
> "server.connection.max.idle.millis" : "900000",
> "server.execution.scheduler.isClustered" : "false",
> "server.execution.scheduler.maxDbConnections" : "5",
> "server.execution.scheduler.maxThreads" : "5",
> "server.execution.scheduler.misfire.toleration.minutes" : "480",
> "server.fqdn.service.url" :
> "http://169.254.169.254/latest/meta-data/public-hostname",
> "server.http.session.inactive_timeout" : "1800",
> "server.jdbc.connection-pool" : "internal",
> "server.jdbc.database" : "postgres",
> "server.jdbc.database_name" : "ambari",
> "server.jdbc.postgres.schema" : "ambari",
> "server.jdbc.user.name" : "ambari",
> "server.jdbc.user.passwd" : "/etc/ambari-server/conf/password.dat",
> "server.os_family" : "redhat6",
> "server.os_type" : "redhat6",
> "server.persistence.type" : "local",
> "server.stages.parallel" : "true",
> "server.task.timeout" : "1200",
> "server.tmp.dir" : "/var/lib/ambari-server/data/tmp",
> "server.version.file" : "/var/lib/ambari-server/resources/version",
> "shared.resources.dir" :
> "/usr/lib/ambari-server/lib/ambari_commons/resources",
> "skip.service.checks" : "false",
> "ssl.trustStore.password" : "mypassword",
> "ssl.trustStore.path" : "/root/cacerts.jks",
> "ssl.trustStore.type" : "jks",
> "stackadvisor.script" :
> "/var/lib/ambari-server/resources/scripts/stack_advisor.py",
> "ulimit.open.files" : "10000",
> "user.inactivity.timeout.default" : "0",
> "user.inactivity.timeout.role.readonly.default" : "0",
> "views.ambari.request.connect.timeout.millis" : "30000",
> "views.ambari.request.read.timeout.millis" : "45000",
> "views.http.strict-transport-security" : "max-age=31536000",
> "views.http.x-frame-options" : "SAMEORIGIN",
> "views.http.x-xss-protection" : "1; mode=block",
> "views.request.connect.timeout.millis" : "5000",
> "views.request.read.timeout.millis" : "10000",
> "webapp.dir" : "/usr/lib/ambari-server/web"
> }
> },
> "hostComponents" : [
> {
> "href" :
> "https://<hostname>:<portnum>/api/v1/services/AMBARI/hosts/<hostname>/hostComponents/AMBARI_SERVER",
> "RootServiceHostComponents" : {
> "component_name" : "AMBARI_SERVER",
> "host_name" : "<hostname>",
> "service_name" : "AMBARI"
> }
> }
> ]
> }
> The API returns the entire contents of the
> /etc/ambari-server/conf/ambari.properties file.
> The ssl.trustStore.password should be masked.