[ https://issues.apache.org/jira/browse/AMBARI-26555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
YUBI LEE updated AMBARI-26555:
------------------------------
Description:
There is a mechanism that hides passwords for configurations with the
"PASSWORD" property type.
However, the {{StackInfo#getConfigPropertiesType()}} method only handles
configurations that belong to a specific service, not those defined at the
stack root.
For example, if you add some "PASSWORD"-type configurations to
{{cluster-env.xml}}, they will be exposed through the HTTP API.
was:
There is a mechanism that hides password for configurations with "PASSWORD"
property type.
However, StackInfo#getConfigPropertiesType() method only handles configurations
which belongs to specific service, not configurations on stack root.
For example, if you add some PASSWORD type configurations on cluster-env.xml,
it will be leaked on http api.
> Password leaked for configurations at stack root (e.g. cluster-env.xml)
> -----------------------------------------------------------------------
>
> Key: AMBARI-26555
> URL: https://issues.apache.org/jira/browse/AMBARI-26555
> Project: Ambari
> Issue Type: Bug
> Components: ambari-server
> Affects Versions: 3.0.0, 2.7.9
> Reporter: YUBI LEE
> Assignee: YUBI LEE
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>
> There is a mechanism that hides passwords for configurations with the
> "PASSWORD" property type.
> However, the {{StackInfo#getConfigPropertiesType()}} method only handles
> configurations that belong to a specific service, not those defined at the
> stack root.
> For example, if you add some "PASSWORD"-type configurations to
> {{cluster-env.xml}}, they will be exposed through the HTTP API.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
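
An audit check for the exposure described in this issue, added here as an example; it is not part of the Jira notification or of Ambari's code. It reads the PASSWORD-typed property names from a stack-root `cluster-env.xml` and flags any that a configuration item from the HTTP API returns in clear text. The sample XML, the sample API item, the property name `example_admin_password` and the `SECRET:` mask prefix are assumptions made for the example.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample: a stack-root cluster-env.xml defining one PASSWORD property.
STACK_XML = """<configuration>
  <property>
    <name>smokeuser</name>
    <value>ambari-qa</value>
    <property-type>USER</property-type>
  </property>
  <property>
    <name>example_admin_password</name>
    <value></value>
    <property-type>PASSWORD</property-type>
  </property>
</configuration>"""

# Constructed sample: one configuration item as returned by the HTTP API.
API_ITEM = json.loads("""{
  "type": "cluster-env", "tag": "version1", "version": 1,
  "properties": {"smokeuser": "ambari-qa",
                 "example_admin_password": "constructed-secret-value"}
}""")

MASK_PREFIX = "SECRET:"  # assumption: masked values come back as SECRET:... references


def password_properties(stack_xml):
    """Names of properties whose <property-type> list contains PASSWORD."""
    names = set()
    for prop in ET.fromstring(stack_xml).iter("property"):
        types = (prop.findtext("property-type") or "").split()
        name = (prop.findtext("name") or "").strip()
        if name and "PASSWORD" in types:
            names.add(name)
    return names


def exposed_passwords(stack_xml, api_item):
    """PASSWORD-type properties the API item returns non-empty and unmasked."""
    props = api_item.get("properties", {})
    return sorted(
        name for name in password_properties(stack_xml)
        if props.get(name) and not str(props[name]).startswith(MASK_PREFIX)
    )


if __name__ == "__main__":
    for name in exposed_passwords(STACK_XML, API_ITEM):
        print(f"{API_ITEM['type']}: PASSWORD property '{name}' returned unmasked")
```
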