[ https://issues.apache.org/jira/browse/DRILL-6189?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16382078#comment-16382078 ]

ASF GitHub Bot commented on DRILL-6189:
---------------------------------------

Github user vladimirtkach commented on a diff in the pull request:

    https://github.com/apache/drill/pull/1139#discussion_r171579096
  
    --- Diff: contrib/storage-jdbc/src/main/java/org/apache/drill/exec/store/jdbc/JdbcStorageConfig.java ---
    @@ -17,13 +17,15 @@
      */
     package org.apache.drill.exec.store.jdbc;
     
    +import com.fasterxml.jackson.annotation.JsonFilter;
     import org.apache.drill.common.logical.StoragePluginConfig;
     
     import com.fasterxml.jackson.annotation.JsonCreator;
     import com.fasterxml.jackson.annotation.JsonProperty;
     import com.fasterxml.jackson.annotation.JsonTypeName;
     
     @JsonTypeName(JdbcStorageConfig.NAME)
    +@JsonFilter("passwordFilter")
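Review bot: the filter id `"passwordFilter"` on the new `@JsonFilter` line is a bare string literal that the filter provider has to repeat exactly; put it in a named constant next to `NAME` and reference it from both the annotation and the provider registration. Also, with Jackson, a bean carrying `@JsonFilter` fails to serialize through any ObjectMapper that has no FilterProvider registered for that id, so every path that writes this config without the logging writer needs a provider that knows the id, or a `SimpleFilterProvider` with `setFailOnUnknownId(false)`. Style: the new `import com.fasterxml.jackson.annotation.JsonFilter;` is placed above `org.apache.drill.common.logical.StoragePluginConfig` and apart from the other `com.fasterxml.jackson.annotation` imports; move it into that group.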
    --- End diff --
    
    To apply the filter:
    1) Mark the entity you want to filter out fields from.
    2) Create a filter provider and register a property filter with a reference to your entity.
    3) When creating the ObjectWriter, pass your filter provider.
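
The three steps from the comment above, worked through as an added example in Java; this is not code from the Drill pull request. `ExampleJdbcConfig` is a hypothetical stand-in for JdbcStorageConfig, the sample values are constructed, and Jackson 2.x is assumed on the classpath.

```java
import com.fasterxml.jackson.annotation.JsonFilter;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectWriter;
import com.fasterxml.jackson.databind.ser.impl.SimpleBeanPropertyFilter;
import com.fasterxml.jackson.databind.ser.impl.SimpleFilterProvider;

public class PasswordFilterExample {
  // Step 1: mark the entity whose fields are to be filtered. The filter id is a
  // bare string, so keep it in one constant that step 2 reuses.
  static final String PASSWORD_FILTER = "passwordFilter";
  // Hypothetical stand-in for JdbcStorageConfig, not the Drill class itself.
  @JsonFilter(PASSWORD_FILTER)
  static class ExampleJdbcConfig {
    @JsonProperty public final String driver;
    @JsonProperty public final String url;
    @JsonProperty public final String username;
    @JsonProperty public final String password;
    ExampleJdbcConfig(String driver, String url, String username, String password) {
      this.driver = driver; this.url = url; this.username = username; this.password = password;
    }
  }

  // Step 2: a filter provider that registers, under the same id, a property
  // filter dropping "password" from the serialized output.
  static SimpleFilterProvider passwordFilterProvider() {
    return new SimpleFilterProvider()
        .addFilter(PASSWORD_FILTER, SimpleBeanPropertyFilter.serializeAllExcept("password"));
  }
  // Step 3: build the ObjectWriter used for log output with that provider.
  static String toLogString(ObjectMapper mapper, Object config) throws JsonProcessingException {
    ObjectWriter writer = mapper.writer(passwordFilterProvider());
    return writer.writeValueAsString(config);
  }

  public static void main(String[] args) throws Exception {
    ObjectMapper mapper = new ObjectMapper();
    // Constructed sample values, not real credentials.
    ExampleJdbcConfig cfg = new ExampleJdbcConfig("org.h2.Driver", "jdbc:h2:mem:db", "user1", "1111");
    System.out.println(toLogString(mapper, cfg)); // username is kept, password is dropped
    // Caveat: a mapper with no provider for this id refuses to serialize the bean at all;
    // wherever the full config must still be written, register a provider that knows the id.
    try {
      mapper.writeValueAsString(cfg);
    } catch (JsonProcessingException e) {
      System.out.println("unfiltered write refused: " + e.getOriginalMessage());
    }
  }
}
```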


> Security: passwords logging and file permissions
> ------------------------------------------------
>
>                 Key: DRILL-6189
>                 URL: https://issues.apache.org/jira/browse/DRILL-6189
>             Project: Apache Drill
>          Issue Type: Bug
>    Affects Versions: 1.12.0
>            Reporter: Volodymyr Tkach
>            Assignee: Volodymyr Tkach
>            Priority: Major
>
> *Prerequisites:*
>  *1.* Log level is set to "all" in the conf/logback.xml:
> {code:xml}
> <logger name="org.apache.drill" additivity="false">
>     <level value="all" />
>     <appender-ref ref="FILE" />
> </logger>
> {code}
> *2.* PLAIN authentication mechanism is configured:
> {code:java}
>   security.user.auth: {
>       enabled: true,
>       packages += "org.apache.drill.exec.rpc.user.security",
>       impl: "pam",
>       pam_profiles: [ "sudo", "login" ]
>   }
> {code}
> *Steps:*
>  *1.* Start the drillbits
>  *2.* Connect by sqlline:
> {noformat}
> /opt/mapr/drill/drill-1.13.0/bin/sqlline -u "jdbc:drill:zk=node1:5181;" -n user1 -p 1111
> {noformat}
> *Expected result:* Logs shouldn't contain clear-text passwords
> *Actual results:* During the drillbit startup or establishing connections via the jdbc or odbc, the following lines appear in the drillbit.log:
> {noformat}
> properties {
>     key: "password"
>     value: "1111"
> }
> {noformat}
> The same thing happens with storage configuration data: everything, including passwords, is being logged to the file.
> *Another issue:*
> Currently Drill config files have the permissions 0644:
> {noformat}
> -rw-r--r--. 1 mapr mapr 1081 Nov 16 14:42 core-site-example.xml
> -rwxr-xr-x. 1 mapr mapr 1807 Dec 19 11:55 distrib-env.sh
> -rw-r--r--. 1 mapr mapr 1424 Nov 16 14:42 distrib-env.sh.prejmx
> -rw-r--r--. 1 mapr mapr 1942 Nov 16 14:42 drill-am-log.xml
> -rw-r--r--. 1 mapr mapr 1279 Dec 19 11:55 drill-distrib.conf
> -rw-r--r--. 1 mapr mapr  117 Nov 16 14:50 drill-distrib-mem-qs.conf
> -rw-r--r--. 1 mapr mapr 6016 Nov 16 14:42 drill-env.sh
> -rw-r--r--. 1 mapr mapr 1855 Nov 16 14:50 drill-on-yarn.conf
> -rw-r--r--. 1 mapr mapr 6913 Nov 16 14:42 drill-on-yarn-example.conf
> -rw-r--r--. 1 mapr mapr 1135 Dec 19 11:55 drill-override.conf
> -rw-r--r--. 1 mapr mapr 7820 Nov 16 14:42 drill-override-example.conf
> -rw-r--r--. 1 mapr mapr 3136 Nov 16 14:42 logback.xml
> -rw-r--r--. 1 mapr mapr  668 Nov 16 14:51 warden.drill-bits.conf
> -rw-r--r--. 1 mapr mapr 1581 Nov 16 14:42 yarn-client-log.xml
> {noformat}
> As they may contain sensitive information, like passwords or secret keys, they should not be viewable by everyone. So I suggest reducing the permissions at least to 0640.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)