[ https://issues.apache.org/jira/browse/HBASE-29761?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18043911#comment-18043911 ]

Kevin Geiszler commented on HBASE-29761:
----------------------------------------

Consider an hbase-site.xml file that includes the following:
{code:xml}
  <property>
    <name>hbase.zookeeper.property.ssl.trustStore.password</name>
    <value>kevin-zk-pw</value>
  </property>
  <property>
    <name>ssl.client.truststore.password</name>
    <value>kevin-ssl-truststore-pw</value>
  </property>
  <property>
    <name>hbase.rpc.tls.truststore.password</name>
    <value>kevin-tls-truststore-pw</value>
  </property>
  <property>
    <name>ssl.server.keystore.password</name>
    <value>kevin-ssl-keystore-pw</value>
  </property>
  <property>
    <name>hadoop.security.sensitive-config-keys</name>
    <value>
      secret$
      password$
      hbase\.zookeeper\.property\.ssl\.trustStore\.password$
      ssl.keystore.pass$
      fs.s3a.server-side-encryption.key
      fs.s3a.*.server-side-encryption.key
      fs.s3a.encryption.algorithm
      fs.s3a.encryption.key
      fs.s3a.secret.key
      fs.s3a.*.secret.key
      fs.s3a.session.key
      fs.s3a.*.session.key
      fs.s3a.session.token
      fs.s3a.*.session.token
      fs.azure.account.key.*
      fs.azure.oauth2.*
      fs.adl.oauth2.*
      fs.gs.encryption.*
      fs.gs.proxy.*
      fs.gs.auth.*
      credential$
      oauth.*secret
      oauth.*password
      oauth.*token
      hadoop.security.sensitive-config-keys
    </value>
  </property>
{code}
If the user runs HBase locally and performs a Debug Dump in the UI, then {{ssl.server.keystore.password}} and the {{*.keystore.password}} config values will each have their contents shown despite {{hadoop.security.sensitive-config-keys}} being included in the config.
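
As an added example (not HBase's or Hadoop's own code), the following Python script applies the {{hadoop.security.sensitive-config-keys}} list from the configuration above the way a redacting Debug Dump would: it parses the XML, splits the list on commas or newlines, and treats each entry as an unanchored regular expression matched against the key name. The split-and-search rules are my assumption of how Hadoop's ConfigRedactor reads this property; the XML sample is constructed from the comment, with the pattern list trimmed to a representative subset, and no built-in default list is applied when the property is absent. Running it shows that every key in the sample matches at least one pattern (the four password keys via {{password$}}, the list itself via its own literal entry), which lets an operator tell a gap in their pattern list apart from a dump path that never applies the list.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not from the HBase code base): the hbase-site.xml fragment
# from the comment, wrapped in a <configuration> root, with the sensitive-keys
# list trimmed to a representative subset of the entries shown above.
HBASE_SITE_XML = r"""<configuration>
  <property>
    <name>hbase.zookeeper.property.ssl.trustStore.password</name>
    <value>kevin-zk-pw</value>
  </property>
  <property>
    <name>ssl.client.truststore.password</name>
    <value>kevin-ssl-truststore-pw</value>
  </property>
  <property>
    <name>hbase.rpc.tls.truststore.password</name>
    <value>kevin-tls-truststore-pw</value>
  </property>
  <property>
    <name>ssl.server.keystore.password</name>
    <value>kevin-ssl-keystore-pw</value>
  </property>
  <property>
    <name>hadoop.security.sensitive-config-keys</name>
    <value>
      secret$
      password$
      hbase\.zookeeper\.property\.ssl\.trustStore\.password$
      ssl.keystore.pass$
      fs.s3a.secret.key
      fs.azure.account.key.*
      credential$
      oauth.*secret
      oauth.*password
      oauth.*token
      hadoop.security.sensitive-config-keys
    </value>
  </property>
</configuration>"""

SENSITIVE_KEYS_PROPERTY = "hadoop.security.sensitive-config-keys"
REDACTED = "<redacted>"


def load_properties(xml_text):
    """Parse <property><name>/<value> pairs from a Hadoop-style XML config."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name", default="").strip()
        if name:
            props[name] = prop.findtext("value", default="")
    return props


def compile_sensitive_patterns(props):
    """Turn the sensitive-keys value into compiled regexes.

    Assumption: entries are separated by commas or newlines and trimmed, which
    is how I understand Hadoop's ConfigRedactor to read this property. If the
    property is absent, this example applies no patterns at all (Hadoop itself
    would fall back to a default list).
    """
    raw = props.get(SENSITIVE_KEYS_PROPERTY, "").strip()
    return [re.compile(tok) for tok in re.split(r"\s*[,\n]\s*", raw) if tok.strip()]


def is_sensitive(key, patterns):
    """Unanchored search: a key is sensitive if any pattern matches anywhere in it."""
    return any(p.search(key) for p in patterns)


def redact(props):
    """Return a copy of the config with every sensitive value replaced."""
    patterns = compile_sensitive_patterns(props)
    return {k: (REDACTED if is_sensitive(k, patterns) else v) for k, v in props.items()}


def unredacted_keys(props):
    """Keys whose values a list-honouring dump would still print in clear text."""
    patterns = compile_sensitive_patterns(props)
    return [k for k in props if not is_sensitive(k, patterns)]


if __name__ == "__main__":
    props = load_properties(HBASE_SITE_XML)
    for key, value in redact(props).items():
        print(f"{key} = {value.strip()}")
    print("not covered by the list:", unredacted_keys(props) or "none")
```

To check a real cluster's list, point {{load_properties}} at the contents of the deployed hbase-site.xml: any key that {{unredacted_keys}} reports is one the pattern list genuinely misses, whereas a key that is matched here but still appears in clear text in a dump is being written by a code path that does not apply the list.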

> The HBase UI's Debug Dump is not redacting sensitive information
> ----------------------------------------------------------------
>
>                 Key: HBASE-29761
>                 URL: https://issues.apache.org/jira/browse/HBASE-29761
>             Project: HBase
>          Issue Type: Bug
>          Components: UI
>            Reporter: Kevin Geiszler
>            Assignee: Kevin Geiszler
>            Priority: Critical
>
> The Debug Dump feature in the HBase UI is supposed to redact sensitive 
> configuration values such as truststore and keystore passwords, but it is not 
> doing so. Instead, the sensitive values are shown in plain text.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)