hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Wang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-13494) ReconfigurableBase can log sensitive information
Date Mon, 15 Aug 2016 20:46:21 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-13494?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15421644#comment-15421644

Andrew Wang commented on HADOOP-13494:

Thanks for working on this Sean, this is a pretty concerning bug, fix looks good overall.
A few review comments:

* Class javadoc's first sentence should end with a period. Also needs a "<p>" tag if
you want to linebreak the paragraph.
* How do you feel about making the list of regexes themselves configurable? Users can put
whatever keys they want into their Configuration (which might also be sensitive), so ideally
redaction also handles this case. It makes the logic in ReconfigurableBase a little more complicated
though, since we'll need per-Configuration redactors.

I also did a quick grep for "password" in DFSConfigKeys and turned up a few, we should consider
redacting those as well.

> ReconfigurableBase can log sensitive information
> ------------------------------------------------
>                 Key: HADOOP-13494
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13494
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.2.0
>            Reporter: Sean Mackrory
>            Assignee: Sean Mackrory
>         Attachments: HADOOP-13494.001.patch, HADOOP-13494.002.patch
> ReconfigurableBase will log old and new configuration values, which may cause sensitive
parameters (most notably cloud storage keys, though there may be other instances) to get included
in the logs. 
> Given the currently small list of reconfigurable properties, an argument could be made
for simply not logging the property values at all, but this is not the only instance where
potentially sensitive configuration gets written somewhere else in plaintext. I think a generic
mechanism for redacting sensitive information for textual display will be useful to some of
the web UIs too.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org

View raw message