hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Wang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-13494) ReconfigurableBase can log sensitive information
Date Tue, 16 Aug 2016 00:25:20 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-13494?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15421949#comment-15421949
] 

Andrew Wang commented on HADOOP-13494:
--------------------------------------

Thanks for the rev Sean, a few more comments:

* Normally you want to pass in the Configuration to the constructor, since making a Configuration
is pretty heavy-weight (all the parsing and deprecation logic), and it also makes unit testing
easier.
* The tricky bit I was alluding to was how when we have both {{oldConf}} and {{newConf}},
they can have different redaction patterns configured. I think the right behavior here is
to respect the redaction settings in the selfsame config. This also relates to passing in
the Configuration to the constructor.
* I think "password" might also be too broad of a pattern, since it catches okay keys like
"hadoop.security.credstore.java-keystore-provider.password-file".

> ReconfigurableBase can log sensitive information
> ------------------------------------------------
>
>                 Key: HADOOP-13494
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13494
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.2.0
>            Reporter: Sean Mackrory
>            Assignee: Sean Mackrory
>         Attachments: HADOOP-13494.001.patch, HADOOP-13494.002.patch, HADOOP-13494.003.patch
>
>
> ReconfigurableBase will log old and new configuration values, which may cause sensitive
parameters (most notably cloud storage keys, though there may be other instances) to get included
in the logs. 
> Given the currently small list of reconfigurable properties, an argument could be made
for simply not logging the property values at all, but this is not the only instance where
potentially sensitive configuration gets written somewhere else in plaintext. I think a generic
mechanism for redacting sensitive information for textual display will be useful to some of
the web UIs too.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org


Mime
View raw message