hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sean Mackrory (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-13494) ReconfigurableBase can log sensitive information
Date Tue, 16 Aug 2016 01:26:20 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-13494?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Sean Mackrory updated HADOOP-13494:
-----------------------------------
    Attachment: HADOOP-13494.004.patch

Aahh I understand now. Passing in the configuration object now, and anchoring password to
the end of the key - should be a much safer heuristic. Also in this patch, separate redactors
for the old and new config. I originally thought it safer to go with the new config only,
because none of the sensitive properties are currently reconfigurable. I don't really see
it being a common case where you change your mind to stop redacting certain configs. If you
add a property to redact, the old value still gets logged. I see your argument too though,
so no strong opinions here. Thoughts?

> ReconfigurableBase can log sensitive information
> ------------------------------------------------
>
>                 Key: HADOOP-13494
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13494
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.2.0
>            Reporter: Sean Mackrory
>            Assignee: Sean Mackrory
>         Attachments: HADOOP-13494.001.patch, HADOOP-13494.002.patch, HADOOP-13494.003.patch,
HADOOP-13494.004.patch
>
>
> ReconfigurableBase will log old and new configuration values, which may cause sensitive
parameters (most notably cloud storage keys, though there may be other instances) to get included
in the logs. 
> Given the currently small list of reconfigurable properties, an argument could be made
for simply not logging the property values at all, but this is not the only instance where
potentially sensitive configuration gets written somewhere else in plaintext. I think a generic
mechanism for redacting sensitive information for textual display will be useful to some of
the web UIs too.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org


Mime
View raw message