Posted to issues@ambari.apache.org by "Kevin Risden (JIRA)" <ji...@apache.org> on 2017/10/03 21:20:00 UTC

[jira] [Commented] (AMBARI-16810) Ambari Agent security bypassed in Python=>2.7.9

    [ https://issues.apache.org/jira/browse/AMBARI-16810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16190370#comment-16190370 ] 

Kevin Risden commented on AMBARI-16810:
---------------------------------------

Our environment was just updated to Python 2.7.5 release 58.el7 and we ran into this same issue. We changed the version check from 2.7.9 to 2.7.5 and it worked around this issue.

Name        : python
Arch        : x86_64
Version     : 2.7.5
Release     : 58.el7
Size        : 79 k
Repo        : installed
From repo   : rhel-7-server-rpms
Summary     : An interpreted, interactive, object-oriented programming language
URL         : http://www.python.org/
License     : Python
Description : Python is an interpreted, interactive, object-oriented programming
            : language often compared to Tcl, Perl, Scheme or Java. Python includes
            : modules, classes, exceptions, very high level dynamic data types and
            : dynamic typing. Python supports interfaces to many system calls and
            : libraries, as well as to various windowing systems (X11, Motif, Tk,
            : Mac and MFC).
            :
            : Programmers can write new built-in modules for Python in C or C++.
            : Python can be used as an extension language for applications that need
            : a programmable interface.
            :
            : Note that documentation for Python is provided in the python-docs
            : package.
            :
            : This package provides the "python" executable; most of the actual
            : implementation is within the "python-libs" package.


> Ambari Agent security bypassed in Python=>2.7.9
> -----------------------------------------------
>
>                 Key: AMBARI-16810
>                 URL: https://issues.apache.org/jira/browse/AMBARI-16810
>             Project: Ambari
>          Issue Type: Bug
>            Reporter: Andrew Onischuk
>            Assignee: Andrew Onischuk
>             Fix For: 2.4.0
>
>         Attachments: AMBARI-16810.patch
>
>
> We hard-coded the Ambari Agents to ignore certification
> verification. But the reason why this was required was Python being un-secure by
> default:
> <https://access.redhat.com/articles/2039753>
> <https://www.python.org/dev/peps/pep-0476/>
> That method will cause signed certificates to not serve any purpose & is
> discouraged by RedHat & Python security experts:
> > "It is also possible, though highly discouraged, to globally disable
> verification by monkeypatching the ssl module in versions of Python"
> Instead we should abstract it to a setting (e.g. ssl_verify_cert) in the
> ambari-agent.ini such that users can turn on certification verification if they
> provide a signed/trusted certificate.



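
An added example, not part of the original message and not Ambari's code: one way to drive certificate verification from the proposed ssl_verify_cert setting, and to learn the interpreter's default by probing the ssl module instead of comparing version numbers. The [security] section name, the ca_file parameter and the verify-when-unset fallback are assumptions of this example.

```python
import configparser
import ssl

# Constructed sample config. "ssl_verify_cert" is the name proposed in the
# issue; the [security] section is an assumption of this example.
SAMPLE_INI = """
[security]
ssl_verify_cert = 1
"""


def verifies_by_default():
    """Probe what the stdlib HTTPS default does on this interpreter.

    The comment above reports the same behaviour on a distribution 2.7.5
    package, so a version comparison is not a reliable signal.
    """
    factory = getattr(ssl, "_create_default_https_context", None)
    if factory is None:
        # Attribute introduced with PEP 476; absent means no default verification.
        return False
    return factory().verify_mode == ssl.CERT_REQUIRED


def build_context(ini_text, ca_file=None):
    """Return an SSLContext that honours ssl_verify_cert.

    Verification stays on when the option or section is missing
    (a choice made by this example).
    """
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    verify = cfg.getboolean("security", "ssl_verify_cert", fallback=True)
    if verify:
        # CERT_REQUIRED plus hostname checking; ca_file can point at a private CA.
        return ssl.create_default_context(cafile=ca_file)
    # Explicit opt-out scoped to this context, not a monkeypatch of the ssl module.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx
```

The returned context is passed to the individual connection (for example the context argument of an HTTPS client), so disabling verification for one endpoint does not change the behaviour of every other TLS client in the process.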