You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@oozie.apache.org by "Robert Kanter (JIRA)" <ji...@apache.org> on 2017/03/03 02:30:46 UTC
[jira] [Commented] (OOZIE-2779) Mask Hive2 action Beeline JDBC
password
[ https://issues.apache.org/jira/browse/OOZIE-2779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15893602#comment-15893602 ]
Robert Kanter commented on OOZIE-2779:
--------------------------------------
I don't have a good counterexample off the top of my head, but what if {{"-p"}} is a non-password valid argument for some other component? Or becomes one in the future? For instance, it could stand for "parallel" or something. So I don't think we should block all {{"-p"}} args across all Action types. How about we make {{printArgs}} take additional arguments for additional things to mask?
{code:java}
public static void printArgs(String banner, String[] args, String... custom) {
...
for (String c : custom) {
if (arg.toLowerCase.contains(c)) {
maskNextArg = true;
}
}
...
{code}
Then in {{Hive2Action}}, we'd call:
{code:java}
LauncherMapper.printArgs("Beeline command arguments :", arguments.toArray(new String[arguments.size()], "-p"));
{code}
And other Action types can add other arguments as necessary.
> Mask Hive2 action Beeline JDBC password
> ---------------------------------------
>
> Key: OOZIE-2779
> URL: https://issues.apache.org/jira/browse/OOZIE-2779
> Project: Oozie
> Issue Type: Bug
> Components: action
> Reporter: Abhishek Bafna
> Assignee: Abhishek Bafna
> Labels: security
> Fix For: 5.0.0
>
> Attachments: OOZIE-2779-00.patch
>
>
> Hive2 Oozie launcher job prints the JDBC password into launcher stdout logs.
> {noformat}
> Beeline command arguments :
> -u
> jdbc:hive2://source-1:10000/default
> -n
> ambari-qa
> -p
> DUMMY
> -d
> org.apache.hive.jdbc.HiveDriver
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)