Posted to issues@mesos.apache.org by "Alexander Rojas (JIRA)" <ji...@apache.org> on 2018/01/08 15:22:00 UTC
[jira] [Created] (MESOS-8413) Zookeeper configuration passwords are shown in clear text
Alexander Rojas created MESOS-8413:
--------------------------------------
Summary: Zookeeper configuration passwords are shown in clear text
Key: MESOS-8413
URL: https://issues.apache.org/jira/browse/MESOS-8413
Project: Mesos
Issue Type: Bug
Components: master
Affects Versions: 1.4.1
Reporter: Alexander Rojas
No matter how one configures Mesos, either by passing the ZooKeeper flags on the command line or using a file, as follows:
{noformat}
./bin/mesos-master.sh --work_dir=/tmp/$USER/mesos/master --log_dir=/tmp/$USER/mesos/master/log --zk=zk://${zk_username}:${zk_password}@${zk_addr}/mesos --quorum=1
{noformat}
{noformat}
echo "zk://${zk_username}:${zk_password}@${zk_addr}/mesos" > /tmp/${USER}/mesos/zk_config.txt
./bin/mesos-master.sh --work_dir=/tmp/$USER/mesos/master --log_dir=/tmp/$USER/mesos/master/log --zk=/tmp/${USER}/mesos/zk_config.txt
{noformat}
both the logs and the results of the {{/flags}} endpoint will resolve to the contents of the flags, i.e.:
{noformat}
I0108 10:12:50.387522 28579 master.cpp:458] Flags at startup: --agent_ping_timeout="15secs" --agent_reregister_timeout="10mins" --allocation_interval="1secs" --allocator="HierarchicalDRF" --authenticate_agents="false" --authenticate_frameworks="false" --authenticate_http_frameworks="false" --authenticate_http_readonly="false" --authenticate_http_readwrite="false" --authenticators="crammd5" --authorizers="local" --filter_gpu_resources="true" --framework_sorter="drf" --help="false" --hostname_lookup="true" --http_authenticators="basic" --initialize_driver_logging="true" --log_auto_initialize="true" --log_dir="/tmp/user/mesos/master/log" --logbufsecs="0" --logging_level="INFO" --max_agent_ping_timeouts="5" --max_completed_frameworks="50" --max_completed_tasks_per_framework="1000" --max_unreachable_tasks_per_framework="1000" --port="5050" --quiet="false" --quorum="1" --recovery_agent_removal_limit="100%" --registry="replicated_log" --registry_fetch_timeout="1mins" --registry_gc_interval="15mins" --registry_max_agent_age="2weeks" --registry_max_agent_count="102400" --registry_store_timeout="20secs" --registry_strict="false" --require_agent_domain="false" --root_submissions="true" --user_sorter="drf" --version="false" --webui_dir="/home/user/mesos/build/../src/webui" --work_dir="/tmp/user/mesos/master" --zk="zk://user@passwd:127.0.0.1:2181/mesos" --zk_session_timeout="10secs"
{noformat}
{noformat}
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Length: 591
Content-Type: application/json
Date: Mon, 08 Jan 2018 15:12:53 GMT
{
"flags": {
"agent_ping_timeout": "15secs",
"agent_reregister_timeout": "10mins",
"allocation_interval": "1secs",
"allocator": "HierarchicalDRF",
"authenticate_agents": "false",
"authenticate_frameworks": "false",
"authenticate_http_frameworks": "false",
"authenticate_http_readonly": "false",
"authenticate_http_readwrite": "false",
"authenticators": "crammd5",
"authorizers": "local",
"filter_gpu_resources": "true",
"framework_sorter": "drf",
"help": "false",
"hostname_lookup": "true",
"http_authenticators": "basic",
"initialize_driver_logging": "true",
"log_auto_initialize": "true",
"log_dir": "/tmp/user/mesos/master/log",
"logbufsecs": "0",
"logging_level": "INFO",
"max_agent_ping_timeouts": "5",
"max_completed_frameworks": "50",
"max_completed_tasks_per_framework": "1000",
"max_unreachable_tasks_per_framework": "1000",
"port": "5050",
"quiet": "false",
"quorum": "1",
"recovery_agent_removal_limit": "100%",
"registry": "replicated_log",
"registry_fetch_timeout": "1mins",
"registry_gc_interval": "15mins",
"registry_max_agent_age": "2weeks",
"registry_max_agent_count": "102400",
"registry_store_timeout": "20secs",
"registry_strict": "false",
"require_agent_domain": "false",
"root_submissions": "true",
"user_sorter": "drf",
"version": "false",
"webui_dir": "/home/user/mesos/build/../src/webui",
"work_dir": "/tmp/user/mesos/master",
"zk": "zk://user@passwd:127.0.0.1:2181/mesos",
"zk_session_timeout": "10secs"
}
}
{noformat}
This leads to having no effective way to prevent the passwords from being shown if someone can get their hands on either of the previous methods.
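One way to mask the credentials before the flags are logged or served, as an added example that is not part of the original report and is not Mesos code. The names `redactZkUrl` and `redactFlags` are hypothetical, the flags are assumed to be available as a string map after any file-based value has been resolved, and the URL is assumed to have the `zk://username:password@addr/path` form used in the commands above.

```cpp
#include <map>
#include <string>

// Added example (not Mesos code). Masks the credentials in a ZooKeeper URL of
// the assumed form zk://username:password@host1:port1,host2:port2/path.
std::string redactZkUrl(const std::string& value)
{
  const std::string scheme = "zk://";
  if (value.compare(0, scheme.size(), scheme) != 0) {
    return value;  // Not a ZooKeeper URL; nothing to mask.
  }

  // The authority ends at the first '/' after the scheme (or at end of string).
  const std::size_t end = value.find('/', scheme.size());
  const std::string authority = value.substr(
      scheme.size(),
      end == std::string::npos ? std::string::npos : end - scheme.size());

  // Credentials, if any, precede the last '@' in the authority. Using the
  // last '@' means a stray '@' inside the credentials stays masked.
  const std::size_t at = authority.rfind('@');
  if (at == std::string::npos) {
    return value;  // No credentials embedded.
  }

  const std::string rest = end == std::string::npos ? "" : value.substr(end);
  return scheme + "<redacted>@" + authority.substr(at + 1) + rest;
}

// Hypothetical helper: returns a copy of the resolved flags that is safe to
// write to the log or to serve from an HTTP endpoint.
std::map<std::string, std::string> redactFlags(
    std::map<std::string, std::string> flags)
{
  for (auto& flag : flags) {
    flag.second = redactZkUrl(flag.second);
  }
  return flags;
}
```

Because a file-based `--zk` value resolves to the file's contents, the masking has to run on the resolved value, not on the string given on the command line.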