You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@oozie.apache.org by "Wei Yan (JIRA)" <ji...@apache.org> on 2015/09/02 19:27:46 UTC
[jira] [Commented] (OOZIE-2244) Oozie should mask passwords in the
logs when logging command arguments
[ https://issues.apache.org/jira/browse/OOZIE-2244?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14727675#comment-14727675 ]
Wei Yan commented on OOZIE-2244:
--------------------------------
Thanks for the fix, [~venkatnrangan]. We also meet similar issue, as mentioned in OOZIE-2340.
I'm thinking another approach which introduces a switch and users can decide whether print the arguments out or not. This can help like: (1) at beginning we may need to debug some code which needs the password info; (2) besides password, the users may also don't want to disclose other sensitive info. But one global switch may let us lose some debug information. No sure whether it is a good idea that we introduce per-argument config, and all default configs are "print it out". Users can mask some arguments by inputing a list of argument names.
Thought? [~rkanter], [~jaydeepvishwakarma].
> Oozie should mask passwords in the logs when logging command arguments
> ----------------------------------------------------------------------
>
> Key: OOZIE-2244
> URL: https://issues.apache.org/jira/browse/OOZIE-2244
> Project: Oozie
> Issue Type: Bug
> Affects Versions: 4.1.0, 4.0.1
> Environment: All
> Reporter: Venkat Ranganathan
> Assignee: Venkat Ranganathan
> Priority: Critical
> Fix For: trunk
>
> Attachments: OOZIE-2244-no-prefix.patch
>
>
> Users have complained that oozie logging the password related argument values in the launcher log is a security hole and want it to be masked in the output. Even password aliases in keystore are considered to be a security hole.
> The fix is to mask any argument values if option name contains the string password (which is true for Sqoop). We do this in multiple places, in Sqoop main, in Launcher Mapper, in JavaMain as well.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)