Posted to dev@ambari.apache.org by "Yu Gao (JIRA)" <ji...@apache.org> on 2015/08/04 19:52:04 UTC

[jira] [Commented] (AMBARI-12634) Clear passwords can be seen on Ambari UI service Configs tab via browser developer tool

    [ https://issues.apache.org/jira/browse/AMBARI-12634?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14654039#comment-14654039 ] 

Yu Gao commented on AMBARI-12634:
---------------------------------

One solution for this issue is to dynamically mask password properties on the server side before sending them over to the UI/REST client.
   - For GET requests that read service configurations, the Ambari server should mask properties of PASSWORD type with stars (like *******).
   - For PUT/POST requests that modify service configurations, the Ambari server replaces the received stars value for properties of PASSWORD type with the original value saved in the DB (with the current implementation in Ambari, simply removing those masked properties would delete them from the DB as well).
If a PASSWORD property is the one requested to be changed, Ambari will accept the new value as normal. To protect the newly changed passwords in transit, SSL is one way, which is already supported by Ambari.
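The read/write masking scheme described in the comment, as an added illustration that is not Ambari's code: a GET view that replaces PASSWORD-type values with the mask, and a PUT/POST merge that restores the stored secret when the client echoes the mask back, accepts any other value as a real change, and refuses to persist the literal stars for a key it has no stored value for. The property names, the type map and the stored values are constructed for the example; the mask string is the one from the comment.

```python
"""Server-side masking of PASSWORD-type configuration properties.

Added example of the scheme in the comment above; not Ambari code.
Property names, types and values below are constructed for illustration.
"""
from typing import Dict, List, Tuple

MASK = "*******"  # placeholder sent to clients instead of the real secret

# Constructed property-type schema: which keys are secrets (hypothetical names).
PROPERTY_TYPES: Dict[str, str] = {
    "hive.metastore.uris": "TEXT",
    "javax.jdo.option.ConnectionPassword": "PASSWORD",
    "hive.server2.keystore.password": "PASSWORD",
}


def mask_for_read(stored: Dict[str, str],
                  types: Dict[str, str] = PROPERTY_TYPES) -> Dict[str, str]:
    """Config as it should leave the server on a GET: secrets replaced by MASK."""
    return {k: (MASK if types.get(k) == "PASSWORD" else v)
            for k, v in stored.items()}


def merge_for_write(stored: Dict[str, str],
                    received: Dict[str, str],
                    types: Dict[str, str] = PROPERTY_TYPES
                    ) -> Tuple[Dict[str, str], List[str]]:
    """Config to persist after a PUT/POST of a (possibly masked) config.

    - PASSWORD property that echoes MASK  -> keep the stored value
      (the client never saw the real one, so the stars are not a change)
    - PASSWORD property with another value -> accept it as a real change
    - any other property                  -> taken from the request as-is;
      keys absent from the request are dropped, mirroring the behaviour the
      comment notes for removed properties
    Returns (new_config, changed_password_keys); the second item is what an
    audit log should record (key names only, never the values).
    """
    result: Dict[str, str] = {}
    changed_secrets: List[str] = []
    for key, value in received.items():
        if types.get(key) != "PASSWORD":
            result[key] = value
            continue
        if value != MASK:
            result[key] = value          # genuine password change
            changed_secrets.append(key)
        elif key in stored:
            result[key] = stored[key]    # restore what the client could not see
        else:
            # Mask echoed for a secret we never stored: nothing to restore, and
            # persisting the literal stars would silently set a bogus password.
            raise ValueError(f"masked value received for unknown secret {key!r}")
    return result, changed_secrets


if __name__ == "__main__":
    # Constructed stored configuration.
    stored = {
        "hive.metastore.uris": "thrift://metastore.example:9083",
        "javax.jdo.option.ConnectionPassword": "s3cret",
        "hive.server2.keystore.password": "ks-pass",
    }
    shown = mask_for_read(stored)
    print("GET view:", shown)
    # Client edits only the non-secret and sends the masked config back.
    shown["hive.metastore.uris"] = "thrift://metastore2.example:9083"
    merged, changed = merge_for_write(stored, shown)
    print("persisted:", merged, "changed secrets:", changed)
```

The one ambiguity this design carries is a real password that happens to equal the mask string itself; the server would treat it as "unchanged" on write, so the mask should be chosen (or the write path should be given an explicit "changed" flag) so that collision cannot occur. Masking must be applied for every reader, not only read-only users, since the REST API is the same endpoint the UI and developer tools see.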


> Clear passwords can be seen on Ambari UI service Configs tab via browser developer tool
> ---------------------------------------------------------------------------------------
>
>                 Key: AMBARI-12634
>                 URL: https://issues.apache.org/jira/browse/AMBARI-12634
>             Project: Ambari
>          Issue Type: Improvement
>          Components: ambari-server
>    Affects Versions: 2.1.0
>            Reporter: Yu Gao
>              Labels: security
>
> HTML password type hides passwords with **** on the service Configs page. However, everyone, including non-admin users who have Ambari access with READ-ONLY permission, can see the real content of the passwords through developer tools, like Firebug in Firefox.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)