You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ambari.apache.org by rl...@apache.org on 2017/05/02 14:52:24 UTC
ambari git commit: AMBARI-20874. Mask passwords in Request resource
responses (rlevas)
Repository: ambari
Updated Branches:
refs/heads/trunk 13a981c1a -> 34761fcdc
AMBARI-20874. Mask passwords in Request resource responses (rlevas)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/34761fcd
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/34761fcd
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/34761fcd
Branch: refs/heads/trunk
Commit: 34761fcdcec142d1d6e1dcf76febb9ce526ae927
Parents: 13a981c
Author: Robert Levas <rl...@hortonworks.com>
Authored: Tue May 2 10:52:18 2017 -0400
Committer: Robert Levas <rl...@hortonworks.com>
Committed: Tue May 2 10:52:18 2017 -0400
----------------------------------------------------------------------
.../internal/RequestResourceProvider.java | 12 ++++++-
.../internal/RequestResourceProviderTest.java | 35 ++++++++++++++++++++
2 files changed, 46 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/34761fcd/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/RequestResourceProvider.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/RequestResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/RequestResourceProvider.java
index 57e7024..c405995 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/RequestResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/RequestResourceProvider.java
@@ -69,6 +69,7 @@ import org.apache.ambari.server.state.Cluster;
import org.apache.ambari.server.state.Clusters;
import org.apache.ambari.server.topology.LogicalRequest;
import org.apache.ambari.server.topology.TopologyManager;
+import org.apache.ambari.server.utils.SecretReference;
import org.apache.commons.lang.StringUtils;
import com.google.common.collect.Sets;
@@ -741,7 +742,16 @@ public class RequestResourceProvider extends AbstractControllerResourceProvider
setResourceProperty(resource, REQUEST_ID_PROPERTY_ID, entity.getRequestId(), requestedPropertyIds);
setResourceProperty(resource, REQUEST_CONTEXT_ID, entity.getRequestContext(), requestedPropertyIds);
setResourceProperty(resource, REQUEST_TYPE_ID, entity.getRequestType(), requestedPropertyIds);
- setResourceProperty(resource, REQUEST_INPUTS_ID, entity.getInputs(), requestedPropertyIds);
+
+ // Mask any sensitive data fields in the inputs data structure
+ if (isPropertyRequested(REQUEST_INPUTS_ID, requestedPropertyIds)) {
+ String value = entity.getInputs();
+ if (!StringUtils.isBlank(value)) {
+ value = SecretReference.maskPasswordInPropertyMap(value);
+ }
+ resource.setProperty(REQUEST_INPUTS_ID, value);
+ }
+
setResourceProperty(resource, REQUEST_RESOURCE_FILTER_ID,
org.apache.ambari.server.actionmanager.Request.filtersFromEntity(entity),
requestedPropertyIds);
http://git-wip-us.apache.org/repos/asf/ambari/blob/34761fcd/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/RequestResourceProviderTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/RequestResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/RequestResourceProviderTest.java
index feedc74..6bc856d 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/RequestResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/RequestResourceProviderTest.java
@@ -83,6 +83,7 @@ import org.apache.ambari.server.topology.HostGroupInfo;
import org.apache.ambari.server.topology.LogicalRequest;
import org.apache.ambari.server.topology.TopologyManager;
import org.apache.ambari.server.topology.TopologyRequest;
+import org.apache.ambari.server.utils.SecretReference;
import org.easymock.Capture;
import org.easymock.EasyMock;
import org.junit.After;
@@ -98,6 +99,8 @@ import org.springframework.security.core.context.SecurityContextHolder;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Lists;
+import com.google.gson.Gson;
+import com.google.gson.reflect.TypeToken;
/**
* RequestResourceProvider tests.
@@ -142,6 +145,10 @@ public class RequestResourceProviderTest {
field.setAccessible(true);
field.set(null, topologyManager);
+ field = SecretReference.class.getDeclaredField("gson");
+ field.setAccessible(true);
+ field.set(null, new Gson());
+
AuthorizationHelperInitializer.viewInstanceDAOReturningNull();
}
@@ -258,12 +265,38 @@ public class RequestResourceProviderTest {
public void testGetResources() throws Exception {
Resource.Type type = Resource.Type.Request;
+ String storedInputs = "{" +
+ " \"hosts\": \"host1\"," +
+ " \"check_execute_list\": \"last_agent_env_check,installed_packages,existing_repos,transparentHugePage\"," +
+ " \"jdk_location\": \"http://ambari_server.home:8080/resources/\"," +
+ " \"threshold\": \"20\"," +
+ " \"password\": \"for your eyes only\"," +
+ " \"foo_password\": \"for your eyes only\"," +
+ " \"passwd\": \"for your eyes only\"," +
+ " \"foo_passwd\": \"for your eyes only\"" +
+ " }";
+ String cleanedInputs = SecretReference.maskPasswordInPropertyMap(storedInputs);
+
+ // Make sure SecretReference.maskPasswordInPropertyMap properly masked the password fields in cleanedInputs...
+ Gson gson = new Gson();
+ Map<String, String> map = gson.fromJson(cleanedInputs, new TypeToken<Map<String, String>>() {}.getType());
+ for (Map.Entry<String, String> entry : map.entrySet()) {
+ String name = entry.getKey();
+ if (name.contains("password") || name.contains("passwd")) {
+ Assert.assertEquals("SECRET", entry.getValue());
+ }
+ else {
+ Assert.assertFalse("SECRET".equals(entry.getValue()));
+ }
+ }
+
AmbariManagementController managementController = createMock(AmbariManagementController.class);
ActionManager actionManager = createNiceMock(ActionManager.class);
RequestEntity requestMock = createNiceMock(RequestEntity.class);
expect(requestMock.getRequestContext()).andReturn("this is a context").anyTimes();
expect(requestMock.getRequestId()).andReturn(100L).anyTimes();
+ expect(requestMock.getInputs()).andReturn(storedInputs).anyTimes();
Capture<Collection<Long>> requestIdsCapture = newCapture();
@@ -287,6 +320,7 @@ public class RequestResourceProviderTest {
propertyIds.add(RequestResourceProvider.REQUEST_ID_PROPERTY_ID);
propertyIds.add(RequestResourceProvider.REQUEST_STATUS_PROPERTY_ID);
+ propertyIds.add(RequestResourceProvider.REQUEST_INPUTS_ID);
Predicate predicate = new PredicateBuilder().property(RequestResourceProvider.REQUEST_ID_PROPERTY_ID).equals("100").
toPredicate();
@@ -297,6 +331,7 @@ public class RequestResourceProviderTest {
for (Resource resource : resources) {
Assert.assertEquals(100L, (long) (Long) resource.getPropertyValue(RequestResourceProvider.REQUEST_ID_PROPERTY_ID));
Assert.assertEquals("IN_PROGRESS", resource.getPropertyValue(RequestResourceProvider.REQUEST_STATUS_PROPERTY_ID));
+ Assert.assertEquals(cleanedInputs, resource.getPropertyValue(RequestResourceProvider.REQUEST_INPUTS_ID));
}
// verify