Posted to yarn-issues@hadoop.apache.org by "Tarun Parimi (Jira)" <ji...@apache.org> on 2020/12/16 04:55:00 UTC

[jira] [Updated] (YARN-10007) YARN logs contain environment variables, which is a security risk

     [ https://issues.apache.org/jira/browse/YARN-10007?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tarun Parimi updated YARN-10007:
--------------------------------
    Issue Type: New Feature  (was: Bug)

> YARN logs contain environment variables, which is a security risk
> -----------------------------------------------------------------
>
>                 Key: YARN-10007
>                 URL: https://issues.apache.org/jira/browse/YARN-10007
>             Project: Hadoop YARN
>          Issue Type: New Feature
>          Components: yarn
>            Reporter: john lilley
>            Priority: Major
>
> In most environments it is standard practice to relay "secrets" via environment variables when spawning a process, because the alternatives (command-line args or storing in a file) are insecure.  However, in a YARN application, this also appears to be insecure because the environment is logged.  While YARN has the ability to relay delegation tokens in the launch context, it is unclear how to use this facility for generalized "secrets" that may not conform to security-token structure.  
> For example, the RPDM_KEYSTORE_PASSWORDS env var is found in the aggregated YARN logs:
> {{Container: container_e06_1574362398372_0023_01_000001 on node6.xxxxxxxx.com_45454}}
> {{LogAggregationType: AGGREGATED}}
> {{============================================================================================}}
> {{LogType:launch_container.sh}}
> {{LogLastModifiedTime:Sat Nov 23 14:58:12 -0700 2019}}
> {{LogLength:4043}}
> {{LogContents:}}
> {{#!/bin/bash}}
> {{set -o pipefail -e}}
> {{[...]export HADOOP_YARN_HOME=${HADOOP_YARN_HOME:-"/usr/hdp/2.6.5.1175-1/hadoop-yarn"}}}
> {{export RPDM_KEYSTORE_PASSWORDS="eyJnZW5lcmFsIjoiZmtQZllubmVLRVo4c1Z0V0REQ3gxaHJzRnVjdVN5b1NBTE9OUTF1dEZpZ1x1MDAzZCJ9"}}
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
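
A triage check for the exposure described in this report, as an added example that is not from the reporter or the Hadoop project: it scans aggregated log text for `export` lines inside `launch_container.sh` sections whose name or value looks like a secret, and returns the findings plus a redacted copy. The name patterns, the base64 heuristic and the sample log are constructed assumptions.

```python
import re

# Variable names that suggest a secret (assumption; tune per site).
SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|CREDENTIAL|API_?KEY|KEYSTORE", re.I)
EXPORT = re.compile(r"^(\s*export\s+)([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
# Heuristic: one long base64-looking value. Absolute paths are excluded, and
# '_' is not in the set, so container and application ids do not match.
OPAQUE = re.compile(r'^"?(?!/)[A-Za-z0-9+/]{32,}={0,2}"?$')

def scan_aggregated_log(text):
    """Return (findings, redacted_text); findings are (container, name, reason)."""
    findings, out = [], []
    container, in_launch = None, False
    for line in text.splitlines():
        if line.startswith("Container:"):
            container, in_launch = line.split()[1], False
        elif line.startswith("LogType:"):
            # Scope is the launch script written by YARN; application output
            # (stdout, stderr) needs its own scrubbing.
            in_launch = line.strip() == "LogType:launch_container.sh"
        m = EXPORT.match(line) if in_launch else None
        if m:
            prefix, name, value = m.groups()
            reason = ("name" if SECRET_NAME.search(name)
                      else "opaque-value" if OPAQUE.match(value) else None)
            if reason:
                findings.append((container, name, reason))
                line = f'{prefix}{name}="<redacted>"'
        out.append(line)
    return findings, "\n".join(out)

# Constructed sample in the layout shown in the report; values are not real secrets.
SAMPLE = """\
Container: container_e01_1600000000000_0001_01_000001 on node1.example.com_45454
LogAggregationType: AGGREGATED
LogType:launch_container.sh
LogContents:
#!/bin/bash
set -o pipefail -e
export HADOOP_YARN_HOME=${HADOOP_YARN_HOME:-"/opt/hadoop/hadoop-yarn"}
export CONTAINER_ID="container_e01_1600000000000_0001_01_000001"
export APP_KEYSTORE_PASSWORDS="Q09OU1RSVUNURUQtU0FNUExFLVZBTFVFLU5PVC1BLVNFQ1JFVA=="
export APP_BLOB="Q09OU1RSVUNURUQtU0FNUExFLVZBTFVFLU5PVC1BLVNFQ1JFVA=="
LogType:stderr
LogContents:
export DB_PASSWORD="printed by the app, outside launch_container.sh"
"""

if __name__ == "__main__":
    for finding in scan_aggregated_log(SAMPLE)[0]:
        print(finding)
```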
