Posted to commits@airflow.apache.org by "Ash Berlin-Taylor (Jira)" <ji...@apache.org> on 2019/12/11 10:30:00 UTC
[jira] [Updated] (AIRFLOW-4176) [security] webui shows password -
admin/log/?flt1_extra_contains=conn_password
[ https://issues.apache.org/jira/browse/AIRFLOW-4176?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ash Berlin-Taylor updated AIRFLOW-4176:
---------------------------------------
Description:
First set up hivecli connection:
{{source /home/ec2-user/venv/bin/activate; airflow connections -a --conn_id query_hive --conn_type hive_cli --conn_host domainhere --conn_port 10000 --conn_schema default --conn_extra "{\"use_beeline\":\"true\", \"ssl-options\":\"ssl=true;sslTrustStore=path-${RUNTIME_ENV}.jks;trustStorePassword=${QUERY_JKS_PASW}\"}" --conn_login ${QUERY_HIVE_USER} --conn_password ${QUERY_HIVE_PASW}}}
On the webui navigate to domain/admin/log/?flt1_extra_contains=conn_password
and you will be able to see cleartext user and password!
see attachment
was:
First set up hivecli connection:
{noformat}
source /home/ec2-user/venv/bin/activate; airflow connections -a --conn_id query_hive --conn_type hive_cli --conn_host domainhere --conn_port 10000 --conn_schema default --conn_extra "\{\"use_beeline\":\"true\", \"ssl-options\":\"ssl=true;sslTrustStore=path-${RUNTIME_ENV}.jks;trustStorePassword=${QUERY_JKS_PASW}\"}" --conn_login ${QUERY_HIVE_USER} --conn_password ${QUERY_HIVE_PASW}
{noformat}
On the webui navigate to domain/admin/log/?flt1_extra_contains=conn_password
and you will be able to see cleartext user and password!
see attachment
> [security] webui shows password - admin/log/?flt1_extra_contains=conn_password
> ------------------------------------------------------------------------------
>
> Key: AIRFLOW-4176
> URL: https://issues.apache.org/jira/browse/AIRFLOW-4176
> Project: Apache Airflow
> Issue Type: Bug
> Components: security, ui
> Affects Versions: 1.10.2
> Reporter: t oo
> Priority: Blocker
> Fix For: 2.0.0
>
> Attachments: airf.png
>
>
> First set up hivecli connection:
> {{source /home/ec2-user/venv/bin/activate; airflow connections -a --conn_id query_hive --conn_type hive_cli --conn_host domainhere --conn_port 10000 --conn_schema default --conn_extra "{\"use_beeline\":\"true\", \"ssl-options\":\"ssl=true;sslTrustStore=path-${RUNTIME_ENV}.jks;trustStorePassword=${QUERY_JKS_PASW}\"}" --conn_login ${QUERY_HIVE_USER} --conn_password ${QUERY_HIVE_PASW}}}
>
> On the webui navigate to domain/admin/log/?flt1_extra_contains=conn_password
> and you will be able to see cleartext user and password!
> see attachment
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
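
One way to keep the secrets in the command above out of the log table, as an added example that is not part of the original message or Airflow's own code: redact the argument list before it is recorded. It assumes the log row's extra field is built from the CLI argument list; `redact_argv`, `SECRET_FLAGS`, `EMBEDDED_SECRET` and the sample values are hypothetical.

```python
import re

MASK = "********"
# Flag taken from the command on this page whose whole value is a secret.
SECRET_FLAGS = {"--conn_password"}
# key=value pairs whose key looks like a password, e.g. the
# trustStorePassword=... entry inside the --conn_extra JSON string.
EMBEDDED_SECRET = re.compile(r"(?i)(\b\w*(?:password|passwd|secret)\w*=)[^;\"'\s}]+")


def redact_argv(argv):
    """Return a copy of argv that is safe to store in an audit-log row."""
    safe = []
    mask_next = False
    for arg in argv:
        if mask_next:
            # Value of a "--flag value" pair whose flag is secret.
            safe.append(MASK)
            mask_next = False
            continue
        flag, sep, _value = arg.partition("=")
        if flag in SECRET_FLAGS:
            if sep:
                # "--flag=value" form: keep the flag, drop the value.
                safe.append(flag + "=" + MASK)
            else:
                safe.append(arg)
                mask_next = True
            continue
        # Any other argument: mask password-like key=value pairs inside it.
        safe.append(EMBEDDED_SECRET.sub(lambda m: m.group(1) + MASK, arg))
    return safe


# Constructed sample mirroring the command on this page; the values are made up.
SAMPLE_ARGV = [
    "airflow", "connections", "-a", "--conn_id", "query_hive",
    "--conn_extra",
    '{"use_beeline":"true", "ssl-options":"ssl=true;trustStorePassword=jks-example"}',
    "--conn_login", "hive_user", "--conn_password", "hive-example",
]

if __name__ == "__main__":
    print(" ".join(redact_argv(SAMPLE_ARGV)))
```

The flag names still appear in the redacted row, so a filter such as flt1_extra_contains=conn_password keeps working for auditing without exposing the values.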