You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@airflow.apache.org by "Ash Berlin-Taylor (Jira)" <ji...@apache.org> on 2019/12/11 10:30:00 UTC

[jira] [Updated] (AIRFLOW-4176) [security] webui shows password - admin/log/?flt1_extra_contains=conn_password

     [ https://issues.apache.org/jira/browse/AIRFLOW-4176?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ash Berlin-Taylor updated AIRFLOW-4176:
---------------------------------------
    Description: 
First setup hivecli connection:

{{source /home/ec2-user/venv/bin/activate; airflow connections -a --conn_id query_hive --conn_type hive_cli --conn_host domainhere --conn_port 10000 --conn_schema default --conn_extra "{\"use_beeline\":\"true\", \"ssl-options\":\"ssl=true;sslTrustStore=path-${RUNTIME_ENV}.jks;trustStorePassword=${QUERY_JKS_PASW}\"}" --conn_login ${QUERY_HIVE_USER} --conn_password ${QUERY_HIVE_PASW}}}

 

On the webui navigate to domain/admin/log/?flt1_extra_contains=conn_password

and you will be able to see cleartext user and password!

see attachment

  was:
First setup hivecli connection:

{noformat}
source /home/ec2-user/venv/bin/activate; airflow connections -a --conn_id query_hive --conn_type hive_cli --conn_host domainhere --conn_port 10000 --conn_schema default --conn_extra "\{\"use_beeline\":\"true\", \"ssl-options\":\"ssl=true;sslTrustStore=path-${RUNTIME_ENV}.jks;trustStorePassword=${QUERY_JKS_PASW}\"}" --conn_login ${QUERY_HIVE_USER} --conn_password ${QUERY_HIVE_PASW}
{noformat}

 

On the webui navigate to domain/admin/log/?flt1_extra_contains=conn_password

and you will be able to see cleartext user and password!

see attachment


> [security] webui shows password - admin/log/?flt1_extra_contains=conn_password
> ------------------------------------------------------------------------------
>
>                 Key: AIRFLOW-4176
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-4176
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: security, ui
>    Affects Versions: 1.10.2
>            Reporter: t oo
>            Priority: Blocker
>             Fix For: 2.0.0
>
>         Attachments: airf.png
>
>
> First setup hivecli connection:
> {{source /home/ec2-user/venv/bin/activate; airflow connections -a --conn_id query_hive --conn_type hive_cli --conn_host domainhere --conn_port 10000 --conn_schema default --conn_extra "{\"use_beeline\":\"true\", \"ssl-options\":\"ssl=true;sslTrustStore=path-${RUNTIME_ENV}.jks;trustStorePassword=${QUERY_JKS_PASW}\"}" --conn_login ${QUERY_HIVE_USER} --conn_password ${QUERY_HIVE_PASW}}}
>  
> On the webui navigate to domain/admin/log/?flt1_extra_contains=conn_password
> and you will be able to see cleartext user and password!
> see attachment



--
This message was sent by Atlassian Jira
(v8.3.4#803005)