Posted to dev@zeppelin.apache.org by "Supreeth Sharma (JIRA)" <ji...@apache.org> on 2018/03/13 08:31:00 UTC

[jira] [Created] (ZEPPELIN-3323) SSL Passwords are stored in plaintext and world readable in zeppelin-site.xml

Supreeth Sharma created ZEPPELIN-3323:
-----------------------------------------

             Summary: SSL Passwords are stored in plaintext and world readable in zeppelin-site.xml
                 Key: ZEPPELIN-3323
                 URL: https://issues.apache.org/jira/browse/ZEPPELIN-3323
             Project: Zeppelin
          Issue Type: Bug
          Components: zeppelin-server
    Affects Versions: 0.7.3
            Reporter: Supreeth Sharma


'zeppelin.ssl.key.manager.password', 'zeppelin.ssl.keystore.password', 'zeppelin.ssl.truststore.password' are stored as plaintext in zeppelin-site.xml and by default everybody has read permission on this file.

{code}
[root@ctr-e138-1518143905142-88013-01-000003 ~]# ls -ltr /etc/zeppelin/conf/zeppelin-site.xml
-rw-r--r-- 1 zeppelin zeppelin 4090 Mar 11 16:30 /etc/zeppelin/conf/zeppelin-site.xml
{code}

Either we should encrypt these passwords or at least have appropriate file permissions to restrict everyone from reading the password.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
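
An added example, not part of the original report or of Zeppelin's own code: a Python audit that flags a zeppelin-site.xml-style file when any of the three password properties named in the report holds a literal value, and reports whether the file mode lets others or the group read it. It assumes the Hadoop-style <property><name>/<value> layout; the sample XML, its secret, and the function names are constructed for illustration.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

PASSWORD_KEYS = {  # property names quoted in the report
    "zeppelin.ssl.key.manager.password",
    "zeppelin.ssl.keystore.password",
    "zeppelin.ssl.truststore.password",
}

# Constructed sample, not a real configuration.
SAMPLE = """<configuration>
  <property><name>zeppelin.ssl.keystore.password</name><value>constructed-secret</value></property>
  <property><name>zeppelin.ssl.truststore.password</name><value></value></property>
  <property><name>zeppelin.server.port</name><value>8080</value></property>
</configuration>"""

def audit_site_xml(path):
    """Return findings for one Hadoop-style site XML file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    exposed = []
    for prop in ET.parse(path).getroot().iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        if name in PASSWORD_KEYS and value:  # empty value: nothing to leak
            exposed.append(name)
    if not exposed:
        return []
    findings = ["plaintext:" + ",".join(sorted(exposed))]
    if mode & stat.S_IROTH:
        findings.append("world-readable:%04o" % mode)
    elif mode & stat.S_IRGRP:
        findings.append("group-readable:%04o" % mode)
    return findings

def demo():
    """Audit the sample at the reported mode, then again after chmod 600."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "zeppelin-site.xml")
        with open(path, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)  # -rw-r--r--, as in the report's ls output
        before = audit_site_xml(path)
        os.chmod(path, 0o600)  # owner-only
        after = audit_site_xml(path)
    return before, after

if __name__ == "__main__":
    print(demo())
```

After the chmod the plaintext finding remains, which is the report's other point: tightening the mode limits who can read the password but does not remove it from the file.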