You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@oozie.apache.org by "Peter Cseh (JIRA)" <ji...@apache.org> on 2016/09/23 12:26:20 UTC

[jira] [Commented] (OOZIE-1814) Oozie should mask any passwords in logs and REST interfaces

    [ https://issues.apache.org/jira/browse/OOZIE-1814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15516303#comment-15516303 ] 

Peter Cseh commented on OOZIE-1814:
-----------------------------------

Thank you for the patch [~andras.piros]!
Could you extract the regex {noformat}".*[((\\s)+-[D|X][\\w[.\\w]*]*(?i)pass[\\w[.\\w]*]*=)([\\w]+)]+.*"{noformat} into a constant and create a short explanation about what it does in javadoc?


> Oozie should mask any passwords in logs and REST interfaces
> -----------------------------------------------------------
>
>                 Key: OOZIE-1814
>                 URL: https://issues.apache.org/jira/browse/OOZIE-1814
>             Project: Oozie
>          Issue Type: Bug
>    Affects Versions: trunk
>            Reporter: Bowen Zhang
>            Assignee: Andras Piros
>              Labels: newbie
>             Fix For: 4.3.0
>
>         Attachments: OOZIE-1814.002.patch, oozie-1814.patch
>
>
> Following passwords are currently visible in the instrumentation log, REST endpoints, WebUI, and CLI (WebUI and CLI simply call the REST endpoints):
> * {{javax.net.ssl.trustStorePassword}}
> * {{oozie.https.keystore.pass}}
> * {{HADOOP_CREDSTORE_PASSWORD}}
> * {{OOZIE_HTTPS_KEYSTORE_PASSWORD}}
> * {{OOZIE_HTTPS_TRUSTSTORE_PASSWORD}}
> There are a few examples that illustrate password leakage.
> {noformat}
> # grep -i pass /var/log/oozie/oozie-instrumentation.log
>     OOZIE_HTTPS_TRUSTSTORE_PASSWORD = password
>     javax.net.ssl.trustStorePassword = password
>     oozie.https.keystore.pass = password
>     HADOOP_CREDSTORE_PASSWORD = password
>     OOZIE_HTTPS_KEYSTORE_PASSWORD = password
>     CATALINA_OPTS = -Xms603979776 -Xmx603979776 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/tmp/OOZIE-1_OOZIE-1-OOZIE_SERVER-2e75cc1293d9058eef7250a18f347c43_pid30867.hprof -XX:OnOutOfMemoryError=/usr/lib64/cmf/service/common/killparent.sh -Doozie.home.dir=/usr/lib/oozie -Doozie.config.dir=/var/run/cloudera-scm-agent/process/320-oozie-OOZIE_SERVER -Doozie.log.dir=/var/log/oozie -Doozie.log.file=oozie-cmf-OOZIE-1-OOZIE_SERVER-nightly-1.gce.cloudera.com.log.out -Doozie.config.file=oozie-site.xml -Doozie.log4j.file=log4j.properties -Doozie.log4j.reload=10 -Doozie.http.hostname=nightly-1.gce.cloudera.com -Doozie.http.port=11000 -Djava.net.preferIPv4Stack=true -Doozie.admin.port=11001 -Dderby.stream.error.file=/var/log/oozie/derby.log -Doozie.instance.id=nightly-1.gce.cloudera.com -Djava.library.path=/usr/lib/hadoop/lib/native -Doozie.https.port=11443 -Djavax.net.ssl.trustStore=/etc/cdep-ssl-conf/CA_STANDARD/truststore.jks -Djavax.net.ssl.trustStorePassword=password
> {noformat}
> Oozie dumps the env vars and Java sys props to the instrumentation log on startup.
> {noformat}
> # curl --negotiate -u foo:bar -k https://nightly-1.gce.cloudera.com:11443/oozie/v2/admin/os-env | python -m json.tool | grep -i pass
> "CATALINA_OPTS": "-Xms603979776 -Xmx603979776 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/tmp/OOZIE-1_OOZIE-1-OOZIE_SERVER-2e75cc1293d9058eef7250a18f347c43_pid30867.hprof -XX:OnOutOfMemoryError=/usr/lib64/cmf/service/common/killparent.sh -Doozie.home.dir=/usr/lib/oozie -Doozie.config.dir=/var/run/cloudera-scm-agent/process/320-oozie-OOZIE_SERVER -Doozie.log.dir=/var/log/oozie -Doozie.log.file=oozie-cmf-OOZIE-1-OOZIE_SERVER-nightly-1.gce.cloudera.com.log.out -Doozie.config.file=oozie-site.xml -Doozie.log4j.file=log4j.properties -Doozie.log4j.reload=10 -Doozie.http.hostname=nightly-1.gce.cloudera.com -Doozie.http.port=11000 -Djava.net.preferIPv4Stack=true -Doozie.admin.port=11001 -Dderby.stream.error.file=/var/log/oozie/derby.log -Doozie.instance.id=nightly-1.gce.cloudera.com -Djava.library.path=/usr/lib/hadoop/lib/native -Doozie.https.port=11443 -Djavax.net.ssl.trustStore=/etc/cdep-ssl-conf/CA_STANDARD/truststore.jks -Djavax.net.ssl.trustStorePassword=password ",
>     "HADOOP_CREDSTORE_PASSWORD": "password",
>     "OOZIE_HTTPS_KEYSTORE_PASSWORD": "password",
>     "OOZIE_HTTPS_TRUSTSTORE_PASSWORD": "password",
> {noformat}
> {noformat}
> # curl --negotiate -u foo:bar -k https://nightly-1.gce.cloudera.com:11443/oozie/v2/admin/java-sys-properties | python -m json.tool | grep -i pass
>     "javax.net.ssl.trustStorePassword": "password",
>     "oozie.https.keystore.pass": "password",
> {noformat}
> The REST API has two endpoints, {{admin/os-env}} and {{admin/java-sys-properties}}, which are also available in the Web UI and CLI.  These expose the env vars and Java sys props too.
> We should mask these like we do for the configuration endpoint.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)