Posted to issues@hbase.apache.org by "Duo Zhang (Jira)" <ji...@apache.org> on 2022/08/24 07:22:00 UTC

[jira] [Resolved] (HBASE-27320) hide some sensitive configuration information in the UI

     [ https://issues.apache.org/jira/browse/HBASE-27320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Duo Zhang resolved HBASE-27320.
-------------------------------
    Fix Version/s: 2.6.0
                   2.5.1
                   2.4.15
     Hadoop Flags: Reviewed
       Resolution: Fixed

Pushed to branch-2.4+.

Thanks [~frostruan] for contributing!

Please fill in the release note to mention the behavior change.

> hide some sensitive configuration information in the UI
> -------------------------------------------------------
>
>                 Key: HBASE-27320
>                 URL: https://issues.apache.org/jira/browse/HBASE-27320
>             Project: HBase
>          Issue Type: Improvement
>          Components: security, UI
>    Affects Versions: 3.0.0-alpha-3
>            Reporter: ruanhui
>            Assignee: ruanhui
>            Priority: Minor
>             Fix For: 2.6.0, 2.5.1, 3.0.0-alpha-4, 2.4.15
>
>
> In the discussion about how to store the keystore/truststore password securely, [~bbeaudreault] mentioned, and I quote here:
> "I agree that it seems insecure to put it directly into the hbase-site.xml. Another reason is due to the RS UI which (helpfully) can print the entire site configuration. We’d need to make sure the password is excluded from that, but better to remove it from site xml altogether".
> I also felt that some sensitive information was exposed in the UI. For example, if we set superuser in the hbase-site.xml, non-admin users can obtain superuser information and simulate superuser to perform some non-permitted operations on the cluster. So I think maybe we should hide this sensitive information in the UI.
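
The following is an added example, not part of the original message and not HBase's own code: a sketch of masking sensitive values before a site configuration is rendered for display, as the issue asks. The key patterns, the mask string, the sample XML and the property name `example.tls.keystore.password` are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumed patterns for property names whose values must not be displayed.
# A real deployment would make this list configurable and review it.
SENSITIVE_KEY_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"password$", r"secret", r"\.superuser$")
]
MASK = "******"

# Constructed sample in the Hadoop/HBase site-XML layout (not a real cluster config).
SAMPLE_SITE_XML = """<configuration>
  <property><name>hbase.zookeeper.quorum</name><value>zk1,zk2,zk3</value></property>
  <property><name>hbase.superuser</name><value>hbase_admin</value></property>
  <property><name>example.tls.keystore.password</name><value>changeit</value></property>
</configuration>
"""


def is_sensitive(name):
    """Return True if the property name matches any sensitive-key pattern."""
    return any(p.search(name) for p in SENSITIVE_KEY_PATTERNS)


def redact_site_xml(xml_text):
    """Mask sensitive values; return (redacted XML, list of masked property names)."""
    root = ET.fromstring(xml_text)
    masked = []
    for prop in root.iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = prop.find("value")
        if value is not None and is_sensitive(name):
            value.text = MASK  # the original value never reaches the output
            masked.append(name)
    return ET.tostring(root, encoding="unicode"), masked


if __name__ == "__main__":
    redacted, names = redact_site_xml(SAMPLE_SITE_XML)
    print(redacted)
    print("masked:", names)
```

Name-based masking only covers keys the patterns anticipate, which is why the quoted comment prefers keeping the password out of the site XML altogether.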


