You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@accumulo.apache.org by "Billie Rinaldi (JIRA)" <ji...@apache.org> on 2012/05/10 16:47:48 UTC
[jira] [Reopened] (ACCUMULO-489) Input Format puts Base64 encoded
passwords in Configuration, which is world readable
[ https://issues.apache.org/jira/browse/ACCUMULO-489?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Billie Rinaldi reopened ACCUMULO-489:
-------------------------------------
The same is true for OutputFormat, we should fix that too.
> Input Format puts Base64 encoded passwords in Configuration, which is world readable
> ------------------------------------------------------------------------------------
>
> Key: ACCUMULO-489
> URL: https://issues.apache.org/jira/browse/ACCUMULO-489
> Project: Accumulo
> Issue Type: Improvement
> Components: client
> Affects Versions: 1.4.0, 1.3.5
> Reporter: John Vines
> Assignee: John Vines
> Labels: security
> Fix For: 1.5.0, 1.4.1
>
>
> This has been a known issue, but I think it's about time we address it. Whena user sets up a mapreduce, they set their password in the configuration (Base64 encoded). This configuration is world readable, meaning passwords are out there in cleartext. We need a mechanism in place to try to keep this data private.
> In hadoop 0.20.203, the private distributed cache was implemented. Any file placed in the distributed cache which is not world readable/not in folders world executable automatically get placed in the private distributed cache. The protection mechanism is simply being in the tasktracker's local directory under a folder for the user with restricted permissions. This should be adequate for protecting a users Accumulo password. So this should be as simple as checking the set/getPassword functions to utilize this space rather than the configuration.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira