[
https://issues.apache.org/jira/browse/HADOOP-13494?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andrew Wang updated HADOOP-13494:
---------------------------------
Fix Version/s: 3.0.0-alpha2
2.8.0
I've committed this to trunk, branch-2, branch-2.8, but beyond that there are
significant conflicts due in part to some missing ReconfigurableBase changes. I
took a look at backporting these, but it seems hard.
Sean, do you mind preparing separate patches for branch-2.7 and branch-2.6?
Thanks.
> ReconfigurableBase can log sensitive information
> ------------------------------------------------
>
> Key: HADOOP-13494
> URL: https://issues.apache.org/jira/browse/HADOOP-13494
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.2.0
> Reporter: Sean Mackrory
> Assignee: Sean Mackrory
> Fix For: 2.8.0, 3.0.0-alpha2
>
> Attachments: HADOOP-13494.001.patch, HADOOP-13494.002.patch,
> HADOOP-13494.003.patch, HADOOP-13494.004.patch
>
>
> ReconfigurableBase will log old and new configuration values, which may cause
> sensitive parameters (most notably cloud storage keys, though there may be
> other instances) to get included in the logs.
> Given the currently small list of reconfigurable properties, an argument
> could be made for simply not logging the property values at all, but this is
> not the only instance where potentially sensitive configuration gets written
> somewhere else in plaintext. I think a generic mechanism for redacting
> sensitive information for textual display will be useful to some of the web
> UIs too.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
