kgeisz opened a new pull request, #7545: URL: https://github.com/apache/hbase/pull/7545
https://issues.apache.org/jira/browse/HBASE-29761

This pull request fixes an issue where the HBase UI's Debug Dump feature was still showing sensitive config information, such as passwords. Consider an `hbase-site.xml` file with the following contents:

```xml
<property>
  <name>hbase.zookeeper.property.ssl.trustStore.password</name>
  <value>kevin-zk-pw</value>
</property>
<property>
  <name>ssl.client.truststore.password</name>
  <value>kevin-ssl-truststore-pw</value>
</property>
<property>
  <name>hbase.rpc.tls.truststore.password</name>
  <value>kevin-tls-truststore-pw</value>
</property>
<property>
  <name>ssl.server.keystore.password</name>
  <value>kevin-ssl-keystore-pw</value>
</property>
<property>
  <name>hadoop.security.sensitive-config-keys</name>
  <value>
    secret$
    password$
    hbase\.zookeeper\.property\.ssl\.trustStore\.password$
    ssl.keystore.pass$
    fs.s3a.server-side-encryption.key
    fs.s3a.*.server-side-encryption.key
    fs.s3a.encryption.algorithm
    fs.s3a.encryption.key
    fs.s3a.secret.key
    fs.s3a.*.secret.key
    fs.s3a.session.key
    fs.s3a.*.session.key
    fs.s3a.session.token
    fs.s3a.*.session.token
    fs.azure.account.key.*
    fs.azure.oauth2.*
    fs.adl.oauth2.*
    fs.gs.encryption.*
    fs.gs.proxy.*
    fs.gs.auth.*
    credential$
    oauth.*secret
    oauth.*password
    oauth.*token
    hadoop.security.sensitive-config-keys
  </value>
</property>
```

Here, `hadoop.security.sensitive-config-keys` specifies various regexes for what config property names should have their values redacted. However, before this change, properties such as the ones listed above (`hbase.zookeeper.property.ssl.trustStore.password`, etc.) would still have their sensitive contents present in plain text on the HBase UI's Debug Dump. With this change, these sensitive values are now redacted and replaced with `******`.

The issue was occurring because the wrong `Configuration.writeXml()` method was being called in `MasterDumpServlet` and `RSDumpServlet`.
Before, the method being used resulted in a call chain of `Configuration.writeXml()` methods that eventually led to `ConfigRedactor` being `null`. This change directly calls the `writeXml()` that was at the end of the call chain, which allows the `ConfigRedactor` to be established.

In addition, the unit tests created in this PR reused methods found in `TestMasterStatusPage.java` and `TestRSStatusPage.java`. These common methods have been moved to a new `TestServerHttpUtils.java` to prevent repeated code.
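As an added illustration (not code from the PR, HBase or Hadoop), this Python model shows why a dump written without a redactor exposes the values described above, and gives a check that a dump contains no pattern-matched secret. The sample XML is an abridged, constructed version of the fragment in the description with one non-sensitive property (`hbase.zookeeper.quorum`) added; the function names, the comma/whitespace splitting and the unanchored matching are assumptions of the model.

```python
import re
import xml.etree.ElementTree as ET

REDACTED = "******"  # replacement text reported in the PR description
SENSITIVE_KEYS = "hadoop.security.sensitive-config-keys"

# Constructed sample: abridged from the hbase-site.xml fragment in the PR description.
SAMPLE_SITE_XML = r"""<configuration>
  <property><name>hbase.rpc.tls.truststore.password</name><value>kevin-tls-truststore-pw</value></property>
  <property><name>ssl.server.keystore.password</name><value>kevin-ssl-keystore-pw</value></property>
  <property><name>hbase.zookeeper.quorum</name><value>zk1.example.com</value></property>
  <property><name>hadoop.security.sensitive-config-keys</name><value>
    secret$
    password$
    ssl.keystore.pass$
    fs.s3a.*.secret.key
    hadoop.security.sensitive-config-keys
  </value></property>
</configuration>"""


def load_properties(site_xml):
    """Return {name: value} for every <property> in a *-site.xml document."""
    root = ET.fromstring(site_xml)
    return {p.findtext("name").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}


def build_redactor(props):
    """Compile the patterns listed under hadoop.security.sensitive-config-keys."""
    # Assumption of this model: entries are comma- or whitespace-separated and
    # are applied as unanchored regexes (search) against the property name.
    raw = props.get(SENSITIVE_KEYS, "")
    patterns = [re.compile(p) for p in re.split(r"[,\s]+", raw) if p]
    def redact(name, value):
        return REDACTED if any(p.search(name) for p in patterns) else value
    return redact


def dump(props, redactor=None):
    """Model of a config dump; redactor=None writes every value as-is (fail-open)."""
    return {k: (redactor(k, v) if redactor else v) for k, v in props.items()}


def leaked(props, dumped):
    """Names matched by a sensitive pattern whose value is still verbatim in the dump."""
    redact = build_redactor(props)
    return sorted(k for k, v in props.items()
                  if redact(k, v) == REDACTED and dumped[k] == v)
```

Running `leaked()` against the output of a real dump endpoint turns the same comparison into a regression check for this class of bug.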
