Skip to content

AMBARI-25043. Make sure we mask password properties when fetching sensitive Ambari configuration via the API (just like we do it for service configs) #2763

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
smolnar82 merged 2 commits into from
Jan 14, 2019
Merged

AMBARI-25043. Make sure we mask password properties when fetching sensitive Ambari configuration via the API (just like we do it for service configs) #2763

smolnar82 merged 2 commits into from
Jan 14, 2019

Conversation

@smolnar82
Copy link
Contributor

@smolnar82 smolnar82 commented Jan 14, 2019

What changes were proposed in this pull request?

Like I indicated in #2742 the API returned the encrypted form instead of a secret reference (this is what we do for service configs). From now on we are in synch with service configurations.

How was this patch tested?

Running JUnit tests in ambari-server:

[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 28:27 min
[INFO] Finished at: 2019-01-14T12:52:47+01:00
[INFO] Final Memory: 163M/1047M
[INFO] ------------------------------------------------------------------------

Additionally I executed some E2E tests and found that passwords are masked by SECRET:

screen shot 2019-01-14 at 12 13 17 pm

@smolnar82
AMBARI-25043. Make sure we mask password proerties when fetching sens…
6e12cd7 
…itive ambari configuration thru the API (just like we do it for service configs)
@smolnar82 smolnar82 self-assigned this Jan 14, 2019
@smolnar82 smolnar82 requested review from a user, rlevas and zeroflag January 14, 2019 12:06
@asfgit
Copy link

asfgit commented Jan 14, 2019

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/Ambari-Github-PullRequest-Builder/4825/
Test PASSed.

@zeroflag
Copy link
Contributor

zeroflag commented Jan 14, 2019

there are some typos in the PR title

ghost
ghost approved these changes Jan 14, 2019
View reviewed changes
ambari-server/src/main/java/org/apache/ambari/server/utils/SecretReference.java Outdated
}
final Map<String, String> maskedMap = new HashMap<>();
for (Map.Entry<String, String> property : propertyMap.entrySet()) {
String value = property.getKey().toLowerCase().contains(PASSWORD_TEXT) || property.getKey().toLowerCase().contains(PASSWD_TEXT) ? secretPrefix
Copy link

@ghost ghost Jan 14, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We may move property.getKey().toLowerCase() to separate variable to restrict the overall string length

Copy link
Contributor Author

@smolnar82 smolnar82 Jan 14, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

a new private method is added

@smolnar82
AMBARI-25043. Extract out private function to decide if the given pro…
207a265 
…perty is password or not (therefore it should be masked)
@smolnar82 smolnar82 changed the title AMBARI-25043. Make sure we mask password proerties when fetching sensitive Ambari configuration thru the API (just like we do it for service configs) AMBARI-25043. Make sure we mask password properties when fetching sensitive Ambari configuration thru the API (just like we do it for service configs) Jan 14, 2019
@smolnar82 smolnar82 changed the title AMBARI-25043. Make sure we mask password properties when fetching sensitive Ambari configuration thru the API (just like we do it for service configs) AMBARI-25043. Make sure we mask password properties when fetching sensitive Ambari configuration through the API (just like we do it for service configs) Jan 14, 2019
@smolnar82 smolnar82 changed the title AMBARI-25043. Make sure we mask password properties when fetching sensitive Ambari configuration through the API (just like we do it for service configs) AMBARI-25043. Make sure we mask password properties when fetching sensitive Ambari configuration via the API (just like we do it for service configs) Jan 14, 2019
@smolnar82
Copy link
Contributor Author

smolnar82 commented Jan 14, 2019

there are some typos in the PR title

fixed; thanks

@asfgit
Copy link

asfgit commented Jan 14, 2019

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/Ambari-Github-PullRequest-Builder/4826/
Test PASSed.

@smolnar82 smolnar82 merged commit a6aefd1 into apache:trunk Jan 14, 2019
@smolnar82 smolnar82 deleted the AMBARI-25043 branch January 14, 2019 16:08
vishalsuvagia pushed a commit to vishalsuvagia/ambari that referenced this pull request Feb 26, 2019
@smolnar82
AMBARI-25043. Make sure we mask password properties when fetching sen…
62fa866 
…sitive Ambari configuration via the API (just like we do it for service configs) (apache#2763)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rlevas rlevas Awaiting requested review from rlevas

2 more reviewers

@zeroflag zeroflag zeroflag approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@smolnar82 smolnar82

Labels

encryption security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@smolnar82 @asfgit @zeroflag