Skip to content

HDFS-16563. Namenode WebUI prints sensitive information on Token expiry#4241

Merged
steveloughran merged 1 commit intoapache:trunkfrom
prasad-acit:HDFS-16563
Jun 3, 2022
Merged

HDFS-16563. Namenode WebUI prints sensitive information on Token expiry#4241
steveloughran merged 1 commit intoapache:trunkfrom
prasad-acit:HDFS-16563

Conversation

@prasad-acit
Copy link
Contributor

@prasad-acit prasad-acit commented Apr 27, 2022

Description of PR

How was this patch tested?

For code changes:

  • Does the title or this PR starts with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
  • Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
  • If applicable, have you updated the LICENSE, LICENSE-binary, NOTICE-binary files?

@prasad-acit
Copy link
Contributor Author

prasad-acit commented Apr 27, 2022

@hemanthboyina @Hexiaoqiao Can you please review the PR when you get time?

@hemanthboyina
Copy link
Contributor

hemanthboyina commented Apr 28, 2022

thank you @prasad-acit for the PR, looks the test case failures are related, can you have a look once

@Hexiaoqiao
Copy link
Contributor

Hexiaoqiao commented Apr 28, 2022

@prasad-acit Thanks for involving me here. IMO, the key and sensitive information is DelegationKey/Password for DelegationToken, the output message here does not include this information right? So I don't think it it security issue. Do you mind to more information about this output or stack demo? Thanks.

@steveloughran
Copy link
Contributor

steveloughran commented Apr 28, 2022

looks like there are some big assumptions about the nested stack trace coming back. so please restore that change and see what happens

if the issue is that toString leaks a secret, it should be fixed at that level, as it is likely to end up in logs. we don't want any output to expose secrets.

@prasad-acit
Copy link
Contributor Author

prasad-acit commented Apr 28, 2022
edited
Loading

Thanks @hemanthboyina @Hexiaoqiao @steveloughran for the quick review & feedback.

the key and sensitive information is DelegationKey/Password for DelegationToken, the output message here does not include this information right?

Yes, there is no password printed in it. But as per our internal security guidelines displaying the complete Token info is also prohibited. So, suppressed the token from being displayed in the browser.

if the issue is that toString leaks a secret, it should be fixed at that level, as it is likely to end up in logs. we don't want any output to expose secrets.

Logging exception or full stack has no issue in this case. We are trying to avoid the token in the browser and keep the message abstract to the end-user. Here additional information is not necessary which can be avoided in the browser.

Failed tests corrected, please review the changes.

jojochuang
jojochuang reviewed Apr 28, 2022
View reviewed changes
Copy link
Contributor

@jojochuang jojochuang left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It was quite useful to find the root cause of a few token renewal bugs (KMS, YARN.. etc) back in the days. If it doesn't actually expose token secrets, would it make sense to at least log the token id at debug level?

@prasad-acit
Copy link
Contributor Author

prasad-acit commented Apr 29, 2022

Thanks @jojochuang I have added logs with Token Info.
I will consider other error / improvement scenario and analyze further.

@prasad-acit
Copy link
Contributor Author

prasad-acit commented Apr 29, 2022

Javadoc issues are not related.
Checkstyle issue addressed & pushed.

@hadoop-yetus
Copy link

hadoop-yetus commented Apr 29, 2022

💔 -1 overall

Vote Subsystem Runtime Logfile Comment
+0 🆗 reexec 1m 7s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+0 🆗 codespell 0m 2s codespell was not available.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
-1 ❌ test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
_ trunk Compile Tests _
+1 💚 mvninstall 40m 11s trunk passed
+1 💚 compile 25m 6s trunk passed with JDK Ubuntu-11.0.14.1+1-Ubuntu-0ubuntu1.20.04
+1 💚 compile 21m 46s trunk passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07
+1 💚 checkstyle 1m 30s trunk passed
+1 💚 mvnsite 2m 1s trunk passed
-1 ❌ javadoc 1m 37s /branch-javadoc-hadoop-common-project_hadoop-common-jdkUbuntu-11.0.14.1+1-Ubuntu-0ubuntu1.20.04.txt hadoop-common in trunk failed with JDK Ubuntu-11.0.14.1+1-Ubuntu-0ubuntu1.20.04.
+1 💚 javadoc 2m 5s trunk passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07
+1 💚 spotbugs 3m 6s trunk passed
+1 💚 shadedclient 25m 58s branch has no errors when building and testing our client artifacts.
_ Patch Compile Tests _
+1 💚 mvninstall 1m 7s the patch passed
+1 💚 compile 30m 4s the patch passed with JDK Ubuntu-11.0.14.1+1-Ubuntu-0ubuntu1.20.04
+1 💚 javac 30m 4s the patch passed
+1 💚 compile 23m 12s the patch passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07
+1 💚 javac 23m 12s the patch passed
+1 💚 blanks 0m 1s The patch has no blanks issues.
+1 💚 checkstyle 1m 25s the patch passed
+1 💚 mvnsite 2m 0s the patch passed
-1 ❌ javadoc 1m 27s /patch-javadoc-hadoop-common-project_hadoop-common-jdkUbuntu-11.0.14.1+1-Ubuntu-0ubuntu1.20.04.txt hadoop-common in the patch failed with JDK Ubuntu-11.0.14.1+1-Ubuntu-0ubuntu1.20.04.
+1 💚 javadoc 2m 4s the patch passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07
+1 💚 spotbugs 3m 3s the patch passed
+1 💚 shadedclient 25m 37s patch has no errors when building and testing our client artifacts.
_ Other Tests _
+1 💚 unit 18m 11s hadoop-common in the patch passed.
+1 💚 asflicense 1m 17s The patch does not generate ASF License warnings.
234m 26s
Subsystem Report/Notes
Docker ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4241/4/artifact/out/Dockerfile
GITHUB PR #4241
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient spotbugs checkstyle codespell
uname Linux 2b45026f7a30 4.15.0-175-generic #184-Ubuntu SMP Thu Mar 24 17:48:36 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/bin/hadoop.sh
git revision trunk / 7579eafa0498b6a7fa49e10751c92ab4b7c42616
Default Java Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07
Multi-JDK versions /usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.14.1+1-Ubuntu-0ubuntu1.20.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07
Test Results https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4241/4/testReport/
Max. process+thread count 2469 (vs. ulimit of 5500)
modules C: hadoop-common-project/hadoop-common U: hadoop-common-project/hadoop-common
Console output https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4241/4/console
versions git=2.25.1 maven=3.6.3 spotbugs=4.2.2
Powered by Apache Yetus 0.14.0-SNAPSHOT https://yetus.apache.org

This message was automatically generated.

@apache apache deleted a comment from hadoop-yetus May 11, 2022
@apache apache deleted a comment from hadoop-yetus May 11, 2022
@steveloughran
Copy link
Contributor

steveloughran commented May 11, 2022

LGTM; will leave final vote to @jojochuang

@prasad-acit
Copy link
Contributor Author

prasad-acit commented May 24, 2022

Thanks @steveloughran for the review.
@jojochuang can you please review the latest?

@apache apache deleted a comment from hadoop-yetus May 30, 2022
steveloughran
steveloughran requested changes May 30, 2022
View reviewed changes
Copy link
Contributor

@steveloughran steveloughran left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm happy with this; it's logging at info.

one minor change, just switching to the slf4j {} expansion strings. we should do this for all new log entries, -a lot of the existing stuff is a migration from the restricted commong logging api

...n/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java Outdated
Copy link
Contributor

@steveloughran steveloughran May 30, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you use

LOG.info("{}, Token={}", err,  formatTokenId(identifier));

...n/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java Outdated
Copy link
Contributor

@steveloughran steveloughran May 30, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you use

LOG.warn("{}, Token={}", err,  formatTokenId(identifier));

@hadoop-yetus
Copy link

hadoop-yetus commented Jun 2, 2022

💔 -1 overall

Vote Subsystem Runtime Logfile Comment
+0 🆗 reexec 1m 2s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+0 🆗 codespell 0m 0s codespell was not available.
+0 🆗 detsecrets 0m 0s detect-secrets was not available.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
-1 ❌ test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
_ trunk Compile Tests _
+1 💚 mvninstall 40m 1s trunk passed
+1 💚 compile 25m 22s trunk passed with JDK Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1
+1 💚 compile 21m 55s trunk passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07
+1 💚 checkstyle 1m 31s trunk passed
+1 💚 mvnsite 1m 59s trunk passed
+1 💚 javadoc 1m 32s trunk passed with JDK Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1
+1 💚 javadoc 1m 5s trunk passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07
+1 💚 spotbugs 3m 5s trunk passed
+1 💚 shadedclient 26m 14s branch has no errors when building and testing our client artifacts.
_ Patch Compile Tests _
+1 💚 mvninstall 1m 4s the patch passed
+1 💚 compile 24m 27s the patch passed with JDK Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1
+1 💚 javac 24m 27s the patch passed
+1 💚 compile 21m 48s the patch passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07
+1 💚 javac 21m 48s the patch passed
+1 💚 blanks 0m 0s The patch has no blanks issues.
+1 💚 checkstyle 1m 23s the patch passed
+1 💚 mvnsite 1m 57s the patch passed
+1 💚 javadoc 1m 22s the patch passed with JDK Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1
+1 💚 javadoc 1m 5s the patch passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07
+1 💚 spotbugs 3m 2s the patch passed
+1 💚 shadedclient 26m 9s patch has no errors when building and testing our client artifacts.
_ Other Tests _
+1 💚 unit 18m 11s hadoop-common in the patch passed.
+1 💚 asflicense 1m 17s The patch does not generate ASF License warnings.
226m 26s
Subsystem Report/Notes
Docker ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4241/5/artifact/out/Dockerfile
GITHUB PR #4241
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient spotbugs checkstyle codespell detsecrets
uname Linux 3b8faa10beee 4.15.0-175-generic #184-Ubuntu SMP Thu Mar 24 17:48:36 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/bin/hadoop.sh
git revision trunk / 98fe774
Default Java Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07
Multi-JDK versions /usr/lib/jvm/java-11-openjdk-amd64:Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07
Test Results https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4241/5/testReport/
Max. process+thread count 1934 (vs. ulimit of 5500)
modules C: hadoop-common-project/hadoop-common U: hadoop-common-project/hadoop-common
Console output https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4241/5/console
versions git=2.25.1 maven=3.6.3 spotbugs=4.2.2
Powered by Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

steveloughran
steveloughran approved these changes Jun 3, 2022
View reviewed changes
Copy link
Contributor

@steveloughran steveloughran left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1, merging. thanks!

@steveloughran steveloughran merged commit 7bd4ac3 into apache:trunk Jun 3, 2022
asfgit pushed a commit that referenced this pull request Jun 6, 2022
@prasad-acit @steveloughran
HDFS-16563. Namenode WebUI prints sensitive information on Token expi…
0c15daa 
…ry (#4241)

Contributed by Renukaprasad C

Change-Id: I5cd2cec1dd79917f810207821b3bdf4fe1a5d24c
@prasad-acit
Copy link
Contributor Author

prasad-acit commented Jun 7, 2022

Thanks @steveloughran

@slfan1989 slfan1989 mentioned this pull request Jun 18, 2022
Merged
@steveloughran steveloughran mentioned this pull request Jun 20, 2022
Closed
HarshitGupta11 pushed a commit to HarshitGupta11/hadoop that referenced this pull request Nov 28, 2022
@prasad-acit
HDFS-16563. Namenode WebUI prints sensitive information on Token expi…
9a44935 
…ry (apache#4241)


Contributed by Renukaprasad C
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jojochuang jojochuang jojochuang left review comments

@steveloughran steveloughran steveloughran approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@prasad-acit @hemanthboyina @Hexiaoqiao @steveloughran @hadoop-yetus @jojochuang

Comments