Date: Mon, 22 Oct 2012 18:34:14 +0000 (UTC)
From: "Keith Turner (JIRA)"
To: notifications@accumulo.apache.org
Reply-To: jira@apache.org
Message-ID: <1937408951.10992.1350930854507.JavaMail.jiratomcat@arcas>
Subject: [jira] [Updated] (ACCUMULO-489) Input Format puts Base64 encoded passwords in Configuration, which is world readable

     [ https://issues.apache.org/jira/browse/ACCUMULO-489?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Keith Turner updated ACCUMULO-489:
----------------------------------

    Fix Version/s:     (was: 1.5.0)

> Input Format puts Base64 encoded passwords in Configuration, which is world readable
> ------------------------------------------------------------------------------------
>
>                 Key: ACCUMULO-489
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-489
>             Project: Accumulo
>          Issue Type: Improvement
>          Components: client
>    Affects Versions: 1.4.0, 1.3.5
>            Reporter: John Vines
>            Assignee: John Vines
>              Labels: security
>             Fix For: 1.4.1
>
>
> This has been a known issue, but I think it's about time we address it. When a user sets up a mapreduce, they set their password in the configuration (Base64 encoded). This configuration is world readable, meaning passwords are out there in cleartext. We need a mechanism in place to try to keep this data private.
> In Hadoop 0.20.203, the private distributed cache was implemented. Any file placed in the distributed cache which is not world readable/not in folders world executable automatically gets placed in the private distributed cache. The protection mechanism is simply being in the tasktracker's local directory under a folder for the user with restricted permissions. This should be adequate for protecting a user's Accumulo password. So this should be as simple as checking the set/getPassword functions to utilize this space rather than the configuration.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
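
An added Python example, not code from the issue, Accumulo or Hadoop: it shows that a Base64 value in a readable job configuration decodes straight to the password, and models locally the public/private rule the issue describes (a file is public only if it is world readable and its folders are world executable). The property names, the password and all helper functions are constructed for illustration, and the permission check here runs against the local filesystem as a stand-in for the check Hadoop performs on the job's files.

```python
import base64, os, stat, tempfile
import xml.etree.ElementTree as ET

# Constructed job configuration: property names and password are made up.
JOB_XML = """<configuration>
  <property><name>example.inputformat.username</name><value>analyst</value></property>
  <property><name>example.inputformat.password</name><value>aHVudGVyMg==</value></property>
</configuration>"""

def recover_password(job_xml, key="example.inputformat.password"):
    """What any reader of the configuration can do: Base64 is an encoding, not encryption."""
    for prop in ET.fromstring(job_xml).iter("property"):
        if prop.findtext("name") == key:
            return base64.b64decode(prop.findtext("value")).decode("utf-8")
    return None

def is_public(path, root):
    """Model of the rule in the issue: public only if the file is world readable
    and every folder from the file up to root is world executable."""
    path, root = os.path.realpath(path), os.path.realpath(root)
    if not os.stat(path).st_mode & stat.S_IROTH:
        return False
    parent = os.path.dirname(path)
    while True:
        if not os.stat(parent).st_mode & stat.S_IXOTH:
            return False
        if parent == root or parent == os.path.dirname(parent):
            return True
        parent = os.path.dirname(parent)

def write_private(directory, name, secret):
    """Create the password file owner-only at creation time, so there is no
    window between writing the secret and restricting its permissions."""
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(secret)
    return path

def demo():
    # Stage both variants in a world-executable folder and classify them.
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    leaked = os.path.join(root, "job.xml")
    with open(leaked, "w") as f:
        f.write(JOB_XML)
    os.chmod(leaked, 0o644)  # world readable, like the job configuration
    private = write_private(root, "password", recover_password(JOB_XML))
    return is_public(leaked, root), is_public(private, root)
```

`demo()` returns `(True, False)`: the configuration copy is classified public, while the owner-only password file is not.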