ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Richard Zang (JIRA)" <j...@apache.org>
Subject [jira] [Created] (AMBARI-12227) Kerberos Wizard: temporarily stores admin principal / password in browser's local storage
Date Tue, 30 Jun 2015 22:25:04 GMT
Richard Zang created AMBARI-12227:
-------------------------------------

             Summary: Kerberos Wizard: temporarily stores admin principal / password in browser's
local storage
                 Key: AMBARI-12227
                 URL: https://issues.apache.org/jira/browse/AMBARI-12227
             Project: Ambari
          Issue Type: Bug
          Components: ambari-web
    Affects Versions: 2.0.0
            Reporter: Richard Zang
            Assignee: Richard Zang
            Priority: Critical
             Fix For: 2.1.1


Kerberos admin credentials are stored in the browser's local storage in plain text during
Enable Kerberos Wizard. This is blown away when the user exits the wizard or on log out.
However, if there is a chance for an attacker without proper Ambari credentials to look at
the Kerberos credentials. For example, the admin can launch Enable Kerberos Wizard and enters
Kerberos admin credentials on the 2nd page, and goes forward. At this point, Kerberos admin
crendentials are stored in browser's local storage. If the user walks away from his desk,
the other user can look in the browser developer tools to find the Kerberos admin principal
and password.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message