ambari-dev mailing list archives

From "Hudson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMBARI-12227) Kerberos Wizard: temporarily stores admin principal / password in browser's local storage
Date Tue, 21 Jul 2015 22:43:05 GMT

    [ https://issues.apache.org/jira/browse/AMBARI-12227?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14635965#comment-14635965 ]

Hudson commented on AMBARI-12227:
---------------------------------

ABORTED: Integrated in Ambari-trunk-Commit #3144 (See [https://builds.apache.org/job/Ambari-trunk-Commit/3144/])
AMBARI-12227. Kerberos Wizard: temporarily stores admin principal / password in browser's local storage (rzang) (rzang: http://git-wip-us.apache.org/repos/asf?p=ambari.git&a=commit&h=7839c973e9581b24a4dea37c1683aec45361b8da)
* ambari-web/app/controllers/wizard.js
* ambari-web/vendor/scripts/lz-string.js
* ambari-web/test/controllers/wizard_test.js


> Kerberos Wizard: temporarily stores admin principal / password in browser's local storage
> -----------------------------------------------------------------------------------------
>
>                 Key: AMBARI-12227
>                 URL: https://issues.apache.org/jira/browse/AMBARI-12227
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-web
>    Affects Versions: 2.0.0
>            Reporter: Richard Zang
>            Assignee: Richard Zang
>            Priority: Critical
>             Fix For: 2.1.1
>
>         Attachments: AMBARI-12227.patch
>
>
> Kerberos admin credentials are stored in the browser's local storage in plain text during the Enable Kerberos Wizard. This is blown away when the user exits the wizard or on log out.
> However, there is a chance for an attacker without proper Ambari credentials to look at the Kerberos credentials. For example, the admin can launch the Enable Kerberos Wizard, enter Kerberos admin credentials on the 2nd page, and go forward. At this point, Kerberos admin credentials are stored in the browser's local storage. If the user walks away from his desk, another user can look in the browser developer tools to find the Kerberos admin principal and password.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
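The failure mode the issue describes is a multi-step wizard that serialises its whole state, credentials included, into `localStorage`, where it is readable in plain text from the developer tools of an unlocked browser. The example below is added here and is not Ambari's code nor the change made in the commit above (the page only lists the files that commit touched; note that lz-string is a string compression library, not an encryption primitive). It contrasts that weak pattern with a hardened store that keeps the secret fields in memory only, persists just the non-sensitive wizard state, and drops the secrets on wizard exit or logout. The field names `kdcAdminPrincipal` and `kdcAdminPassword`, the `wizardState` key and `MemoryStorage` (a constructed stand-in for `window.localStorage` so the code runs under Node) are assumptions for illustration; in a browser, pass `window.localStorage` instead. `findSecretsInStorage` is the kind of check a UI test suite can run to assert that nothing sensitive reached persistent storage.

```javascript
'use strict';

// Constructed stand-in for window.localStorage so the example runs under Node.
// It implements the subset of the Web Storage interface used below.
class MemoryStorage {
  constructor() { this.store = new Map(); }
  getItem(k) { return this.store.has(k) ? this.store.get(k) : null; }
  setItem(k, v) { this.store.set(k, String(v)); }
  removeItem(k) { this.store.delete(k); }
  get length() { return this.store.size; }
  key(i) {
    const keys = Array.from(this.store.keys());
    return i < keys.length ? keys[i] : null;
  }
}

// Assumed names of the fields that must never be persisted.
const SECRET_FIELDS = ['kdcAdminPrincipal', 'kdcAdminPassword'];
const STATE_KEY = 'wizardState'; // assumed storage key

// Weak pattern: the whole wizard state, secrets included, lands in storage
// as plain text and survives page reloads until something removes it.
function saveWizardStateWeak(storage, state) {
  storage.setItem(STATE_KEY, JSON.stringify(state));
}

// Hardened pattern: split the state. Secret fields live only in a variable
// held by this closure and are never serialised; everything else is persisted.
function createWizardStore(storage) {
  let secrets = {};
  return {
    save(state) {
      const persisted = {};
      for (const [k, v] of Object.entries(state)) {
        if (SECRET_FIELDS.includes(k)) secrets[k] = v;
        else persisted[k] = v;
      }
      storage.setItem(STATE_KEY, JSON.stringify(persisted));
    },
    // Secrets are merged back only for the lifetime of this page; a reload
    // loses them, which is the intended trade-off for a credential prompt.
    load() {
      const raw = storage.getItem(STATE_KEY);
      const persisted = raw ? JSON.parse(raw) : {};
      return Object.assign({}, persisted, secrets);
    },
    // Wire this to wizard exit and to logout.
    clear() {
      secrets = {};
      storage.removeItem(STATE_KEY);
    },
  };
}

// Audit helper: report any stored value that contains a secret field name or
// one of the known secret values. Returns an array of "key:what" hits.
function findSecretsInStorage(storage, knownValues = []) {
  const hits = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key) || '';
    for (const f of SECRET_FIELDS) if (value.includes(f)) hits.push(`${key}:${f}`);
    for (const v of knownValues) if (v && value.includes(v)) hits.push(`${key}:value`);
  }
  return hits;
}

// Runs both patterns over constructed sample state and returns the audit results.
function demo() {
  const state = {
    currentStep: 2,
    kdcType: 'mit-kdc',
    kdcAdminPrincipal: 'admin/admin@EXAMPLE.COM',     // constructed sample
    kdcAdminPassword: 'constructed-sample-password',  // constructed sample
  };

  const weak = new MemoryStorage();
  saveWizardStateWeak(weak, state);
  const weakHits = findSecretsInStorage(weak, [state.kdcAdminPassword]);

  const hardened = new MemoryStorage();
  const store = createWizardStore(hardened);
  store.save(state);
  const hardenedHits = findSecretsInStorage(hardened, [state.kdcAdminPassword]);
  const roundTrip = store.load();   // full state is still available in-page
  store.clear();                    // wizard exit / logout
  return { weakHits, hardenedHits, roundTrip, afterClear: store.load() };
}

const result = demo();
console.log('weak pattern hits:    ', result.weakHits);
console.log('hardened pattern hits:', result.hardenedHits);
```

Run under Node to see the weak pattern report three hits (both field names and the password value) and the hardened pattern report none, while `load()` still returns the complete state to the running page until `clear()` is called.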
