ambari-dev mailing list archives

From "Yu Gao (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMBARI-12634) Clear passwords can be seen on Ambari UI service Configs tab via browser developer tool
Date Tue, 04 Aug 2015 17:52:04 GMT

    [ https://issues.apache.org/jira/browse/AMBARI-12634?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14654039#comment-14654039 ]

Yu Gao commented on AMBARI-12634:
---------------------------------

One solution for this issue is to dynamically mask password properties on the server side before
sending them over to its UI/REST client.
   - For GET requests that read service configurations - Ambari server should mask properties
of PASSWORD type to stars (like *******)
   - For PUT/POST requests that modify service configurations - Ambari server replaces the
received stars value for properties of PASSWORD type with the original value saved in DB (with
the current implementation in Ambari, simply removing those masked properties will delete them
from DB as well);
If a PASSWORD property is the one requested to be changed, Ambari will accept the new values
as normal. To protect the newly changed passwords in transit, SSL is one way which is already
supported by Ambari.


> Clear passwords can be seen on Ambari UI service Configs tab via browser developer tool
> ---------------------------------------------------------------------------------------
>
>                 Key: AMBARI-12634
>                 URL: https://issues.apache.org/jira/browse/AMBARI-12634
>             Project: Ambari
>          Issue Type: Improvement
>          Components: ambari-server
>    Affects Versions: 2.1.0
>            Reporter: Yu Gao
>              Labels: security
>
> HTML password type hides passwords with **** on the service Configs page. However, everyone,
> including non-admin users who have Ambari access with READ-ONLY permission, can see the real
> content of the passwords through developer tools, like Firebug in Firefox.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
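
The mask-on-read / restore-on-write round trip proposed in the comment above, as an added example that is not part of the original message and is not Ambari's code. The function names, the `MASK` constant and the sample properties are assumptions made for illustration.

```python
# Added example: names and sample data below are constructed, not Ambari's.
MASK = "*******"  # fixed length, so the mask does not leak password length

def mask_for_read(properties, property_types):
    """Return a copy of a config for GET responses with PASSWORD values masked."""
    return {
        name: MASK if property_types.get(name) == "PASSWORD" else value
        for name, value in properties.items()
    }

def restore_on_write(incoming, stored, property_types):
    """Resolve a PUT/POST payload against the stored config.

    A PASSWORD property that comes back as the mask keeps its stored value;
    any other value is accepted as a password change. Omitted properties stay
    omitted, matching the delete-on-omit behaviour the comment describes.
    """
    resolved = {}
    for name, value in incoming.items():
        if property_types.get(name) == "PASSWORD" and value == MASK:
            if name not in stored:
                # A mask with nothing behind it must never be saved as a password.
                raise ValueError(f"masked value for unknown property: {name}")
            resolved[name] = stored[name]
        else:
            resolved[name] = value
    return resolved

# Constructed sample configuration (hypothetical property names).
TYPES = {"db.password": "PASSWORD"}
STORED = {"db.user": "hive", "db.password": "s3cr3t-constructed"}

if __name__ == "__main__":
    view = mask_for_read(STORED, TYPES)
    print("GET  ->", view)
    view["db.user"] = "hive2"  # client edits a non-secret field only
    print("PUT  ->", restore_on_write(view, STORED, TYPES))
```

With this scheme a password whose real value equals the mask string cannot be set, because the server cannot tell it apart from an unchanged field.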
