drill-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DRILL-6189) Security: passwords logging and file permisions
Date Thu, 01 Mar 2018 14:43:00 GMT

    [ https://issues.apache.org/jira/browse/DRILL-6189?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16382078#comment-16382078 ]

ASF GitHub Bot commented on DRILL-6189:
---------------------------------------

Github user vladimirtkach commented on a diff in the pull request:

    https://github.com/apache/drill/pull/1139#discussion_r171579096
  
    --- Diff: contrib/storage-jdbc/src/main/java/org/apache/drill/exec/store/jdbc/JdbcStorageConfig.java
---
    @@ -17,13 +17,15 @@
      */
     package org.apache.drill.exec.store.jdbc;
     
    +import com.fasterxml.jackson.annotation.JsonFilter;
     import org.apache.drill.common.logical.StoragePluginConfig;
     
     import com.fasterxml.jackson.annotation.JsonCreator;
     import com.fasterxml.jackson.annotation.JsonProperty;
     import com.fasterxml.jackson.annotation.JsonTypeName;
     
     @JsonTypeName(JdbcStorageConfig.NAME)
    +@JsonFilter("passwordFilter")
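Review bot: The class-level @JsonFilter("passwordFilter") on the last added line applies to every Jackson serialization of JdbcStorageConfig, not only to logging, so any ObjectMapper or ObjectWriter that has no FilterProvider registered for the id "passwordFilter" will fail to serialize this config. Please confirm that every code path that writes this class is given a provider, and that any path that persists the config uses one that keeps all properties, so the password is not silently dropped from the stored copy. The id is a bare string literal here; a shared constant would keep the annotation and the provider registration from drifting apart. Minor: the new JsonFilter import sits above the org.apache.drill import, apart from the other com.fasterxml.jackson.annotation imports; group it with them.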
    --- End diff --
    
    To apply filter:
    1) Mark the entity with you want to filter out fields from.
    2) Create a filter provider and register a property filter with reference to your entity.
    3) When creating the ObjectWriter, pass your filter provider.
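
The three steps listed above, as an added Java example that is not part of the pull request or the Drill code base. `DemoJdbcConfig`, its field names and the two provider names are hypothetical; only the filter id `passwordFilter` comes from the diff, and jackson-databind 2.x is assumed on the classpath.

```java
import com.fasterxml.jackson.annotation.JsonFilter;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ser.FilterProvider;
import com.fasterxml.jackson.databind.ser.impl.SimpleBeanPropertyFilter;
import com.fasterxml.jackson.databind.ser.impl.SimpleFilterProvider;

public class PasswordFilterDemo {
  static final String FILTER_ID = "passwordFilter"; // id used in the diff above

  // Step 1: mark the entity. Hypothetical stand-in for JdbcStorageConfig;
  // the field names are assumptions, not taken from the Drill source.
  @JsonFilter(FILTER_ID)
  public static class DemoJdbcConfig {
    public String url = "jdbc:example://db.invalid/sales"; // constructed value
    public String username = "report_user";                // constructed value
    public String password = "not-a-real-password";        // constructed value
  }

  public static void main(String[] args) throws Exception {
    ObjectMapper mapper = new ObjectMapper();
    DemoJdbcConfig config = new DemoJdbcConfig();

    // Step 2: filter provider for log output, dropping only "password".
    FilterProvider forLogs = new SimpleFilterProvider()
        .addFilter(FILTER_ID, SimpleBeanPropertyFilter.serializeAllExcept("password"));
    // Provider for persistence: same id, but every property is kept.
    FilterProvider forStorage = new SimpleFilterProvider()
        .addFilter(FILTER_ID, SimpleBeanPropertyFilter.serializeAll());

    // Step 3: pass the provider when creating the ObjectWriter.
    String logged = mapper.writer(forLogs).writeValueAsString(config);
    String stored = mapper.writer(forStorage).writeValueAsString(config);
    System.out.println("log view:    " + logged);
    System.out.println("stored view: " + stored);
    if (logged.contains(config.password) || !stored.contains(config.password)) {
      throw new IllegalStateException("filter wiring is wrong");
    }

    // Failure mode: the annotation alone is not enough. A writer with no
    // provider for FILTER_ID refuses to serialize the annotated class.
    try {
      mapper.writeValueAsString(config);
      throw new IllegalStateException("expected a missing-filter error");
    } catch (JsonMappingException e) {
      System.out.println("no provider: " + e.getOriginalMessage());
    }
  }
}
```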


> Security: passwords logging and file permisions
> -----------------------------------------------
>
>                 Key: DRILL-6189
>                 URL: https://issues.apache.org/jira/browse/DRILL-6189
>             Project: Apache Drill
>          Issue Type: Bug
>    Affects Versions: 1.12.0
>            Reporter: Volodymyr Tkach
>            Assignee: Volodymyr Tkach
>            Priority: Major
>
> *Prerequisites:*
>  *1.* Log level is set to "all" in the conf/logback.xml:
> {code:xml}
> <logger name="org.apache.drill" additivity="false">
>     <level value="all" />
>     <appender-ref ref="FILE" />
> </logger>
> {code}
> *2.* PLAIN authentication mechanism is configured:
> {code:java}
>   security.user.auth: {
> 	enabled: true,
> 	packages += "org.apache.drill.exec.rpc.user.security",
> 	impl: "pam",
> 	pam_profiles: [ "sudo", "login" ]
>   }
> {code}
> *Steps:*
>  *1.* Start the drillbits
>  *2.* Connect by sqlline:
> {noformat}
> /opt/mapr/drill/drill-1.13.0/bin/sqlline -u "jdbc:drill:zk=node1:5181;" -n user1 -p 1111
> {noformat}
> *Expected result:* Logs shouldn't contain clear-text passwords
> *Actual results:* During drillbit startup or when establishing connections via JDBC or ODBC, the following lines appear in the drillbit.log:
> {noformat}
> properties {
>     key: "password"
>     value: "1111"
> }
> {noformat}
> The same thing happens with storage configuration data: everything, including passwords, is being logged to file.
> *Another issue:*
> Currently Drill config files have the permissions 0644:
> {noformat}
> -rw-r--r--. 1 mapr mapr 1081 Nov 16 14:42 core-site-example.xml
> -rwxr-xr-x. 1 mapr mapr 1807 Dec 19 11:55 distrib-env.sh
> -rw-r--r--. 1 mapr mapr 1424 Nov 16 14:42 distrib-env.sh.prejmx
> -rw-r--r--. 1 mapr mapr 1942 Nov 16 14:42 drill-am-log.xml
> -rw-r--r--. 1 mapr mapr 1279 Dec 19 11:55 drill-distrib.conf
> -rw-r--r--. 1 mapr mapr  117 Nov 16 14:50 drill-distrib-mem-qs.conf
> -rw-r--r--. 1 mapr mapr 6016 Nov 16 14:42 drill-env.sh
> -rw-r--r--. 1 mapr mapr 1855 Nov 16 14:50 drill-on-yarn.conf
> -rw-r--r--. 1 mapr mapr 6913 Nov 16 14:42 drill-on-yarn-example.conf
> -rw-r--r--. 1 mapr mapr 1135 Dec 19 11:55 drill-override.conf
> -rw-r--r--. 1 mapr mapr 7820 Nov 16 14:42 drill-override-example.conf
> -rw-r--r--. 1 mapr mapr 3136 Nov 16 14:42 logback.xml
> -rw-r--r--. 1 mapr mapr  668 Nov 16 14:51 warden.drill-bits.conf
> -rw-r--r--. 1 mapr mapr 1581 Nov 16 14:42 yarn-client-log.xml
> {noformat}
> As they may contain some sensitive information, like passwords or secret keys, they cannot be viewable by everyone. So I suggest reducing the permissions to at least 0640.
>  
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
