hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daniel Templeton (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-5549) AMLauncher.createAMContainerLaunchContext() should not log the command to be launched indiscriminately
Date Tue, 30 Aug 2016 16:55:20 GMT

    [ https://issues.apache.org/jira/browse/YARN-5549?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15449515#comment-15449515
] 

Daniel Templeton commented on YARN-5549:
----------------------------------------

I would still argue to keep the config param.  There are many reasons why one would want to
enable debug logging, all of which can cause the leaking of credentials into the logs.  The
point of this JIRA is to secure the application command contents.  Without the config param,
we're only making it a bit more secure, sometimes.

> AMLauncher.createAMContainerLaunchContext() should not log the command to be launched
indiscriminately
> ------------------------------------------------------------------------------------------------------
>
>                 Key: YARN-5549
>                 URL: https://issues.apache.org/jira/browse/YARN-5549
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: resourcemanager
>    Affects Versions: 2.7.2
>            Reporter: Daniel Templeton
>            Assignee: Daniel Templeton
>            Priority: Critical
>         Attachments: YARN-5549.001.patch, YARN-5549.002.patch, YARN-5549.003.patch, YARN-5549.004.patch
>
>
> The command could contain sensitive information, such as keystore passwords or AWS credentials
or other.  Instead of logging it as INFO, we should log it as DEBUG and include a property
to disable logging it at all.  Logging it to a different logger would also be viable and may
create a smaller administrative footprint.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org


Mime
View raw message