mesos-issues mailing list archives

From "Alexander Rojas (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (MESOS-8413) Zookeeper configuration passwords are shown in clear text
Date Mon, 08 Jan 2018 15:46:00 GMT

    [ https://issues.apache.org/jira/browse/MESOS-8413?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16316503#comment-16316503 ]

Alexander Rojas commented on MESOS-8413:
----------------------------------------

After doing some research, I can conclude this is a bug. The other flags which store passwords
({{--credentials}} in master and {{--credential}} and {{--credentials}} in the agent) all
have the behavior where, if a file is given, the file path will be shown instead of
the contents of the file.

I see no reason why {{--zk}} should behave differently.

> Zookeeper configuration passwords are shown in clear text
> ---------------------------------------------------------
>
>                 Key: MESOS-8413
>                 URL: https://issues.apache.org/jira/browse/MESOS-8413
>             Project: Mesos
>          Issue Type: Bug
>          Components: master
>    Affects Versions: 1.4.1
>            Reporter: Alexander Rojas
>              Labels: mesosphere, security
>
> No matter how one configures Mesos, either by passing the ZooKeeper flags in the command line or using a file, as follows:
> {noformat}
> ./bin/mesos-master.sh --work_dir=/tmp/$USER/mesos/master --log_dir=/tmp/$USER/mesos/master/log --zk=zk://${zk_username}:${zk_password}@${zk_addr}/mesos --quorum=1
> {noformat}
> {noformat}
> echo "zk://${zk_username}:${zk_password}@${zk_addr}/mesos" > /tmp/${USER}/mesos/zk_config.txt
> ./bin/mesos-master.sh --work_dir=/tmp/$USER/mesos/master --log_dir=/tmp/$USER/mesos/master/log --zk=/tmp/${USER}/mesos/zk_config.txt
> {noformat}
> both the logs and the results of the {{/flags}} endpoint will resolve to the contents of the flags, i.e.:
> {noformat}
> I0108 10:12:50.387522 28579 master.cpp:458] Flags at startup: --agent_ping_timeout="15secs" --agent_reregister_timeout="10mins" --allocation_interval="1secs" --allocator="HierarchicalDRF" --authenticate_agents="false" --authenticate_frameworks="false" --authenticate_http_frameworks="false" --authenticate_http_readonly="false" --authenticate_http_readwrite="false" --authenticators="crammd5" --authorizers="local" --filter_gpu_resources="true" --framework_sorter="drf" --help="false" --hostname_lookup="true" --http_authenticators="basic" --initialize_driver_logging="true" --log_auto_initialize="true" --log_dir="/tmp/user/mesos/master/log" --logbufsecs="0" --logging_level="INFO" --max_agent_ping_timeouts="5" --max_completed_frameworks="50" --max_completed_tasks_per_framework="1000" --max_unreachable_tasks_per_framework="1000" --port="5050" --quiet="false" --quorum="1" --recovery_agent_removal_limit="100%" --registry="replicated_log" --registry_fetch_timeout="1mins" --registry_gc_interval="15mins" --registry_max_agent_age="2weeks" --registry_max_agent_count="102400" --registry_store_timeout="20secs" --registry_strict="false" --require_agent_domain="false" --root_submissions="true" --user_sorter="drf" --version="false" --webui_dir="/home/user/mesos/build/../src/webui" --work_dir="/tmp/user/mesos/master" --zk="zk://user@passwd:127.0.0.1:2181/mesos" --zk_session_timeout="10secs"
> {noformat}
> {noformat}
> HTTP/1.1 200 OK
> Content-Encoding: gzip
> Content-Length: 591
> Content-Type: application/json
> Date: Mon, 08 Jan 2018 15:12:53 GMT
> {
>     "flags": {
>         "agent_ping_timeout": "15secs",
>         "agent_reregister_timeout": "10mins",
>         "allocation_interval": "1secs",
>         "allocator": "HierarchicalDRF",
>         "authenticate_agents": "false",
>         "authenticate_frameworks": "false",
>         "authenticate_http_frameworks": "false",
>         "authenticate_http_readonly": "false",
>         "authenticate_http_readwrite": "false",
>         "authenticators": "crammd5",
>         "authorizers": "local",
>         "filter_gpu_resources": "true",
>         "framework_sorter": "drf",
>         "help": "false",
>         "hostname_lookup": "true",
>         "http_authenticators": "basic",
>         "initialize_driver_logging": "true",
>         "log_auto_initialize": "true",
>         "log_dir": "/tmp/user/mesos/master/log",
>         "logbufsecs": "0",
>         "logging_level": "INFO",
>         "max_agent_ping_timeouts": "5",
>         "max_completed_frameworks": "50",
>         "max_completed_tasks_per_framework": "1000",
>         "max_unreachable_tasks_per_framework": "1000",
>         "port": "5050",
>         "quiet": "false",
>         "quorum": "1",
>         "recovery_agent_removal_limit": "100%",
>         "registry": "replicated_log",
>         "registry_fetch_timeout": "1mins",
>         "registry_gc_interval": "15mins",
>         "registry_max_agent_age": "2weeks",
>         "registry_max_agent_count": "102400",
>         "registry_store_timeout": "20secs",
>         "registry_strict": "false",
>         "require_agent_domain": "false",
>         "root_submissions": "true",
>         "user_sorter": "drf",
>         "version": "false",
>         "webui_dir": "/home/user/mesos/build/../src/webui",
>         "work_dir": "/tmp/user/mesos/master",
>         "zk": "zk://user@passwd:127.0.0.1:2181/mesos",
>         "zk_session_timeout": "10secs"
>     }
> }
> {noformat}
> Which leads to having no effective way to prevent the passwords from being shown if someone can get their hands on either of the previous methods.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
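
An added example, not part of the original message and not Mesos code: an operator-side check that parses a "Flags at startup" log line or a {{/flags}} response body and reports every flag whose value is a zk:// URL carrying credentials, with the value masked. The function names and the sample inputs (abridged from the output quoted above) are constructed for illustration.

```python
import json
import re

ZK_URL = re.compile(r'zk://[^"\s]+')
FLAG = re.compile(r'--(\w+)="([^"]*)"')

# Constructed samples, abridged from the output quoted in the issue.
SAMPLE_LOG = ('I0108 10:12:50.387522 28579 master.cpp:458] Flags at startup: '
              '--port="5050" --quorum="1" '
              '--zk="zk://user@passwd:127.0.0.1:2181/mesos" '
              '--zk_session_timeout="10secs"')
SAMPLE_BODY = ('{"flags": {"port": "5050", '
               '"zk": "zk://user@passwd:127.0.0.1:2181/mesos"}}')


def redact(value):
    """Mask the authority of every zk:// URL in value that contains '@'."""
    def mask(match):
        rest = match.group(0)[len("zk://"):]
        if "@" not in rest:
            return match.group(0)  # no userinfo, nothing to hide
        # Keep only the znode path after the last '@'. The host list is
        # dropped too, because malformed values make the split ambiguous.
        tail = rest.rsplit("@", 1)[1]
        path = tail[tail.index("/"):] if "/" in tail else ""
        return "zk://<redacted>" + path
    return ZK_URL.sub(mask, value)


def exposed_flags(flags):
    """Return {flag: masked value} for flags that expose zk credentials."""
    return {name: redact(val) for name, val in flags.items()
            if isinstance(val, str) and redact(val) != val}


def flags_from_log(line):
    """Parse a 'Flags at startup:' log line into a {flag: value} dict."""
    _, _, tail = line.partition("Flags at startup:")
    return dict(FLAG.findall(tail))


def flags_from_endpoint(body):
    """Parse the JSON body returned by the /flags endpoint."""
    return json.loads(body)["flags"]


if __name__ == "__main__":
    print(exposed_flags(flags_from_log(SAMPLE_LOG)))
    print(exposed_flags(flags_from_endpoint(SAMPLE_BODY)))
```

A flag value that is only a file path, or a zk:// URL without userinfo, is not reported.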
