[ https://issues.apache.org/jira/browse/AMBARI-12227?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14609361#comment-14609361 ]
Hadoop QA commented on AMBARI-12227:
------------------------------------

{color:green}+1 overall{color}. Here are the results of testing the latest attachment
  http://issues.apache.org/jira/secure/attachment/12742957/AMBARI-12227.patch
  against trunk revision .

    {color:green}+1 @author{color}. The patch does not contain any @author tags.

    {color:green}+1 tests included{color}. The patch appears to include 1 new or modified test files.

    {color:green}+1 javac{color}. The applied patch does not increase the total number of javac compiler warnings.

    {color:green}+1 release audit{color}. The applied patch does not increase the total number of release audit warnings.

    {color:green}+1 core tests{color}. The patch passed unit tests in .

Test results: https://builds.apache.org/job/Ambari-trunk-test-patch/3325//testReport/
Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/3325//console

This message is automatically generated.

> Kerberos Wizard: temporarily stores admin principal / password in browser's local storage
> -----------------------------------------------------------------------------------------
>
>                 Key: AMBARI-12227
>                 URL: https://issues.apache.org/jira/browse/AMBARI-12227
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-web
>    Affects Versions: 2.0.0
>            Reporter: Richard Zang
>            Assignee: Richard Zang
>            Priority: Critical
>             Fix For: 2.1.1
>
>         Attachments: AMBARI-12227.patch
>
>
> Kerberos admin credentials are stored in the browser's local storage in plain
> text during Enable Kerberos Wizard. This is blown away when the user exits
> the wizard or on log out.
> However, there is a chance for an attacker without proper Ambari
> credentials to look at the Kerberos credentials. For example, the admin can
> launch Enable Kerberos Wizard, enter Kerberos admin credentials on the
> 2nd page, and go forward. At this point, Kerberos admin credentials are
> stored in browser's local storage. If the user walks away from his desk, the
> other user can look in the browser developer tools to find the Kerberos admin
> principal and password.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
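
One way to keep the credentials described in the issue out of persisted wizard state, with a regression check for it. This is an added example, not Ambari code and not the attached patch; the storage key, the field names `admin_principal` / `admin_password`, and every function name are assumptions made for illustration.

```javascript
// Added example, not Ambari code. All names below are hypothetical.
// MemoryStorage stands in for window.localStorage so this runs under Node.
class MemoryStorage {
  constructor() { this.items = new Map(); }
  setItem(key, value) { this.items.set(key, String(value)); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
}

// Assumed field names for the Kerberos admin credentials.
const SENSITIVE_KEYS = new Set(['admin_principal', 'admin_password']);
const STORAGE_KEY = 'KerberosWizard'; // assumed storage key

// Before: the whole wizard state, credentials included, is serialized to storage.
function saveWizardStateNaive(storage, state) {
  storage.setItem(STORAGE_KEY, JSON.stringify(state));
}

// Recursively copy `value`, moving sensitive fields into the in-memory `secrets` map.
function splitSecrets(value, secrets, path = '') {
  if (Array.isArray(value)) {
    return value.map((v, i) => splitSecrets(v, secrets, `${path}[${i}]`));
  }
  if (value === null || typeof value !== 'object') return value;
  const kept = {};
  for (const [k, v] of Object.entries(value)) {
    const p = path ? `${path}.${k}` : k;
    if (SENSITIVE_KEYS.has(k)) secrets.set(p, v);
    else kept[k] = splitSecrets(v, secrets, p);
  }
  return kept;
}

// After: only the non-sensitive remainder reaches storage.
function saveWizardState(storage, secrets, state) {
  storage.setItem(STORAGE_KEY, JSON.stringify(splitSecrets(state, secrets)));
}

// Regression check: which secret values appear in the serialized storage entry.
function leakedValues(storage, secretValues) {
  const raw = storage.getItem(STORAGE_KEY) || '';
  // Compare against the JSON-escaped form, as it would appear inside `raw`.
  return secretValues.filter(s => raw.includes(JSON.stringify(s).slice(1, -1)));
}

// Constructed sample state for wizard step 2.
const sampleState = {
  currentStep: 2,
  kdc: { kdc_host: 'kdc.example.test', admin_principal: 'admin/admin@EXAMPLE.TEST',
         admin_password: 'constructed-pw"1' },
};
```

Because the `secrets` map lives only in page memory, a reload mid-wizard means the credentials have to be entered again.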