[jira] [Commented] (GEODE-2119) gfsh user and password visible in clear text

Fri, 09 Dec 2016 15:13:27 -0800 

    [ 
https://issues.apache.org/jira/browse/GEODE-2119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15736631#comment-15736631
 ] 

ASF GitHub Bot commented on GEODE-2119:
---------------------------------------

Github user jaredjstewart commented on a diff in the pull request:

    https://github.com/apache/geode/pull/311#discussion_r91813763
  
    --- Diff: 
geode-core/src/main/java/org/apache/geode/distributed/AbstractLauncher.java ---
    @@ -668,13 +747,45 @@ public String getJavaVersion() {
          * 
          * @return a List of String value each representing an argument passed 
to the JVM of the GemFire
          *         service.
    +     *
          * @see java.lang.management.RuntimeMXBean#getInputArguments()
          */
         public List<String> getJvmArguments() {
           return jvmArguments;
         }
     
         /**
    +     * Gets the arguments passed to the JVM process that is running the 
GemFire service.
    +     * 
    +     * @return a List of String value each representing an argument passed 
to the JVM of the GemFire
    +     *         service.
    +     *
    +     * @see java.lang.management.RuntimeMXBean#getInputArguments()
    +     */
    +    public List<String> getRedactedJvmArguments() {
    --- End diff --
    
    This method does essentially the same thing as `Gfsh#getRedactedCmdlet`.  I 
think extracting this logic into a method of a small LogRedactor class which 
you can call from both places might clean things up a bit.


> gfsh user and password visible in clear text
> --------------------------------------------
>
>                 Key: GEODE-2119
>                 URL: https://issues.apache.org/jira/browse/GEODE-2119
>             Project: Geode
>          Issue Type: Bug
>          Components: gfsh
>            Reporter: Karen Smoler Miller
>            Assignee: Kevin Duling
>
> Both gfsh connect and gfsh start server allow the specification on the 
> command line of a user name and a password for use as credentials in 
> authentication.  Clear text versions of the user name and password are then 
> visible
> 1. if the user runs gfsh history
> 2. in historyfile, if the user runs gfsh history --file=historyfile
> 3. in the output of ps
> It would be worth a check to see if clear text versions of the user or 
> password end up in any locator or server logs.  I don't believe it does for 
> gfsh connect, but it might for the start server case.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to