[
https://issues.apache.org/jira/browse/OOZIE-1814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15523147#comment-15523147
]
Hadoop QA commented on OOZIE-1814:
----------------------------------
Testing JIRA OOZIE-1814
Cleaning local git workspace
----------------------------
{color:green}+1 PATCH_APPLIES{color}
{color:green}+1 CLEAN{color}
{color:red}-1 RAW_PATCH_ANALYSIS{color}
. {color:green}+1{color} the patch does not introduce any @author tags
. {color:green}+1{color} the patch does not introduce any tabs
. {color:green}+1{color} the patch does not introduce any trailing spaces
. {color:red}-1{color} the patch contains 11 line(s) longer than 132 characters
. {color:green}+1{color} the patch does adds/modifies 3 testcase(s)
{color:red}-1 RAT{color}
. {color:red}-1{color} the patch seems to introduce 2 new RAT warning(s)
{color:green}+1 JAVADOC{color}
. {color:green}+1{color} the patch does not seem to introduce new Javadoc warnings
{color:green}+1 COMPILE{color}
. {color:green}+1{color} HEAD compiles
. {color:green}+1{color} patch compiles
. {color:green}+1{color} the patch does not seem to introduce new javac warnings
{color:green}+1 BACKWARDS_COMPATIBILITY{color}
. {color:green}+1{color} the patch does not change any JPA Entity/Colum/Basic/Lob/Transient annotations
. {color:green}+1{color} the patch does not modify JPA files
{color:red}-1 TESTS{color}
. Tests run: 1810
. Tests failed: 2
. Tests errors: 1
. The patch failed the following testcases:
. testActionKillCommandActionNumbers(org.apache.oozie.command.coord.TestCoordActionsKillXCommand)
. testCoord_throwException(org.apache.oozie.command.coord.TestCoordChangeXCommand)
{color:green}+1 DISTRO{color}
. {color:green}+1{color} distro tarball builds with the patch
----------------------------
{color:red}*-1 Overall result, please check the reported -1(s)*{color}
The full output of the test-patch run is available at
. https://builds.apache.org/job/oozie-trunk-precommit-build/3331/
> Oozie should mask any passwords in logs and REST interfaces
> -----------------------------------------------------------
>
> Key: OOZIE-1814
> URL: https://issues.apache.org/jira/browse/OOZIE-1814
> Project: Oozie
> Issue Type: Bug
> Affects Versions: trunk
> Reporter: Bowen Zhang
> Assignee: Andras Piros
> Labels: newbie
> Fix For: 4.3.0
>
> Attachments: OOZIE-1814.002.patch, OOZIE-1814.003.patch,
> OOZIE-1814.004.patch, OOZIE-1814.005.patch, oozie-1814.patch
>
>
> The following passwords are currently visible in the instrumentation log, REST
> endpoints, WebUI, and CLI (WebUI and CLI simply call the REST endpoints):
> * {{javax.net.ssl.trustStorePassword}}
> * {{oozie.https.keystore.pass}}
> * {{HADOOP_CREDSTORE_PASSWORD}}
> * {{OOZIE_HTTPS_KEYSTORE_PASSWORD}}
> * {{OOZIE_HTTPS_TRUSTSTORE_PASSWORD}}
> There are a few examples that illustrate password leakage.
> {noformat}
> # grep -i pass /var/log/oozie/oozie-instrumentation.log
> OOZIE_HTTPS_TRUSTSTORE_PASSWORD = password
> javax.net.ssl.trustStorePassword = password
> oozie.https.keystore.pass = password
> HADOOP_CREDSTORE_PASSWORD = password
> OOZIE_HTTPS_KEYSTORE_PASSWORD = password
> CATALINA_OPTS = -Xms603979776 -Xmx603979776
> -XX:+HeapDumpOnOutOfMemoryError
> -XX:HeapDumpPath=/tmp/OOZIE-1_OOZIE-1-OOZIE_SERVER-2e75cc1293d9058eef7250a18f347c43_pid30867.hprof
> -XX:OnOutOfMemoryError=/usr/lib64/cmf/service/common/killparent.sh
> -Doozie.home.dir=/usr/lib/oozie
> -Doozie.config.dir=/var/run/cloudera-scm-agent/process/320-oozie-OOZIE_SERVER
> -Doozie.log.dir=/var/log/oozie
> -Doozie.log.file=oozie-cmf-OOZIE-1-OOZIE_SERVER-nightly-1.gce.cloudera.com.log.out
> -Doozie.config.file=oozie-site.xml -Doozie.log4j.file=log4j.properties
> -Doozie.log4j.reload=10 -Doozie.http.hostname=nightly-1.gce.cloudera.com
> -Doozie.http.port=11000 -Djava.net.preferIPv4Stack=true
> -Doozie.admin.port=11001 -Dderby.stream.error.file=/var/log/oozie/derby.log
> -Doozie.instance.id=nightly-1.gce.cloudera.com
> -Djava.library.path=/usr/lib/hadoop/lib/native -Doozie.https.port=11443
> -Djavax.net.ssl.trustStore=/etc/cdep-ssl-conf/CA_STANDARD/truststore.jks
> -Djavax.net.ssl.trustStorePassword=password
> {noformat}
> Oozie dumps the env vars and Java sys props to the instrumentation log on
> startup.
> {noformat}
> # curl --negotiate -u foo:bar -k
> https://nightly-1.gce.cloudera.com:11443/oozie/v2/admin/os-env | python -m
> json.tool | grep -i pass
> "CATALINA_OPTS": "-Xms603979776 -Xmx603979776 -XX:+HeapDumpOnOutOfMemoryError
> -XX:HeapDumpPath=/tmp/OOZIE-1_OOZIE-1-OOZIE_SERVER-2e75cc1293d9058eef7250a18f347c43_pid30867.hprof
> -XX:OnOutOfMemoryError=/usr/lib64/cmf/service/common/killparent.sh
> -Doozie.home.dir=/usr/lib/oozie
> -Doozie.config.dir=/var/run/cloudera-scm-agent/process/320-oozie-OOZIE_SERVER
> -Doozie.log.dir=/var/log/oozie
> -Doozie.log.file=oozie-cmf-OOZIE-1-OOZIE_SERVER-nightly-1.gce.cloudera.com.log.out
> -Doozie.config.file=oozie-site.xml -Doozie.log4j.file=log4j.properties
> -Doozie.log4j.reload=10 -Doozie.http.hostname=nightly-1.gce.cloudera.com
> -Doozie.http.port=11000 -Djava.net.preferIPv4Stack=true
> -Doozie.admin.port=11001 -Dderby.stream.error.file=/var/log/oozie/derby.log
> -Doozie.instance.id=nightly-1.gce.cloudera.com
> -Djava.library.path=/usr/lib/hadoop/lib/native -Doozie.https.port=11443
> -Djavax.net.ssl.trustStore=/etc/cdep-ssl-conf/CA_STANDARD/truststore.jks
> -Djavax.net.ssl.trustStorePassword=password ",
> "HADOOP_CREDSTORE_PASSWORD": "password",
> "OOZIE_HTTPS_KEYSTORE_PASSWORD": "password",
> "OOZIE_HTTPS_TRUSTSTORE_PASSWORD": "password",
> {noformat}
> {noformat}
> # curl --negotiate -u foo:bar -k
> https://nightly-1.gce.cloudera.com:11443/oozie/v2/admin/java-sys-properties |
> python -m json.tool | grep -i pass
> "javax.net.ssl.trustStorePassword": "password",
> "oozie.https.keystore.pass": "password",
> {noformat}
> The REST API has two endpoints, {{admin/os-env}} and
> {{admin/java-sys-properties}}, which are also available in the Web UI and
> CLI. These expose the env vars and Java sys props too.
> We should mask these like we do for the configuration endpoint.
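An added example, not taken from the OOZIE-1814 patches or from Oozie's code base, of masking applied to the environment and system-property maps before they are logged or returned by `admin/os-env` and `admin/java-sys-properties`. The class name, the `*****` mask and the rule that any name containing `pass` is sensitive are assumptions; the example also covers `-Dname=value` tokens embedded in values such as `CATALINA_OPTS`, which a key-only check would miss.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;

// Added example, not Oozie's implementation. The class name, MASK and the
// "name contains pass" heuristic are assumptions made for illustration.
public class PasswordMaskingExample {
    static final String MASK = "*****";

    // A whitespace-delimited -Dname=value token whose name contains "pass",
    // as found inside CATALINA_OPTS in the report. Quoted values that contain
    // spaces are not handled by this pattern.
    static final Pattern EMBEDDED = Pattern.compile(
            "(?<!\\S)(-D[^\\s=]*pass[^\\s=]*=)\\S+", Pattern.CASE_INSENSITIVE);

    // Returns a masked copy; the caller's map is left untouched.
    static Map<String, String> mask(Map<String, String> props) {
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : props.entrySet()) {
            String key = e.getKey();
            String value = e.getValue();
            if (key.toLowerCase(Locale.ROOT).contains("pass")) {
                // Sensitive name: hide the whole value.
                out.put(key, MASK);
            } else if (value != null) {
                // Other names: hide only embedded -D...pass...=value tokens.
                out.put(key, EMBEDDED.matcher(value).replaceAll("$1" + MASK));
            } else {
                out.put(key, null);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample input modelled on the names shown in the report.
        Map<String, String> sample = new LinkedHashMap<>();
        sample.put("OOZIE_HTTPS_KEYSTORE_PASSWORD", "password");
        sample.put("oozie.https.keystore.pass", "password");
        sample.put("CATALINA_OPTS", "-Xmx603979776 -Doozie.https.port=11443 "
                + "-Djavax.net.ssl.trustStorePassword=password");
        sample.put("oozie.http.port", "11000");
        mask(sample).forEach((k, v) -> System.out.println(k + " = " + v));
    }
}
```

The same `mask` call would need to sit in front of both the startup dump to the instrumentation log and the two REST endpoints, since the Web UI and CLI read from those endpoints.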