[ https://issues.apache.org/jira/browse/OOZIE-2244?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15710141#comment-15710141 ]
Christopher Jackson commented on OOZIE-2244: -------------------------------------------- This change breaks workflows that worked previously. For instance if someone is using the EL replaceAll function and it returns and empty string as a result (which is considered null) the following code fails: {code} if (arg.toLowerCase().contains("password")) {code} This was working previously because at some point the null does get converted to an empty string, but it's after the point in which the args are printed. > Oozie should mask passwords in the logs when logging command arguments > ---------------------------------------------------------------------- > > Key: OOZIE-2244 > URL: https://issues.apache.org/jira/browse/OOZIE-2244 > Project: Oozie > Issue Type: Bug > Affects Versions: 4.1.0, 4.0.1 > Environment: All > Reporter: Venkat Ranganathan > Assignee: Venkat Ranganathan > Priority: Critical > Fix For: 4.3.0 > > Attachments: OOZIE-2244-01.patch, OOZIE-2244-no-prefix.patch > > > Users have complained that oozie logging the password related argument values > in the launcher log is a security hole and want it to be masked in the > output. Even password aliases in keystore are considered to be a security > hole. > The fix is to mask any argument values if option name contains the string > password (which is true for Sqoop). We do this in multiple places, in Sqoop > main, in Launcher Mapper, in JavaMain as well. -- This message was sent by Atlassian JIRA (v6.3.4#6332)