[
https://issues.apache.org/jira/browse/HBASE-27320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Duo Zhang resolved HBASE-27320.
-------------------------------
Fix Version/s: 2.6.0
2.5.1
2.4.15
Hadoop Flags: Reviewed
Resolution: Fixed
Pushed to branch-2.4+.
Thanks [~frostruan] for contributing!
Please fill the release note to mention the behavior change.
> hide some sensitive configuration information in the UI
> -------------------------------------------------------
>
> Key: HBASE-27320
> URL: https://issues.apache.org/jira/browse/HBASE-27320
> Project: HBase
> Issue Type: Improvement
> Components: security, UI
> Affects Versions: 3.0.0-alpha-3
> Reporter: ruanhui
> Assignee: ruanhui
> Priority: Minor
> Fix For: 2.6.0, 2.5.1, 3.0.0-alpha-4, 2.4.15
>
>
> In the discussion about how to store keystore/truststore password securely,
> [~bbeaudreault] mentioned and I quote here
> "I agree that it seems insecure to put it directly into the hbase-site.xml.
> Another reason is due to the RS UI which (helpfully) can print the entire
> site configuration. We’d need to make sure the password is excluded from
> that, but better to remove it from site xml altogether".
> I also felt that some sensitive information was exposed in the UI, for
> example, if we set superuser in the hbase-site.xml, the non-admin users can
> obtain superuser information and simulate superuser to perform some
> non-permitted operations on the cluster. So I think maybe we should hide
> these sensitive information in the UI.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
