[jira] [Commented] (HBASE-27320) hide some sensitive configuration information in the UI

Wed, 24 Aug 2022 17:51:20 -0700 


    [ 
https://issues.apache.org/jira/browse/HBASE-27320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17584525#comment-17584525
 ] 

Hudson commented on HBASE-27320:
--------------------------------

Results for branch master
        [build #665 on 
builds.a.o|https://ci-hbase.apache.org/job/HBase%20Nightly/job/master/665/]: 
(x) *{color:red}-1 overall{color}*
----
details (if available):

(/) {color:green}+1 general checks{color}
-- For more information [see general 
report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/master/665/General_20Nightly_20Build_20Report/]




(/) {color:green}+1 jdk8 hadoop3 checks{color}
-- For more information [see jdk8 (hadoop3) 
report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/master/665/JDK8_20Nightly_20Build_20Report_20_28Hadoop3_29/]


(x) {color:red}-1 jdk11 hadoop3 checks{color}
-- For more information [see jdk11 
report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/master/665/JDK11_20Nightly_20Build_20Report_20_28Hadoop3_29/]


(/) {color:green}+1 source release artifact{color}
-- See build output for details.


(/) {color:green}+1 client integration test{color}


> hide some sensitive configuration information in the UI
> -------------------------------------------------------
>
>                 Key: HBASE-27320
>                 URL: https://issues.apache.org/jira/browse/HBASE-27320
>             Project: HBase
>          Issue Type: Improvement
>          Components: security, UI
>    Affects Versions: 3.0.0-alpha-3
>            Reporter: ruanhui
>            Assignee: ruanhui
>            Priority: Minor
>             Fix For: 2.6.0, 2.5.1, 3.0.0-alpha-4, 2.4.15
>
>
> In the discussion about how to store keystore/truststore password securely, 
> [~bbeaudreault]  mentioned and I quote here
> "I agree that it seems insecure to put it directly into the hbase-site.xml. 
> Another reason is due to the RS UI which (helpfully) can print the entire 
> site configuration. We’d need to make sure the password is excluded from 
> that, but better to remove it from site xml altogether".
> I also felt that some sensitive information was exposed in the UI, for 
> example, if we set superuser in the hbase-site.xml, the non-admin users can 
> obtain superuser information and simulate superuser to perform some 
> non-permitted operations on the cluster. So I think maybe we should hide 
> these sensitive information in the UI.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to