[ https://issues.apache.org/jira/browse/MESOS-8413?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16322039#comment-16322039 ]
Alexander Rojas commented on MESOS-8413: ---------------------------------------- [r/65090/|https://reviews.apache.org/r/65090/]: Added specific flag loader for zookeeper urls preventing password leaks. > Zookeeper configuration passwords are shown in clear text > --------------------------------------------------------- > > Key: MESOS-8413 > URL: https://issues.apache.org/jira/browse/MESOS-8413 > Project: Mesos > Issue Type: Bug > Components: master > Affects Versions: 1.4.1 > Reporter: Alexander Rojas > Assignee: Alexander Rojas > Labels: mesosphere, security > > No matter how one configures Mesos, either by passing the ZooKeeper flags in > the command line or using a file, as follows: > {noformat} > ./bin/mesos-master.sh --work_dir=/tmp/$USER/mesos/master > --log_dir=/tmp/$USER/mesos/master/log > --zk=zk://${zk_username}:${zk_password}@${zk_addr}/mesos --quorum=1 > {noformat} > {noformat} > echo "zk://${zk_username}:${zk_password}@${zk_addr}/mesos" > > /tmp/${USER}/mesos/zk_config.txt > ./bin/mesos-master.sh --work_dir=/tmp/$USER/mesos/master > --log_dir=/tmp/$USER/mesos/master/log --zk=/tmp/${USER}/mesos/zk_config.txt > {noformat} > both the startup log and the response of the {{/flags}} endpoint show the > resolved flag values, including the ZooKeeper credentials, i.e.: > {noformat} > I0108 10:12:50.387522 28579 master.cpp:458] Flags at startup: > --agent_ping_timeout="15secs" --agent_reregister_timeout="10mins" > --allocation_interval="1secs" --allocator="HierarchicalDRF" > --authenticate_agents="false" --authenticate_frameworks="false" > --authenticate_http_frameworks="false" --authenticate_http_readonly="false" > --authenticate_http_readwrite="false" --authenticators="crammd5" > --authorizers="local" --filter_gpu_resources="true" --framework_sorter="drf" > --help="false" --hostname_lookup="true" --http_authenticators="basic" > --initialize_driver_logging="true" --log_auto_initialize="true" > --log_dir="/tmp/user/mesos/master/log" --logbufsecs="0" > --logging_level="INFO" 
--max_agent_ping_timeouts="5" > --max_completed_frameworks="50" --max_completed_tasks_per_framework="1000" > --max_unreachable_tasks_per_framework="1000" --port="5050" --quiet="false" > --quorum="1" --recovery_agent_removal_limit="100%" > --registry="replicated_log" --registry_fetch_timeout="1mins" > --registry_gc_interval="15mins" --registry_max_agent_age="2weeks" > --registry_max_agent_count="102400" --registry_store_timeout="20secs" > --registry_strict="false" --require_agent_domain="false" > --root_submissions="true" --user_sorter="drf" --version="false" > --webui_dir="/home/user/mesos/build/../src/webui" > --work_dir="/tmp/user/mesos/master" > --zk="zk://user@passwd:127.0.0.1:2181/mesos" --zk_session_timeout="10secs" > {noformat} > {noformat} > HTTP/1.1 200 OK > Content-Encoding: gzip > Content-Length: 591 > Content-Type: application/json > Date: Mon, 08 Jan 2018 15:12:53 GMT > { > "flags": { > "agent_ping_timeout": "15secs", > "agent_reregister_timeout": "10mins", > "allocation_interval": "1secs", > "allocator": "HierarchicalDRF", > "authenticate_agents": "false", > "authenticate_frameworks": "false", > "authenticate_http_frameworks": "false", > "authenticate_http_readonly": "false", > "authenticate_http_readwrite": "false", > "authenticators": "crammd5", > "authorizers": "local", > "filter_gpu_resources": "true", > "framework_sorter": "drf", > "help": "false", > "hostname_lookup": "true", > "http_authenticators": "basic", > "initialize_driver_logging": "true", > "log_auto_initialize": "true", > "log_dir": "/tmp/user/mesos/master/log", > "logbufsecs": "0", > "logging_level": "INFO", > "max_agent_ping_timeouts": "5", > "max_completed_frameworks": "50", > "max_completed_tasks_per_framework": "1000", > "max_unreachable_tasks_per_framework": "1000", > "port": "5050", > "quiet": "false", > "quorum": "1", > "recovery_agent_removal_limit": "100%", > "registry": "replicated_log", > "registry_fetch_timeout": "1mins", > "registry_gc_interval": "15mins", > 
"registry_max_agent_age": "2weeks", > "registry_max_agent_count": "102400", > "registry_store_timeout": "20secs", > "registry_strict": "false", > "require_agent_domain": "false", > "root_submissions": "true", > "user_sorter": "drf", > "version": "false", > "webui_dir": "/home/user/mesos/build/../src/webui", > "work_dir": "/tmp/user/mesos/master", > "zk": "zk://user@passwd:127.0.0.1:2181/mesos", > "zk_session_timeout": "10secs" > } > } > {noformat} > As a result, there is no effective way to prevent the passwords from being > shown to anyone who can get access to either the logs or the {{/flags}} endpoint. -- This message was sent by Atlassian JIRA (v6.4.14#64029)