[jira] [Updated] (HBASE-27320) hide some sensitive configuration information in the UI

2022-08-24 Thread ruanhui (Jira)


[ https://issues.apache.org/jira/browse/HBASE-27320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

ruanhui updated HBASE-27320:

Release Note: hide superuser and password related settings in the configuration UI

> hide some sensitive configuration information in the UI
> ---
>
> Key: HBASE-27320
> URL: https://issues.apache.org/jira/browse/HBASE-27320
> Project: HBase
> Issue Type: Improvement
> Components: security, UI
> Affects Versions: 3.0.0-alpha-3
> Reporter: ruanhui
> Assignee: ruanhui
> Priority: Minor
> Fix For: 2.6.0, 2.5.1, 3.0.0-alpha-4, 2.4.15
>
>
> In the discussion about how to store keystore/truststore password securely, 
> [~bbeaudreault] mentioned and I quote here
> "I agree that it seems insecure to put it directly into the hbase-site.xml. 
> Another reason is due to the RS UI which (helpfully) can print the entire 
> site configuration. We’d need to make sure the password is excluded from 
> that, but better to remove it from site xml altogether".
> I also felt that some sensitive information was exposed in the UI, for 
> example, if we set superuser in the hbase-site.xml, the non-admin users can 
> obtain superuser information and simulate superuser to perform some 
> non-permitted operations on the cluster. So I think maybe we should hide 
> this sensitive information in the UI.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
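A sketch of the kind of masking the release note describes, added here as an example; it is not HBase's patch or code from this thread. The key patterns, the mask string and the sample file are assumptions made for the illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: patterns picked for this example, not HBase's actual list.
SENSITIVE_KEY = re.compile(r"(password|passwd|secret|superuser)", re.IGNORECASE)
MASK = "******"

# Constructed sample in hbase-site.xml layout; all values are made up.
SAMPLE_SITE_XML = """<?xml version="1.0"?>
<configuration>
  <property><name>hbase.superuser</name><value>hbase,@admins</value></property>
  <property><name>ssl.server.keystore.password</name><value>changeit</value></property>
  <property><name>hbase.zookeeper.quorum</name><value>zk1,zk2,zk3</value></property>
  <property><name>example.custom.Secret.token</name><value>abc123</value></property>
</configuration>
"""

def redact_site_xml(xml_text, pattern=SENSITIVE_KEY, mask=MASK):
    """Return (rendered_xml, redacted_keys) with sensitive values masked."""
    root = ET.fromstring(xml_text)
    redacted = []
    for prop in root.iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = prop.find("value")
        # Mask by key name so the dump still shows that the key is set.
        if name and value is not None and pattern.search(name):
            value.text = mask
            redacted.append(name)
    return ET.tostring(root, encoding="unicode"), redacted

def leaked_values(original_xml, rendered_xml, pattern=SENSITIVE_KEY):
    """Regression check: sensitive keys whose real value survives in a dump."""
    leaks = []
    for prop in ET.fromstring(original_xml).iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        if pattern.search(name) and value and value in rendered_xml:
            leaks.append(name)
    return leaks

if __name__ == "__main__":
    rendered, keys = redact_site_xml(SAMPLE_SITE_XML)
    print(rendered)
    print("masked:", keys)
    print("still leaking:", leaked_values(SAMPLE_SITE_XML, rendered))
```

The `leaked_values` check can be run against whatever a configuration page actually returns, to confirm that no masked value reaches the response.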


[jira] [Updated] (HBASE-27320) hide some sensitive configuration information in the UI

2022-08-24 Thread Duo Zhang (Jira)


[ https://issues.apache.org/jira/browse/HBASE-27320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Duo Zhang updated HBASE-27320:
Component/s: security

> hide some sensitive configuration information in the UI
> ---
>
> Key: HBASE-27320
> URL: https://issues.apache.org/jira/browse/HBASE-27320
> Project: HBase
> Issue Type: Improvement
> Components: security, UI
> Affects Versions: 3.0.0-alpha-3
> Reporter: ruanhui
> Assignee: ruanhui
> Priority: Minor
> Fix For: 3.0.0-alpha-4


