DRILL-6189: Security: passwords logging and file permissions 1. Overrode serialization methods for instances with passwords 2. Changed file permissions for configuration files
closes #1139
Project: http://git-wip-us.apache.org/repos/asf/drill/repo
Commit: http://git-wip-us.apache.org/repos/asf/drill/commit/863ff0bc
Tree: http://git-wip-us.apache.org/repos/asf/drill/tree/863ff0bc
Diff: http://git-wip-us.apache.org/repos/asf/drill/diff/863ff0bc
Branch: refs/heads/master
Commit: 863ff0bcff1ee01df292277194e0fee25dbe3460
Parents: f2ac874
Author: Vladimir Tkach <vovatkac...@gmail.com>
Authored: Wed Feb 28 19:13:51 2018 +0200
Committer: Arina Ielchiieva <arina.yelchiy...@gmail.com>
Committed: Sun Mar 4 17:45:40 2018 +0200
----------------------------------------------------------------------
 .../exec/store/jdbc/JdbcStorageConfig.java | 2 +
 distribution/src/assemble/bin.xml | 12 ++++--
 distribution/src/resources/distrib-env.sh | 0
 distribution/src/resources/drill-env.sh | 0
 .../planner/sql/handlers/DefaultSqlHandler.java | 8 +++-
 .../apache/drill/exec/rpc/user/UserServer.java | 40 +++++++++++++++++++-
 .../common/config/LogicalPlanPersistence.java | 2 +
 7 files changed, 57 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/drill/blob/863ff0bc/contrib/storage-jdbc/src/main/java/org/apache/drill/exec/store/jdbc/JdbcStorageConfig.java
----------------------------------------------------------------------
diff --git a/contrib/storage-jdbc/src/main/java/org/apache/drill/exec/store/jdbc/JdbcStorageConfig.java b/contrib/storage-jdbc/src/main/java/org/apache/drill/exec/store/jdbc/JdbcStorageConfig.java
index 5a921d4..15eb675 100755
--- a/contrib/storage-jdbc/src/main/java/org/apache/drill/exec/store/jdbc/JdbcStorageConfig.java
+++ b/contrib/storage-jdbc/src/main/java/org/apache/drill/exec/store/jdbc/JdbcStorageConfig.java
@@ -17,6 +17,7 @@
  */
 package org.apache.drill.exec.store.jdbc;
+import com.fasterxml.jackson.annotation.JsonFilter;
 import org.apache.drill.common.logical.StoragePluginConfig;
 import com.fasterxml.jackson.annotation.JsonCreator;
@@ -24,6 +25,7 @@ import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.annotation.JsonTypeName;
 @JsonTypeName(JdbcStorageConfig.NAME)
+@JsonFilter("passwordFilter")
 public class JdbcStorageConfig extends StoragePluginConfig {
   public static final String NAME = "jdbc";
http://git-wip-us.apache.org/repos/asf/drill/blob/863ff0bc/distribution/src/assemble/bin.xml
----------------------------------------------------------------------
diff --git a/distribution/src/assemble/bin.xml b/distribution/src/assemble/bin.xml
index 7ca1140..82c4d90 100644
--- a/distribution/src/assemble/bin.xml
+++ b/distribution/src/assemble/bin.xml
@@ -356,10 +356,12 @@
     <file>
       <source>src/resources/drill-override.conf</source>
       <outputDirectory>conf</outputDirectory>
+      <fileMode>0640</fileMode>
     </file>
     <file>
       <source>src/resources/logback.xml</source>
       <outputDirectory>conf</outputDirectory>
+      <fileMode>0640</fileMode>
     </file>
     <file>
       <source>src/resources/yarn-client-log.xml</source>
@@ -373,12 +375,12 @@
     </file>
     <file>
       <source>src/resources/drill-env.sh</source>
-      <fileMode>0755</fileMode>
+      <fileMode>0750</fileMode>
       <outputDirectory>conf</outputDirectory>
     </file>
     <file>
       <source>src/resources/distrib-env.sh</source>
-      <fileMode>0755</fileMode>
+      <fileMode>0750</fileMode>
       <outputDirectory>conf</outputDirectory>
     </file>
     <file>
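Review bot: The filter id in the added `@JsonFilter("passwordFilter")` is a bare literal that has to match the id registered by `addFilter("passwordFilter", …)` in DefaultSqlHandler.log, and because the mapper's provider is built with `setFailOnUnknownId(false)` a mismatch on either side does not fail — it silently serializes the password. Declare the id once, e.g. `public static final String PASSWORD_FILTER = "passwordFilter";` beside `NAME`, and use it in both the annotation and the addFilter call. It is also worth a class-level Javadoc sentence stating that the annotation only redacts when a writer is obtained with the password filter provider; the mapper's default writer still emits every field.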
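Review bot: The 0640 mode is added to drill-override.conf, logback.xml, drill-override-example.conf and core-site-example.xml (this hunk and the one at -388) while the neighbouring yarn-client-log.xml and saffron.properties entries shown as context appear to keep the assembly default, so the conf directory ships with mixed modes. If the rule is "only files that can hold credentials", an XML comment above the first added line, `<!-- 0640: may contain credentials; not readable by other users -->`, records it for the next editor; otherwise the remaining conf entries should get the same mode. The protection also relies on the group owning the installation being trusted, which the assembly descriptor cannot enforce.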
@@ -388,21 +390,23 @@
     </file>
     <file>
       <source>src/resources/drill-setup.sh</source>
-      <fileMode>0755</fileMode>
+      <fileMode>0750</fileMode>
       <outputDirectory>conf</outputDirectory>
     </file>
     <file>
       <source>src/resources/distrib-setup.sh</source>
-      <fileMode>0755</fileMode>
+      <fileMode>0750</fileMode>
       <outputDirectory>conf</outputDirectory>
     </file>
     <file>
       <source>src/resources/drill-override-example.conf</source>
       <outputDirectory>conf</outputDirectory>
+      <fileMode>0640</fileMode>
     </file>
     <file>
       <source>src/resources/core-site-example.xml</source>
       <outputDirectory>conf</outputDirectory>
+      <fileMode>0640</fileMode>
     </file>
     <file>
       <source>src/resources/saffron.properties</source>
http://git-wip-us.apache.org/repos/asf/drill/blob/863ff0bc/distribution/src/resources/distrib-env.sh
----------------------------------------------------------------------
diff --git a/distribution/src/resources/distrib-env.sh b/distribution/src/resources/distrib-env.sh
old mode 100644
new mode 100755
http://git-wip-us.apache.org/repos/asf/drill/blob/863ff0bc/distribution/src/resources/drill-env.sh
----------------------------------------------------------------------
diff --git a/distribution/src/resources/drill-env.sh b/distribution/src/resources/drill-env.sh
old mode 100644
new mode 100755
http://git-wip-us.apache.org/repos/asf/drill/blob/863ff0bc/exec/java-exec/src/main/java/org/apache/drill/exec/planner/sql/handlers/DefaultSqlHandler.java
----------------------------------------------------------------------
diff --git a/exec/java-exec/src/main/java/org/apache/drill/exec/planner/sql/handlers/DefaultSqlHandler.java b/exec/java-exec/src/main/java/org/apache/drill/exec/planner/sql/handlers/DefaultSqlHandler.java
index 9b75fb7..58fac66 100644
--- a/exec/java-exec/src/main/java/org/apache/drill/exec/planner/sql/handlers/DefaultSqlHandler.java
+++ b/exec/java-exec/src/main/java/org/apache/drill/exec/planner/sql/handlers/DefaultSqlHandler.java
@@ -23,7 +23,11 @@ import java.util.Collection;
 import java.util.List;
 import java.util.concurrent.TimeUnit;
+import com.fasterxml.jackson.databind.ser.PropertyFilter;
+import com.fasterxml.jackson.databind.ser.impl.SimpleBeanPropertyFilter;
+import com.fasterxml.jackson.databind.ser.impl.SimpleFilterProvider;
 import com.google.common.collect.ImmutableList;
+import com.google.common.collect.Sets;
 import org.apache.calcite.plan.RelOptCostImpl;
 import org.apache.calcite.plan.RelOptLattice;
 import org.apache.calcite.plan.RelOptMaterialization;
@@ -158,7 +162,9 @@ public class DefaultSqlHandler extends AbstractSqlHandler {
   protected void log(final String name, final PhysicalPlan plan, final Logger logger) throws JsonProcessingException {
     if (logger.isDebugEnabled()) {
-      String planText = plan.unparse(context.getLpPersistence().getMapper().writer());
+      PropertyFilter filter = new SimpleBeanPropertyFilter.SerializeExceptFilter(Sets.newHashSet("password"));
+      String planText = plan.unparse(context.getLpPersistence().getMapper()
+          .writer(new SimpleFilterProvider().addFilter("passwordFilter", filter)));
       logger.debug(name + " : \n" + planText);
     }
   }
http://git-wip-us.apache.org/repos/asf/drill/blob/863ff0bc/exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/UserServer.java
----------------------------------------------------------------------
diff --git a/exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/UserServer.java b/exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/UserServer.java
index 58d9df0..df73b9e 100644
--- a/exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/UserServer.java
+++ b/exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/UserServer.java
@@ -19,6 +19,7 @@ package org.apache.drill.exec.rpc.user;
 import java.io.IOException;
 import java.net.SocketAddress;
+import java.util.List;
 import java.util.Map.Entry;
 import java.util.Set;
 import java.util.UUID;
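Review bot: The filter in `log` is built by hand as `new SimpleBeanPropertyFilter.SerializeExceptFilter(Sets.newHashSet("password"))` and a fresh provider is allocated on every debug call; Jackson's factory does the same in one expression and makes the PropertyFilter and Guava Sets imports added at -23 unnecessary: `private static final FilterProvider PASSWORD_FILTER_PROVIDER = new SimpleFilterProvider()` `.addFilter("passwordFilter", SimpleBeanPropertyFilter.serializeAllExcept("password"));` with `.writer(PASSWORD_FILTER_PROVIDER)` in the unparse call. The redaction covers only a property named exactly `password` on classes carrying `@JsonFilter("passwordFilter")`; any plugin config that stores a secret under another name, or without the annotation, is still logged in full, and a comment on the filter line should say so.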
@@ -92,6 +93,40 @@ public class UserServer extends BasicServer<RpcType, BitToUserConnection> {
     userConnectionMap = new ConcurrentHashMap<>();
   }
+  /**
+   * Serialize {@link org.apache.drill.exec.proto.UserProtos.BitToUserHandshake} instance without password
+   * @param inbound handshake instance for serialization
+   * @return String of serialized object
+   */
+  private String serializeUserToBitHandshakeWithoutPassword(UserToBitHandshake inbound) {
+    StringBuilder sb = new StringBuilder();
+    sb.append("rpc_version: ");
+    sb.append(inbound.getRpcVersion());
+    sb.append("\ncredentials:\n\t");
+    sb.append(inbound.getCredentials());
+    sb.append("properties:");
+    List<Property> props = inbound.getProperties().getPropertiesList();
+    for (Property p: props) {
+      if (!p.getKey().equalsIgnoreCase("password")) {
+        sb.append("\n\tproperty:\n\t\t");
+        sb.append("key: \"");
+        sb.append(p.getKey());
+        sb.append("\"\n\t\tvalue: \"");
+        sb.append(p.getValue());
+        sb.append("\"");
+      }
+    }
+    sb.append("\nsupport_complex_types: ");
+    sb.append(inbound.getSupportComplexTypes());
+    sb.append("\nsupport_timeout: ");
+    sb.append(inbound.getSupportTimeout());
+    sb.append("sasl_support: ");
+    sb.append(inbound.getSaslSupport());
+    sb.append("\nclient_infos:\n\t");
+    sb.append(inbound.getClientInfos().toString().replace("\n", "\n\t"));
+    return sb.toString();
+  }
   public UserServer(BootStrapContext context, BufferAllocator allocator, EventLoopGroup eventLoopGroup, UserWorker worker) throws DrillbitStartupException {
     super(UserRpcConfig.getMapping(context.getConfig(), context.getExecutor()),
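Review bot: In `serializeUserToBitHandshakeWithoutPassword` the line `sb.append("sasl_support: ");` lacks the leading newline every other field has, so the trace output reads `support_timeout: truesasl_support: …`; it should be `sb.append("\nsasl_support: ");`. The Javadoc links `UserProtos.BitToUserHandshake` but the parameter is a `UserToBitHandshake`; change it to `{@link UserToBitHandshake}`. The key match `equalsIgnoreCase("password")` hides only that one property, so if clients can pass secrets under other property keys they still reach the trace log, and `inbound.getCredentials()` is appended verbatim on the assumption that it holds no secret — worth confirming and recording in the Javadoc.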
@@ -320,8 +355,9 @@ public class UserServer extends BasicServer<RpcType, BitToUserConnection> {
     @Override
     public BitToUserHandshake getHandshakeResponse(UserToBitHandshake inbound) throws Exception {
-      logger.trace("Handling handshake from user to bit. {}", inbound);
-
+      if (logger.isTraceEnabled()) {
+        logger.trace("Handling handshake from user to bit. {}", serializeUserToBitHandshakeWithoutPassword(inbound));
+      }
       // if timeout is unsupported or is set to false, disable timeout.
       if (!inbound.hasSupportTimeout() || !inbound.getSupportTimeout()) {
         connection.disableReadTimeout();
http://git-wip-us.apache.org/repos/asf/drill/blob/863ff0bc/logical/src/main/java/org/apache/drill/common/config/LogicalPlanPersistence.java
----------------------------------------------------------------------
diff --git a/logical/src/main/java/org/apache/drill/common/config/LogicalPlanPersistence.java b/logical/src/main/java/org/apache/drill/common/config/LogicalPlanPersistence.java
index cd7a8d0..ccc4c5a 100644
--- a/logical/src/main/java/org/apache/drill/common/config/LogicalPlanPersistence.java
+++ b/logical/src/main/java/org/apache/drill/common/config/LogicalPlanPersistence.java
@@ -19,6 +19,7 @@ package org.apache.drill.common.config;
 import java.util.Set;
+import com.fasterxml.jackson.databind.ser.impl.SimpleFilterProvider;
 import org.apache.drill.common.expression.LogicalExpression;
 import org.apache.drill.common.expression.SchemaPath;
 import org.apache.drill.common.logical.FormatPluginConfigBase;
@@ -52,6 +53,7 @@ public class LogicalPlanPersistence {
     mapper.configure(Feature.ALLOW_UNQUOTED_FIELD_NAMES, true);
     mapper.configure(JsonGenerator.Feature.QUOTE_FIELD_NAMES, true);
     mapper.configure(Feature.ALLOW_COMMENTS, true);
+    mapper.setFilterProvider(new SimpleFilterProvider().setFailOnUnknownId(false));
     registerSubtypes(LogicalOperatorBase.getSubTypes(scanResult));
     registerSubtypes(StoragePluginConfigBase.getSubTypes(scanResult));
     registerSubtypes(FormatPluginConfigBase.getSubTypes(scanResult));
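Review bot: `setFailOnUnknownId(false)` makes the shared mapper fail open: any caller that serializes a `@JsonFilter("passwordFilter")` class through `mapper.writer()` without supplying the filter gets the password in its output, and the only call site this commit updates to supply it is DefaultSqlHandler.log. If the same mapper must also persist plugin configs with the password intact, that is presumably the intended trade-off, but it belongs in a comment on the added line: `// Fail open: writers that pass no FilterProvider serialize @JsonFilter classes unfiltered. Callers that log or display plans must supply the password filter explicitly (see DefaultSqlHandler.log).`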