john lilley created YARN-10007: ---------------------------------- Summary: YARN logs contain environment variables, which is a security risk Key: YARN-10007 URL: https://issues.apache.org/jira/browse/YARN-10007 Project: Hadoop YARN Issue Type: Bug Components: yarn Reporter: john lilley
In most environments it is standard practice to relay "secrets" via environment variables when spawning a process, because the alternatives (command-line args or storing in a file) are insecure. However, in a YARN application, this also appears to be insecure because the environment is logged. While YARN has the ability to relay delegation tokens in the launch context, it is unclear how to use this facility for generalized "secrets" that may not conform to security-token structure. For example, the RPDM_KEYSTORE_PASSWORDS env var is found in the aggregated YARN logs: {{Container: container_e06_1574362398372_0023_01_000001 on node6.xxxxxxxx.com_45454}} {{LogAggregationType: AGGREGATED}} {{============================================================================================}} {{LogType:launch_container.sh}} {{LogLastModifiedTime:Sat Nov 23 14:58:12 -0700 2019}} {{LogLength:4043}} {{LogContents:}} {{#!/bin/bash}}{{set -o pipefail -e}} {{[...]export HADOOP_YARN_HOME=${HADOOP_YARN_HOME:-"/usr/hdp/2.6.5.1175-1/hadoop-yarn"}}} {{export RPDM_KEYSTORE_PASSWORDS="eyJnZW5lcmFsIjoiZmtQZllubmVLRVo4c1Z0V0REQ3gxaHJzRnVjdVN5b1NBTE9OUTF1dEZpZ1x1MDAzZCJ9"}} -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org