[jira] [Commented] (YARN-11308) Router Page display the db username and password in mask mode

ASF GitHub Bot (Jira) Mon, 19 Sep 2022 18:44:31 -0700


    [ 
https://issues.apache.org/jira/browse/YARN-11308?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17606823#comment-17606823
 ]


ASF GitHub Bot commented on YARN-11308:
---------------------------------------

slfan1989 commented on code in PR #4908:
URL: https://github.com/apache/hadoop/pull/4908#discussion_r974812563


##########
hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/conf/TestConfServlet.java:
##########
@@ -247,4 +254,67 @@ public void testBadFormat() throws Exception {
     }
     assertEquals("", sw.toString());
   }
+
+  private void verifyReplaceProperty(Configuration conf, String format,
+      String propertyName) throws Exception {
+    StringWriter sw = null;
+    PrintWriter pw = null;
+    ConfServlet service = null;
+    try {
+      service = new ConfServlet();
+      ServletConfig servletConf = mock(ServletConfig.class);
+      ServletContext context = mock(ServletContext.class);
+      service.init(servletConf);
+      when(context.getAttribute(HttpServer2.CONF_CONTEXT_ATTRIBUTE))
+          .thenReturn(conf);
+      when(service.getServletContext())
+          .thenReturn(context);
+
+      HttpServletRequest request = mock(HttpServletRequest.class);
+      when(request.getHeader(HttpHeaders.ACCEPT))

Review Comment:
   I will fix it.



##########
hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/conf/TestConfServlet.java:
##########
@@ -247,4 +254,67 @@ public void testBadFormat() throws Exception {
     }
     assertEquals("", sw.toString());
   }
+
+  private void verifyReplaceProperty(Configuration conf, String format,
+      String propertyName) throws Exception {
+    StringWriter sw = null;
+    PrintWriter pw = null;
+    ConfServlet service = null;
+    try {
+      service = new ConfServlet();
+      ServletConfig servletConf = mock(ServletConfig.class);
+      ServletContext context = mock(ServletContext.class);
+      service.init(servletConf);
+      when(context.getAttribute(HttpServer2.CONF_CONTEXT_ATTRIBUTE))
+          .thenReturn(conf);
+      when(service.getServletContext())
+          .thenReturn(context);
+
+      HttpServletRequest request = mock(HttpServletRequest.class);
+      when(request.getHeader(HttpHeaders.ACCEPT))
+          .thenReturn(TEST_FORMATS.get(format));
+      when(request.getParameter("name"))
+          .thenReturn(propertyName);
+
+      HttpServletResponse response = mock(HttpServletResponse.class);
+      sw = new StringWriter();
+      pw = new PrintWriter(sw);
+      when(response.getWriter()).thenReturn(pw);
+
+      // response request
+      service.doGet(request, response);
+      String result = sw.toString().trim();
+
+      // For example, for the property 
yarn.federation.state-store.sql.username,
+      // we set the value to test-user,
+      // which should be replaced by a mask, which should be ******
+      // MASK_PROPERTIES.get("property 
yarn.federation.state-store.sql.username")
+      // is the value before replacement, test-user
+      // result contains the replaced value, which should be ******
+      assertTrue(result.contains(propertyName) &&

Review Comment:
   I will fix it.





> Router Page display the db username and password in mask mode
> -------------------------------------------------------------
>
>                 Key: YARN-11308
>                 URL: https://issues.apache.org/jira/browse/YARN-11308
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: federation
>    Affects Versions: 3.4.0
>            Reporter: fanshilun
>            Assignee: fanshilun
>            Priority: Major
>              Labels: pull-request-available
>         Attachments: image-2022-09-19-17-33-44-585.png, 
> image-2022-09-19-17-35-02-471.png
>
>
> When using YRAN-Federation's SQLFederationStateStore, we need to configure 
> yarn.federation.state-store.sql.username, 
> yarn.federation.state-store.sql.password in the configuration file, When 
> viewing Conf on the Router page, the user name and password are displayed in 
> plaintext, which will bring security risks. We should display it in the form 
> of a mask.
>  
> before fixing
> {code:java}
> <property>
>    <name>yarn.federation.state-store.sql.username</name>
>    <value>federation</value>
>    <final>false</final>
>    <source>yarn-site.xml</source>
> </property>
> <property>
>    <name>yarn.federation.state-store.sql.password</name>
>    <value>federation123</value>
>    <final>false</final>
>    <source>yarn-site.xml</source>
> </property> {code}
> after fixing
> {code:java}
> <property>
> <name>yarn.federation.state-store.sql.username</name>
> <value>******</value>
> <final>false</final>
> <source>yarn-site.xml</source>
> </property>
> <property>
> <name>yarn.federation.state-store.sql.password</name>
> <value>******</value>
> <final>false</final>
> <source>yarn-site.xml</source>
> </property>  {code}
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org

[jira] [Commented] (YARN-11308) Router Page display the db username and password in mask mode

Reply via email to