[ https://issues.apache.org/jira/browse/YARN-11308?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17606840#comment-17606840 ]
ASF GitHub Bot commented on YARN-11308:
---------------------------------------

slfan1989 commented on code in PR #4908:
URL: https://github.com/apache/hadoop/pull/4908#discussion_r974841557


##########
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java:
##########
@@ -214,6 +215,12 @@ public final class HttpServer2 implements FilterContainer { private StatisticsHandler statsHandler; private HttpServer2Metrics metrics; + private static final String MASK = "******"; + public static final String FEDERATION_STATESTORE_SQL_USERNAME = + "yarn.federation.state-store.sql.username"; + public static final String FEDERATION_STATESTORE_SQL_PASSWROD =

Review Comment:
   Your suggestion is very good. I read the code and I found that `ConfigRedactor` provides the ability to provide masks for key configurations. When `ConfigRedactor` is initialized, it will read some configuration-sensitive keywords. When encountering these keywords, it will return the value in mask mode. But `ConfigRedactor` currently only supports JSON configuration; I will add a new method to support XML configuration.

   ```java
   // ConfigRedactor: compile the comma-separated regex list once at construction time.
   public ConfigRedactor(Configuration conf) {
     String sensitiveRegexList = conf.get(
         HADOOP_SECURITY_SENSITIVE_CONFIG_KEYS,
         HADOOP_SECURITY_SENSITIVE_CONFIG_KEYS_DEFAULT);
     List<String> sensitiveRegexes =
         Arrays.asList(StringUtils.getTrimmedStrings(sensitiveRegexList));
     compiledPatterns = new ArrayList<Pattern>();
     for (String regex : sensitiveRegexes) {
       Pattern p = Pattern.compile(regex);
       compiledPatterns.add(p);
     }
   }

   // Default list of key patterns whose values are masked; the last entry masks the list key itself.
   public static final String HADOOP_SECURITY_SENSITIVE_CONFIG_KEYS_DEFAULT =
       String.join(",",
           "secret$",
           "password$",
           "username$",
           "ssl.keystore.pass$",
           "fs.s3.*[Ss]ecret.?[Kk]ey",
           "fs.s3a.*.server-side-encryption.key",
           "fs.s3a.encryption.algorithm",
           "fs.s3a.encryption.key",
           "fs.azure\\.account.key.*",
           "credential$",
           "oauth.*secret",
           "oauth.*password",
           "oauth.*token",
           HADOOP_SECURITY_SENSITIVE_CONFIG_KEYS);
   ```


> Router Page display the db username and password in mask mode
> -------------------------------------------------------------
>
>                 Key: YARN-11308
>                 URL: https://issues.apache.org/jira/browse/YARN-11308
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: federation
>    Affects Versions: 3.4.0
>            Reporter: fanshilun
>            Assignee: fanshilun
>            Priority: Major
>              Labels: pull-request-available
>         Attachments: image-2022-09-19-17-33-44-585.png, image-2022-09-19-17-35-02-471.png
>
>
> When using YARN Federation's SQLFederationStateStore, we need to configure yarn.federation.state-store.sql.username and yarn.federation.state-store.sql.password in the configuration file. When viewing Conf on the Router page, the user name and password are displayed in plaintext, which will bring security risks. We should display it in the form of a mask.
>
> before fixing
> {code:java}
> <property>
>   <name>yarn.federation.state-store.sql.username</name>
>   <value>federation</value>
>   <final>false</final>
>   <source>yarn-site.xml</source>
> </property>
> <property>
>   <name>yarn.federation.state-store.sql.password</name>
>   <value>federation123</value>
>   <final>false</final>
>   <source>yarn-site.xml</source>
> </property>
> {code}
>
> after fixing
> {code:java}
> <property>
>   <name>yarn.federation.state-store.sql.username</name>
>   <value>******</value>
>   <final>false</final>
>   <source>yarn-site.xml</source>
> </property>
> <property>
>   <name>yarn.federation.state-store.sql.password</name>
>   <value>******</value>
>   <final>false</final>
>   <source>yarn-site.xml</source>
> </property>
> {code}
>
>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
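Review bot: the constant added in the HttpServer2.java hunk above, `FEDERATION_STATESTORE_SQL_PASSWROD`, misspells PASSWORD, and because it is declared `public static final` the typo would become part of hadoop-common's public surface; rename it to `FEDERATION_STATESTORE_SQL_PASSWORD`. The same hunk also hard-codes YARN federation key names and a `MASK` literal into hadoop-common's HttpServer2, which has no business knowing `yarn.federation.*` keys; the direction the review thread lands on, reusing the `HADOOP_SECURITY_SENSITIVE_CONFIG_KEYS` regex list through `ConfigRedactor`, avoids that, and the quoted default list already contains `username$` and `password$`, so both federation keys are covered without any new constants in HttpServer2.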
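The XML-side redaction that slfan1989's comment says ConfigRedactor still lacks, as an added stand-alone Python sketch (not Hadoop's code and not part of PR #4908): it reuses the default sensitive-key regex list quoted in the comment with ConfigRedactor's unanchored-search rule and masks the `<value>` of every matching `<property>` in a conf dump shaped like the issue's before/after XML. The sample dump, including its jdbc URL, is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

MASK = "******"

# Default pattern list copied from the ConfigRedactor constant quoted in the review
# comment; the last entry is the key that holds the list itself, so it is masked too.
HADOOP_SECURITY_SENSITIVE_CONFIG_KEYS = "hadoop.security.sensitive-config-keys"
HADOOP_SECURITY_SENSITIVE_CONFIG_KEYS_DEFAULT = ",".join([
    "secret$", "password$", "username$", "ssl.keystore.pass$",
    "fs.s3.*[Ss]ecret.?[Kk]ey", "fs.s3a.*.server-side-encryption.key",
    "fs.s3a.encryption.algorithm", "fs.s3a.encryption.key",
    r"fs.azure\.account.key.*", "credential$",
    "oauth.*secret", "oauth.*password", "oauth.*token",
    HADOOP_SECURITY_SENSITIVE_CONFIG_KEYS,
])


class XmlConfRedactor:
    """Applies ConfigRedactor's key-matching rule to a Hadoop XML configuration dump."""

    def __init__(self, sensitive_regex_list=HADOOP_SECURITY_SENSITIVE_CONFIG_KEYS_DEFAULT):
        # Same rule as ConfigRedactor: comma-separated regexes, trimmed, unanchored search.
        self.patterns = [re.compile(r.strip())
                         for r in sensitive_regex_list.split(",") if r.strip()]

    def is_sensitive(self, key):
        return any(p.search(key) for p in self.patterns)

    def redact_xml(self, xml_text):
        """Returns the dump with the <value> of every sensitive <property> set to MASK."""
        root = ET.fromstring(xml_text)
        for prop in root.iter("property"):
            value = prop.find("value")
            if value is not None and self.is_sensitive(prop.findtext("name", "")):
                value.text = MASK
        return ET.tostring(root, encoding="unicode")


# Constructed sample in the shape of the Router conf dump shown in the issue (jdbc URL invented).
SAMPLE_CONF = """<configuration>
<property><name>yarn.federation.state-store.sql.username</name><value>federation</value><final>false</final><source>yarn-site.xml</source></property>
<property><name>yarn.federation.state-store.sql.password</name><value>federation123</value><final>false</final><source>yarn-site.xml</source></property>
<property><name>yarn.federation.state-store.sql.url</name><value>jdbc:mysql://db.example:3306/federation</value><final>false</final><source>yarn-site.xml</source></property>
</configuration>"""


def redacted_values(xml_text=SAMPLE_CONF):
    """Name -> value after redaction; the non-sensitive url must survive untouched."""
    root = ET.fromstring(XmlConfRedactor().redact_xml(xml_text))
    return {p.findtext("name"): p.findtext("value") for p in root.iter("property")}
```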