[
https://issues.apache.org/jira/browse/YARN-11308?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17606840#comment-17606840
]
ASF GitHub Bot commented on YARN-11308:
---------------------------------------
slfan1989 commented on code in PR #4908:
URL: https://github.com/apache/hadoop/pull/4908#discussion_r974841557
##########
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java:
##########
@@ -214,6 +215,12 @@ public final class HttpServer2 implements FilterContainer {
private StatisticsHandler statsHandler;
private HttpServer2Metrics metrics;
+ private static final String MASK = "******";
+ public static final String FEDERATION_STATESTORE_SQL_USERNAME =
+ "yarn.federation.state-store.sql.username";
+ public static final String FEDERATION_STATESTORE_SQL_PASSWROD =
Review Comment:
Your suggestion is very good, I read the code and I found that
`ConfigReactor` provides the ability to provide masks for key configurations.
When `ConfigReactor` is initialized, it will read some configuration
sensitive keywords. When encountering these keywords, it will return the value
in mask mode. But `ConfigReactor` currently only supports json configuration,
I will add a new method to support xml configuration
```
public ConfigRedactor(Configuration conf) {
String sensitiveRegexList = conf.get(
HADOOP_SECURITY_SENSITIVE_CONFIG_KEYS,
HADOOP_SECURITY_SENSITIVE_CONFIG_KEYS_DEFAULT);
List<String> sensitiveRegexes =
Arrays.asList(StringUtils.getTrimmedStrings(sensitiveRegexList));
compiledPatterns = new ArrayList<Pattern>();
for (String regex : sensitiveRegexes) {
Pattern p = Pattern.compile(regex);
compiledPatterns.add(p);
}
}
public static final String HADOOP_SECURITY_SENSITIVE_CONFIG_KEYS_DEFAULT =
String.join(",",
"secret$",
"password$",
"username$",
"ssl.keystore.pass$",
"fs.s3.*[Ss]ecret.?[Kk]ey",
"fs.s3a.*.server-side-encryption.key",
"fs.s3a.encryption.algorithm",
"fs.s3a.encryption.key",
"fs.azure\\.account.key.*",
"credential$",
"oauth.*secret",
"oauth.*password",
"oauth.*token",
HADOOP_SECURITY_SENSITIVE_CONFIG_KEYS);
```
> Router Page display the db username and password in mask mode
> -------------------------------------------------------------
>
> Key: YARN-11308
> URL: https://issues.apache.org/jira/browse/YARN-11308
> Project: Hadoop YARN
> Issue Type: Bug
> Components: federation
> Affects Versions: 3.4.0
> Reporter: fanshilun
> Assignee: fanshilun
> Priority: Major
> Labels: pull-request-available
> Attachments: image-2022-09-19-17-33-44-585.png,
> image-2022-09-19-17-35-02-471.png
>
>
> When using YRAN-Federation's SQLFederationStateStore, we need to configure
> yarn.federation.state-store.sql.username,
> yarn.federation.state-store.sql.password in the configuration file, When
> viewing Conf on the Router page, the user name and password are displayed in
> plaintext, which will bring security risks. We should display it in the form
> of a mask.
>
> before fixing
> {code:java}
> <property>
> <name>yarn.federation.state-store.sql.username</name>
> <value>federation</value>
> <final>false</final>
> <source>yarn-site.xml</source>
> </property>
> <property>
> <name>yarn.federation.state-store.sql.password</name>
> <value>federation123</value>
> <final>false</final>
> <source>yarn-site.xml</source>
> </property> {code}
> after fixing
> {code:java}
> <property>
> <name>yarn.federation.state-store.sql.username</name>
> <value>******</value>
> <final>false</final>
> <source>yarn-site.xml</source>
> </property>
> <property>
> <name>yarn.federation.state-store.sql.password</name>
> <value>******</value>
> <final>false</final>
> <source>yarn-site.xml</source>
> </property> {code}
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
