[HBASE-27320] hide some sensitive configuration information in the UI - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Minor
Resolution: Fixed
Affects Version/s: 3.0.0-alpha-3
Fix Version/s: 2.6.0, 2.5.1, 3.0.0-alpha-4, 2.4.15
Component/s: security, UI
Labels:
None

Hadoop Flags:

Reviewed
Release Note:
hide superuser and password related settings in the configuration UI

Description

In the discussion about how to store keystore/truststore password securely, bbeaudreault mentioned and I quote here

"I agree that it seems insecure to put it directly into the hbase-site.xml. Another reason is due to the RS UI which (helpfully) can print the entire site configuration. We’d need to make sure the password is excluded from that, but better to remove it from site xml altogether".

I also felt that some sensitive information was exposed in the UI, for example, if we set superuser in the hbase-site.xml, the non-admin users can obtain superuser information and simulate superuser to perform some non-permitted operations on the cluster. So I think maybe we should hide these sensitive information in the UI.

Attachments

Issue Links

links to

GitHub Pull Request #4723

Activity

People

Assignee:: ruanhui

Reporter:: ruanhui

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 23/Aug/22 17:09

Updated:: 02/Sep/22 15:32

Resolved:: 24/Aug/22 07:21