[ACCUMULO-489] Input Format puts Base64 encoded passwords in Configuration, which is world readable - ASF JIRA

Agile Board

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.3.5-incubating, 1.4.0
Fix Version/s: 1.4.1
Component/s: client
Labels:
- security

Description

This has been a known issue, but I think it's about time we address it. Whena user sets up a mapreduce, they set their password in the configuration (Base64 encoded). This configuration is world readable, meaning passwords are out there in cleartext. We need a mechanism in place to try to keep this data private.

In hadoop 0.20.203, the private distributed cache was implemented. Any file placed in the distributed cache which is not world readable/not in folders world executable automatically get placed in the private distributed cache. The protection mechanism is simply being in the tasktracker's local directory under a folder for the user with restricted permissions. This should be adequate for protecting a users Accumulo password. So this should be as simple as checking the set/getPassword functions to utilize this space rather than the configuration.

Attachments

Issue Links

relates to

ACCUMULO-829 Input Format puts passwords in Configuration, which is world readable

Resolved

Activity

People

Assignee:: Unassigned

Reporter:: John Vines

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 22/Mar/12 10:51

Updated:: 18/Apr/13 20:14

Resolved:: 16/May/12 12:23

Agile

View on Board

Input Format puts Base64 encoded passwords in Configuration, which is world readable