[AMBARI-12227] Kerberos Wizard: temporarily stores admin principal / password in browser's local storage - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: 2.0.0
Fix Version/s: 2.1.1
Component/s: ambari-web
Labels:
None

Description

Kerberos admin credentials are stored in the browser's local storage in plain text during Enable Kerberos Wizard. This is blown away when the user exits the wizard or on log out.
However, if there is a chance for an attacker without proper Ambari credentials to look at the Kerberos credentials. For example, the admin can launch Enable Kerberos Wizard and enters Kerberos admin credentials on the 2nd page, and goes forward. At this point, Kerberos admin crendentials are stored in browser's local storage. If the user walks away from his desk, the other user can look in the browser developer tools to find the Kerberos admin principal and password.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

AMBARI-12227.patch
30/Jun/15 22:37
5 kB
Richard Zang

Issue Links

links to

Review Board

Activity

People

Assignee:: Richard Zang

Reporter:: Richard Zang

Votes:: 1 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 30/Jun/15 22:24

Updated:: 21/Jul/15 22:42

Resolved:: 21/Jul/15 19:40