  1. Ambari
  2. AMBARI-16810

Ambari Agent security bypassed in Python >= 2.7.9

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 2.4.0
    • None
    • None

    Description

      We hard-coded the Ambari Agents to ignore certificate
      verification. But the reason why this was required was that Python was
      insecure by default:
      <https://access.redhat.com/articles/2039753>
      <https://www.python.org/dev/peps/pep-0476/>

      That method will cause signed certificates to not serve any purpose & is
      discouraged by RedHat & Python security experts:

      > "It is also possible, though highly discouraged, to globally disable
      verification by monkeypatching the ssl module in versions of Python"

      Instead we should abstract it to a setting (e.g. ssl_verify_cert) in the
      ambari-agent.ini such that users can turn on certificate verification if they
      provide a signed/trusted certificate.
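
The setting proposed above, as an added example (not Ambari's code and not the attached patch): the agent reads `ssl_verify_cert` and builds a per-connection `SSLContext` instead of monkeypatching the `ssl` module for the whole process. It is written for Python 3; the `[security]` section name, the default of "off" when the key is absent, and all function names are assumptions.

```python
import configparser
import ssl

# Constructed ambari-agent.ini fragments. Only the ssl_verify_cert key comes
# from the issue; the [security] section and the keysdir value are assumed.
INI_VERIFY_ON = "[security]\nssl_verify_cert = 1\n"
INI_VERIFY_OFF = "[security]\nssl_verify_cert = 0\n"
INI_MISSING = "[security]\nkeysdir = /tmp/keys\n"


def load_verify_flag(ini_text, default=False):
    """Return the ssl_verify_cert setting; reject values that are not booleans."""
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    try:
        return parser.getboolean("security", "ssl_verify_cert", fallback=default)
    except ValueError:
        # A typo such as "ture" must fail loudly, not fall back to no verification.
        raise ValueError("ssl_verify_cert must be a boolean (1/0, true/false)")


def build_ssl_context(verify, cafile=None):
    """Build a context for one connection instead of patching the ssl module."""
    if verify:
        # Verifies chain and hostname; cafile=None uses the system trust store.
        return ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    # Verification is off only for callers that are handed this context;
    # ssl._create_default_https_context is left alone for the rest of the process.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode is lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ini_text):
    """Return (verify_mode, check_hostname) for the context an ini file yields."""
    ctx = build_ssl_context(load_verify_flag(ini_text))
    return ctx.verify_mode, ctx.check_hostname


if __name__ == "__main__":
    samples = [("on", INI_VERIFY_ON), ("off", INI_VERIFY_OFF), ("missing", INI_MISSING)]
    for name, ini in samples:
        print(name, describe(ini))
```
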

      Attachments

        1. AMBARI-16810.patch
          4 kB
          Andrew Onischuk

            People

              aonishuk Andrew Onischuk