Major Description
Following passwords are currently visible in the instrumentation log, REST endpoints, WebUI, and CLI (WebUI and CLI simply call the REST endpoints):
- javax.net.ssl.trustStorePassword
- oozie.https.keystore.pass
- HADOOP_CREDSTORE_PASSWORD
- OOZIE_HTTPS_KEYSTORE_PASSWORD
- OOZIE_HTTPS_TRUSTSTORE_PASSWORD
There are a few examples that illustrate password leakage.
# grep -i pass /var/log/oozie/oozie-instrumentation.log
OOZIE_HTTPS_TRUSTSTORE_PASSWORD = password
javax.net.ssl.trustStorePassword = password
oozie.https.keystore.pass = password
HADOOP_CREDSTORE_PASSWORD = password
OOZIE_HTTPS_KEYSTORE_PASSWORD = password
CATALINA_OPTS = -Xms603979776 -Xmx603979776 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/tmp/OOZIE-1_OOZIE-1-OOZIE_SERVER-2e75cc1293d9058eef7250a18f347c43_pid30867.hprof -XX:OnOutOfMemoryError=/usr/lib64/cmf/service/common/killparent.sh -Doozie.home.dir=/usr/lib/oozie -Doozie.config.dir=/var/run/cloudera-scm-agent/process/320-oozie-OOZIE_SERVER -Doozie.log.dir=/var/log/oozie -Doozie.log.file=oozie-cmf-OOZIE-1-OOZIE_SERVER-nightly-1.gce.cloudera.com.log.out -Doozie.config.file=oozie-site.xml -Doozie.log4j.file=log4j.properties -Doozie.log4j.reload=10 -Doozie.http.hostname=nightly-1.gce.cloudera.com -Doozie.http.port=11000 -Djava.net.preferIPv4Stack=true -Doozie.admin.port=11001 -Dderby.stream.error.file=/var/log/oozie/derby.log -Doozie.instance.id=nightly-1.gce.cloudera.com -Djava.library.path=/usr/lib/hadoop/lib/native -Doozie.https.port=11443 -Djavax.net.ssl.trustStore=/etc/cdep-ssl-conf/CA_STANDARD/truststore.jks -Djavax.net.ssl.trustStorePassword=password
Oozie dumps the env vars and Java sys props to the instrumentation log on startup.
# curl --negotiate -u foo:bar -k https://nightly-1.gce.cloudera.com:11443/oozie/v2/admin/os-env | python -m json.tool | grep -i pass
"CATALINA_OPTS": "-Xms603979776 -Xmx603979776 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/tmp/OOZIE-1_OOZIE-1-OOZIE_SERVER-2e75cc1293d9058eef7250a18f347c43_pid30867.hprof -XX:OnOutOfMemoryError=/usr/lib64/cmf/service/common/killparent.sh -Doozie.home.dir=/usr/lib/oozie -Doozie.config.dir=/var/run/cloudera-scm-agent/process/320-oozie-OOZIE_SERVER -Doozie.log.dir=/var/log/oozie -Doozie.log.file=oozie-cmf-OOZIE-1-OOZIE_SERVER-nightly-1.gce.cloudera.com.log.out -Doozie.config.file=oozie-site.xml -Doozie.log4j.file=log4j.properties -Doozie.log4j.reload=10 -Doozie.http.hostname=nightly-1.gce.cloudera.com -Doozie.http.port=11000 -Djava.net.preferIPv4Stack=true -Doozie.admin.port=11001 -Dderby.stream.error.file=/var/log/oozie/derby.log -Doozie.instance.id=nightly-1.gce.cloudera.com -Djava.library.path=/usr/lib/hadoop/lib/native -Doozie.https.port=11443 -Djavax.net.ssl.trustStore=/etc/cdep-ssl-conf/CA_STANDARD/truststore.jks -Djavax.net.ssl.trustStorePassword=password ",
"HADOOP_CREDSTORE_PASSWORD": "password",
"OOZIE_HTTPS_KEYSTORE_PASSWORD": "password",
"OOZIE_HTTPS_TRUSTSTORE_PASSWORD": "password",
# curl --negotiate -u foo:bar -k https://nightly-1.gce.cloudera.com:11443/oozie/v2/admin/java-sys-properties | python -m json.tool | grep -i pass
"javax.net.ssl.trustStorePassword": "password",
"oozie.https.keystore.pass": "password",
The REST API has two endpoints, admin/os-env and admin/java-sys-properties, which are also available in the Web UI and CLI. These expose the env vars and Java sys props too.
We should mask these like we do for the configuration endpoint.