Details
- Type: Improvement
- Status: Closed
- Priority: Major
- Resolution: Incomplete
- Affects Version/s: 4.2.0
- Fix Version/s: None
- Component/s: core.users
- Labels: None
- Environment: HUE 4.2.0 + LDAPs JDBC
Description
When saving a notebook with a JDBC interpreter with user authentication (e.g. LDAPs), the "Server Logs" tab (Wrap logs turned on) in the admin tools will show the sensitive user credential (the username's password) of this JDBC connection in plain text. This sensitive information should be redacted or removed while logging, although those DEBUG-level messages are in the in-memory server logs (cannot find any sensitive information in /var/log/hue/*.log) and they show up for a very short period of time, where only an admin user can see them.
[13/Jun/2018 22:04:57 -0700] java_gateway DEBUG Answer received: yro1
[13/Jun/2018 22:04:57 -0700] java_gateway DEBUG Command to send: c
z:java.sql.DriverManager
getConnection
sjdbc:presto://locahost:443/hive/default?SSL=true&SSLTrustStorePath=/home/wutaklon/truststore.jks&SSLTrustStorePassword=testing321
swutaklon
stesting321
e
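
One way to do the redaction the description asks for, as an added example (not Hue's or py4j's own code): a `logging.Filter` that masks the password argument of a `DriverManager.getConnection(url, user, password)` call and any `...password=` parameter in the JDBC URL before the record reaches a handler. The class and function names, the sample message and its values are constructed for illustration, and the filter assumes the command layout shown in the log above.

```python
import logging
import re

MASK = "[REDACTED]"
# URL parameters whose name contains "password", e.g. SSLTrustStorePassword=...
URL_SECRET = re.compile(r"(?i)([?&;][^=&;\s]*password[^=&;\s]*=)[^&;\s]*")

# Constructed sample, modelled on the DEBUG message in this report.
SAMPLE = ("Command to send: c\nz:java.sql.DriverManager\ngetConnection\n"
          "sjdbc:presto://db.example:443/hive/default?SSL=true"
          "&SSLTrustStorePassword=example-secret\nsalice\nsexample-secret\ne")


def redact_py4j_command(message):
    """Return the message with JDBC credentials masked."""
    lines = message.split("\n")
    for i in range(1, len(lines)):
        if lines[i] == "getConnection" and lines[i - 1].endswith("java.sql.DriverManager"):
            # Arguments run up to the end-of-command marker "e".
            end = lines.index("e", i) if "e" in lines[i:] else len(lines)
            args = range(i + 1, end)
            # Three string ("s"-prefixed) arguments: url, user, password.
            if len(args) == 3 and all(lines[j].startswith("s") for j in args):
                lines[args[2]] = "s" + MASK
    return URL_SECRET.sub(r"\g<1>" + MASK, "\n".join(lines))


class Py4JCredentialFilter(logging.Filter):
    """Rewrite a record in place if its formatted message carries credentials."""

    def filter(self, record):
        original = record.getMessage()
        redacted = redact_py4j_command(original)
        if redacted != original:
            # Store the final text so later formatting cannot re-insert the secret.
            record.msg, record.args = redacted, ()
        return True  # never drop the record, only sanitise it


if __name__ == "__main__":
    handler = logging.StreamHandler()
    # Attach to the handler so every logger that writes to it is covered.
    handler.addFilter(Py4JCredentialFilter())
    log = logging.getLogger("py4j.java_gateway")  # assumed logger name
    log.addHandler(handler)
    log.setLevel(logging.DEBUG)
    log.debug(SAMPLE)
```

Attaching the filter to each handler, including any in-memory handler that feeds an admin log view, covers every destination; a filter attached only to a parent logger does not see records emitted by its child loggers.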