Hue / HUE-8376

JDBC interpreter's user credential shown in `Server Logs` tab of Admin tools

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 4.2.0
    • Fix Version/s: None
    • Component/s: core.users
    • Labels: None
    • Environment: HUE 4.2.0 + LDAPs JDBC

      Description

      When saving a notebook with a JDBC interpreter that uses user authentication (e.g. LDAPs), the "Server Logs" tab (Wrap logs turned on) in the admin tools will show the sensitive user credential (the username's password) of this JDBC connection in plain text. This sensitive information should be redacted or removed while logging, although those DEBUG-level messages are in the in-memory server logs (cannot find any sensitive information in /var/log/hue/*.log) and they show up for a very short period of time, during which only an admin user can see them.

       

      [13/Jun/2018 22:04:57 -0700] java_gateway DEBUG Answer received: yro1
      [13/Jun/2018 22:04:57 -0700] java_gateway DEBUG Command to send: c
      z:java.sql.DriverManager
      getConnection
      sjdbc:presto://locahost:443/hive/default?SSL=true&SSLTrustStorePath=/home/wutaklon/truststore.jks&SSLTrustStorePassword=testing321
      swutaklon
      stesting321
      e
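
One way to implement the redaction requested above, as an added example that is not part of the original report and not Hue's or py4j's own code: a `logging.Filter` that masks credentials in `getConnection` commands before any handler stores them. The logger name `py4j.java_gateway`, the parameter-name pattern, and the sample values are assumptions; every string argument after the JDBC URL is masked, user name included.

```python
import logging
import re

MASK = "********"
# Assumption: URL parameters whose name contains one of these words hold secrets.
SECRET_PARAM = re.compile(
    r"([?&;][^=&;\s]*(?:password|passwd|secret|token)[^=&;\s]*=)[^&;\s]*",
    re.IGNORECASE)

def redact_gateway_command(text):
    """Mask credentials in a py4j command that calls getConnection."""
    lines = text.split("\n")
    if "getConnection" not in lines:
        return text
    seen_url = False
    for i in range(lines.index("getConnection") + 1, len(lines)):
        if lines[i] == "e":                 # end-of-command marker
            break
        if not lines[i].startswith("s"):    # 's' prefixes a string argument
            continue
        if not seen_url:                    # first string argument: JDBC URL
            lines[i] = SECRET_PARAM.sub(lambda m: m.group(1) + MASK, lines[i])
            seen_url = True
        else:                               # later ones: user name, password
            lines[i] = "s" + MASK
    return "\n".join(lines)

class GatewayCredentialFilter(logging.Filter):
    """Rewrite matching records before any handler formats or stores them."""
    def filter(self, record):
        message = record.getMessage()
        redacted = redact_gateway_command(message)
        if redacted != message:
            record.msg, record.args = redacted, ()
        return True

def install_filter(logger_name="py4j.java_gateway"):  # assumed logger name
    logging.getLogger(logger_name).addFilter(GatewayCredentialFilter())

# Constructed sample in the shape of the log excerpt; all values are made up.
SAMPLE = ("Command to send: c\nz:java.sql.DriverManager\ngetConnection\n"
          "sjdbc:presto://db.example:443/hive/default?SSL=true"
          "&SSLTrustStorePassword=EXAMPLE-ts\nsexample_user\nsEXAMPLE-pw\ne\n")

if __name__ == "__main__":
    print(redact_gateway_command(SAMPLE))
```

The filter has to be attached to the logger that emits the record, since logger-level filters are not applied to records propagated up from child loggers.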

            People

            • Assignee: Unassigned
            • Reporter: wutaklon TAKLON STEPHEN WU