New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[WIP] AMBARI-25043. Sensitive Ambari configuration values are encrypted in Ambari Server DB #2742
Conversation
Refer to this link for build results (access rights to CI server needed): |
@@ -64,5 +73,38 @@ protected String getValue(String propertyName, Map<String, String> configuration | |||
return defaultValue; | |||
} | |||
} | |||
|
|||
/** | |||
* @return |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
let's remove or populate
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will add the missing JavaDoc; thanks for pointing out.
|
||
@Override | ||
public void decryptSensitiveData(AmbariServerConfiguration decryptible) { | ||
decryptible.toMap().entrySet().stream().filter(f -> passwordConfigurations.contains(f.getKey())).filter(f -> isEncryptedPassword(f.getValue())) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
how about making this code multi-line?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fine by me; let me submit a new patchset soon
…tests in the commit
Refer to this link for build results (access rights to CI server needed): |
…Ambari Server DB (apache#2742)
What changes were proposed in this pull request?
Ambari configuration value types are defined in
org.apache.ambari.server.configuration.AmbariServerConfigurationKey.
Sensitive properties have property type oforg.apache.ambari.server.configuration.ConfigurationPropertyType#PASSWORD
.Using this information, if this feature is enabled, the Ambari server should encrypt sensitive values before storing them in the
ambari_configuration
table in the Ambari DB.The Ambari server should encrypt sensitive configuration values if the following has been met:
ambari-server setup-security
CLI (using option # 2 - Encrypt passwords stored in ambari.properties file)security.server.encrypt_sensitive_data
is set totrue
WIP: the API still return the encrypted form; I'm not sure if this needs to be changed...
How was this patch tested?
Updated unit tests and they passed:
In addition to uni tests the following steps have been done to check if everything works as expected:
setupSecurity.py
and the generated JAR then restarted the server and the agentsambari-server setup-ldap
(some attributes are changed in the below sample such as server name, etc...)