HADOOP-14241. Add ADLS sensitive config keys to default list. Contributed by John Zhuge.

(cherry picked from commit 6865746ea4)
2017-04-19 22:24:33 -07:00 · 2017-04-19 22:24:33 -07:00 · 28f0de875d
parent e813110734
commit 28f0de875d
4 changed files with 42 additions and 12 deletions
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/ConfigRedactor.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/ConfigRedactor.java
@ -42,7 +42,8 @@ public class ConfigRedactor {
    String sensitiveRegexList = conf.get(
        HADOOP_SECURITY_SENSITIVE_CONFIG_KEYS,
        HADOOP_SECURITY_SENSITIVE_CONFIG_KEYS_DEFAULT);
-    List<String> sensitiveRegexes = Arrays.asList(sensitiveRegexList.split(","));
+    List<String> sensitiveRegexes =
+        Arrays.asList(sensitiveRegexList.trim().split("[,\\s]+"));
    compiledPatterns = new ArrayList<Pattern>();
    for (String regex : sensitiveRegexes) {
      Pattern p = Pattern.compile(regex);
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java
@ -18,10 +18,13 @@

 package org.apache.hadoop.fs;

+import java.util.Arrays;
+
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.crypto.CipherSuite;
 import org.apache.hadoop.crypto.JceAesCtrCryptoCodec;
 import org.apache.hadoop.crypto.OpensslAesCtrCryptoCodec;
+import org.apache.hadoop.util.StringUtils;

 /** 
 * This class contains constants for configuration keys used
@ -737,12 +740,14 @@ public class CommonConfigurationKeysPublic {
  public static final String HADOOP_SECURITY_SENSITIVE_CONFIG_KEYS =
      "hadoop.security.sensitive-config-keys";
  public static final String HADOOP_SECURITY_SENSITIVE_CONFIG_KEYS_DEFAULT =
-      "secret$" + "," +
-      "password$" + "," +
-      "ssl.keystore.pass$" + "," +
-      "fs.s3.*[Ss]ecret.?[Kk]ey" + "," +
-      "fs.azure\\.account.key.*" + "," +
-      "dfs.webhdfs.oauth2.[a-z]+.token" + "," +
-      HADOOP_SECURITY_SENSITIVE_CONFIG_KEYS;
+      StringUtils.join(",", Arrays.asList(
+          "secret$",
+          "password$",
+          "ssl.keystore.pass$",
+          "fs.s3.*[Ss]ecret.?[Kk]ey",
+          "fs.azure\\.account.key.*",
+          "credential$",
+          "oauth.*token$",
+          HADOOP_SECURITY_SENSITIVE_CONFIG_KEYS));
 }

--- a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
+++ b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
@ -432,9 +432,18 @@

 <property>
  <name>hadoop.security.sensitive-config-keys</name>
-  <value>secret$,password$,ssl.keystore.pass$,fs.s3.*[Ss]ecret.?[Kk]ey,fs.azure.account.key.*,dfs.webhdfs.oauth2.[a-z]+.token,hadoop.security.sensitive-config-keys</value>
-  <description>A comma-separated list of regular expressions to match against
-      configuration keys that should be redacted where appropriate, for
+  <value>
+      secret$
+      password$
+      ssl.keystore.pass$
+      fs.s3.*[Ss]ecret.?[Kk]ey
+      fs.azure.account.key.*
+      credential$
+      oauth.*token$
+      hadoop.security.sensitive-config-keys
+  </value>
+  <description>A comma-separated or multi-line list of regular expressions to
+      match configuration keys that should be redacted where appropriate, for
      example, when logging modified properties during a reconfiguration,
      private credentials should not be logged.
  </description>
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/conf/TestConfigRedactor.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/conf/TestConfigRedactor.java
@ -34,15 +34,30 @@ public class TestConfigRedactor {
  private static final String ORIGINAL_VALUE = "Hello, World!";

  @Test
-  public void redact() throws Exception {
+  public void testRedactWithCoreDefault() throws Exception {
    Configuration conf = new Configuration();
+    testRedact(conf);
+  }
+
+  @Test
+  public void testRedactNoCoreDefault() throws Exception {
+    Configuration conf = new Configuration(false);
+    testRedact(conf);
+  }
+
+  private void testRedact(Configuration conf) throws Exception {
    ConfigRedactor redactor = new ConfigRedactor(conf);
    String processedText;

    List<String> sensitiveKeys = Arrays.asList(
        "fs.s3a.secret.key",
+        "fs.s3a.bucket.BUCKET.secret.key",
        "fs.s3n.awsSecretKey",
        "fs.azure.account.key.abcdefg.blob.core.windows.net",
+        "fs.adl.oauth2.refresh.token",
+        "fs.adl.oauth2.credential",
+        "dfs.adls.oauth2.refresh.token",
+        "dfs.adls.oauth2.credential",
        "dfs.webhdfs.oauth2.access.token",
        "dfs.webhdfs.oauth2.refresh.token",
        "ssl.server.keystore.keypassword",