GET /job-executions/{id} returns credentials

Bug #1273661 reported by Matthew Farrellee
Affects: Sahara
Status: Fix Released
Importance: High
Assigned to: Trevor McKay

Bug Description

The credentials used during the job execution are readily available in the representation of the job-execution transmitted from the service.

Matthew Farrellee (mattf) wrote :

NOTE - the python-savannaclient filters out the credentials before displaying them, that code can be removed when this is fixed.

Changed in savanna:
status: New → Confirmed
importance: Undecided → High
milestone: none → icehouse-3
Changed in savanna:
assignee: nobody → Trevor McKay (tmckay)
Trevor McKay (tmckay) wrote :

I'm assuming we're talking about the swift credentials here in the configs, which are copied from the data source(s)?
For example:

{
    "job_execution": {
        "cluster_id": "7ed1c016-a8a3-4209-9931-6e80f58eea80",
        "created_at": "2014-02-14 17:46:56.631209",
        "extra": {},
        "id": "1b0b1874-a261-4d1f-971a-a2cebadeba6c",
        "info": {
            "status": "Pending"
        },
        "input_id": "b5ddde55-594e-428f-9040-028be81eb3c2",
        "job_configs": {
            "args": [
                "bob",
                "bill"
            ],
            "configs": {
                "fs.swift.service.savanna.password": "openstack",
                "fs.swift.service.savanna.username": "admin"
            }
        },
        "job_id": "d0f3e397-7bef-42f9-a4db-e5a96059246e",
        "output_id": "f4993830-aa97-4b0b-914a-ab6430f742b6",
        "tenant_id": "6b859fb8d1f44e8eafdfb91f21309b5f"
    }
}

Changed in savanna:
milestone: icehouse-3 → icehouse-rc1
Sergey Lukjanov (slukjanov) wrote :

Trevor, yup.

Changed in sahara:
status: Confirmed → Triaged
Trevor McKay (tmckay)
Changed in sahara:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to sahara (master)

Fix proposed to branch: master
Review: https://review.openstack.org/82883

OpenStack Infra (hudson-openstack) wrote : Fix merged to sahara (master)

Reviewed: https://review.openstack.org/82883
Committed: https://git.openstack.org/cgit/openstack/sahara/commit/?id=fc6431730398fcd20f1d80a74483cd8cddf24eed
Submitter: Jenkins
Branch: master

commit fc6431730398fcd20f1d80a74483cd8cddf24eed
Author: Trevor McKay <email address hidden>
Date: Tue Mar 25 13:25:04 2014 -0400

    Filter 'fields' from JobExecutions returned from REST api

    The 'job_configs' field will contain swift credentials used by Hadoop
    when running jobs that use swift data sources. The 'extra' field may
    contain a token for use with neutron.

    The current filtering mechanism in Sahara allows filtering fields by name,
    but it's not set up to support programmatic filtering of things which
    can be variable. It may not be necessary to filter out 'job_configs'
    entirely from a security perspective, but there currently is no other
    option when a field might or might not contain particular values.

    Additionally, sensitive information could potentially be passed in 'args'
    within 'job_configs' and it is impossible to know anything about the
    content of that field.

    Closes-Bug: #1273661
    Change-Id: Idb2e68a2d42e45bab04c62c740cbbaf5e51b2719
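
The name-based filtering described in the commit message, as an added example that is not Sahara's code: it drops 'job_configs' and 'extra' from a job-execution body and includes a checker that lists credential-looking keys, usable as a regression test on API responses. The function names and the marker list are assumptions; the sample body is trimmed from the one posted in this bug.

```python
import copy

# Fields the merged fix removes by name, per the commit message.
FILTERED_FIELDS = ("job_configs", "extra")
# Assumption: substrings that mark a key as credential-bearing.
SENSITIVE_MARKERS = ("password", "username", "token", "secret")

# Response body trimmed from the example posted in this bug.
SAMPLE = {
    "job_execution": {
        "id": "1b0b1874-a261-4d1f-971a-a2cebadeba6c",
        "extra": {},
        "info": {"status": "Pending"},
        "job_configs": {
            "args": ["bob", "bill"],
            "configs": {
                "fs.swift.service.savanna.password": "openstack",
                "fs.swift.service.savanna.username": "admin",
            },
        },
    }
}


def filter_job_execution(body, fields=FILTERED_FIELDS):
    """Return a copy of the response body with the named fields dropped."""
    out = copy.deepcopy(body)
    for name in fields:
        out["job_execution"].pop(name, None)
    return out


def sensitive_paths(node, prefix=""):
    """Walk dicts and lists; return paths of keys that look like credentials."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            path = f"{prefix}/{key}"
            if any(m in key.lower() for m in SENSITIVE_MARKERS):
                hits.append(path)
            hits.extend(sensitive_paths(value, path))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(sensitive_paths(value, f"{prefix}/{i}"))
    return hits


if __name__ == "__main__":
    print(sensitive_paths(SAMPLE))
    print(sensitive_paths(filter_job_execution(SAMPLE)))
```

The checker matches key names only, so it cannot see a secret passed as a value in 'args'; that limitation is the reason the commit message gives for removing 'job_configs' as a whole.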

Changed in sahara:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in sahara:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in sahara:
milestone: icehouse-rc1 → 2014.1