HBASE-27320 hide some sensitive configuration information in the UI (#…

…4723) Co-authored-by: huiruan <[email protected]> Signed-off-by: Tak Lon (Stephen) Wu <[email protected]> Signed-off-by: Duo Zhang <[email protected]>
apache · Aug 24, 2022 · b4e5875 · b4e5875
1 parent f9ea7ee
commit b4e5875
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 2 deletions.
diff --git a/hbase-http/src/main/java/org/apache/hadoop/hbase/http/conf/ConfServlet.java b/hbase-http/src/main/java/org/apache/hadoop/hbase/http/conf/ConfServlet.java
@@ -19,6 +19,8 @@
 
 import java.io.IOException;
 import java.io.Writer;
+import java.util.List;
+import java.util.Map;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
@@ -28,6 +30,8 @@
 import org.apache.yetus.audience.InterfaceAudience;
 import org.apache.yetus.audience.InterfaceStability;
 
+import org.apache.hbase.thirdparty.com.google.common.collect.ImmutableList;
+
 /**
  * A servlet to print out the running configuration data.
  */
@@ -39,6 +43,9 @@ public class ConfServlet extends HttpServlet {
   private static final String FORMAT_JSON = "json";
   private static final String FORMAT_XML = "xml";
   private static final String FORMAT_PARAM = "format";
+  private static final List<String> MASK_PROPERTIES =
+    ImmutableList.of("password", "secret", "superuser");
+  static final String MASKED = "<masked>";
 
   /**
    * Return the Configuration of the daemon hosting this servlet. This is populated when the
@@ -83,15 +90,30 @@ public void doGet(HttpServletRequest request, HttpServletResponse response)
    */
   static void writeResponse(Configuration conf, Writer out, String format)
     throws IOException, BadFormatException {
+    Configuration maskedConf = mask(conf);
     if (FORMAT_JSON.equals(format)) {
-      Configuration.dumpConfiguration(conf, out);
+      Configuration.dumpConfiguration(maskedConf, out);
     } else if (FORMAT_XML.equals(format)) {
-      conf.writeXml(out);
+      maskedConf.writeXml(out);
     } else {
       throw new BadFormatException("Bad format: " + format);
     }
   }
 
+  static Configuration mask(Configuration conf) {
+    Configuration maskedConf = new Configuration(conf);
+    for (Map.Entry<String, String> entry : maskedConf) {
+      String key = entry.getKey();
+      for (String maskProperty : MASK_PROPERTIES) {
+        if (key.toLowerCase().contains(maskProperty)) {
+          maskedConf.set(key, MASKED);
+          break;
+        }
+      }
+    }
+    return maskedConf;
+  }
+
   public static class BadFormatException extends Exception {
     private static final long serialVersionUID = 1L;
 

diff --git a/hbase-http/src/test/java/org/apache/hadoop/hbase/http/conf/TestConfServlet.java b/hbase-http/src/test/java/org/apache/hadoop/hbase/http/conf/TestConfServlet.java
@@ -113,6 +113,15 @@ public void testWriteXml() throws Exception {
     assertTrue(foundSetting);
   }
 
+  @Test
+  public void testMask() {
+    final String passwordKey = "hbase.rpc.tls.keystore.password";
+    Configuration conf = getTestConf();
+    conf.set(passwordKey, "MyPassword");
+    Configuration maskedConf = ConfServlet.mask(conf);
+    assertEquals(ConfServlet.MASKED, maskedConf.get(passwordKey));
+  }
+
   @Test
   public void testBadFormat() throws Exception {
     StringWriter sw = new StringWriter();