How are the Ambari-2.2.1.1 local accounts protected, such as "admin"? What about all the various component's configuration data managed by Ambari-2.2.1.1?
ANSWER:
Ambari local account credentials
These are stored in the Ambari database as the SHA256 hash of the (randomly salted) password.
Service configuration password properties
These are stored in the Ambari database in blobs of JSON-formatted data in plaintext.
When returned via API calls, the properties marked as passwords are masked and not displayed as plaintext.
When sent to the agents, they are stored in plaintext in the command.json files stored in /var/lib/ambari-agent/data (readable only by root and the user that executes ambari-agent).
Ambari-specific database and ldap credentials
These are stored in plaintext in the ambari.properities file by default but can be encrypted via ambari-server setup-security.
If encrypted, they are stored in a Java Keystore implementation (JCEKS) which uses 3DES in CBC mode with PKCS #5 padding to encrypt its keys. The master key for this keystore is either stored in plaintext on the Ambari server host, or query for when Ambari is started.