Community Articles

QUESTION:

How are the Ambari-2.2.1.1 local accounts protected, such as "admin"? What about all the various component's configuration data managed by Ambari-2.2.1.1?

ANSWER:

Ambari local account credentials

• These are stored in the Ambari database as the SHA256 hash of the (randomly salted) password.

Service configuration password properties

• These are stored in the Ambari database in blobs of JSON-formatted data in plaintext.
• When returned via API calls, the properties marked as passwords are masked and not displayed as plaintext.
• When sent to the agents, they are stored in plaintext in the command.json files stored in /var/lib/ambari-agent/data (readable only by root and the user that executes ambari-agent).

Ambari-specific database and ldap credentials

• These are stored in plaintext in the ambari.properities file by default but can be encrypted via ambari-server setup-security.
• If encrypted, they are stored in a Java Keystore implementation (JCEKS) which uses 3DES in CBC mode with PKCS #5 padding to encrypt its keys. The master key for this keystore is either stored in plaintext on the Ambari server host, or query for when Ambari is started.