
QUESTION:

How are Ambari-2.2.1.1 local accounts, such as "admin", protected? What about the configuration data of the various components managed by Ambari-2.2.1.1?

ANSWER:

Ambari local account credentials

  • These are stored in the Ambari database as the SHA256 hash of the (randomly salted) password.

Service configuration password properties

  • These are stored in the Ambari database in blobs of JSON-formatted data in plaintext.
  • When returned via API calls, the properties marked as passwords are masked and not displayed as plaintext.
  • When sent to the agents, they are written in plaintext to the command.json files in /var/lib/ambari-agent/data (readable only by root and the user that executes ambari-agent).
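
Because the agent-side copies are plaintext, file permissions are the only control protecting them. The following audit sketch is an added example, not Ambari code: it checks each command file's mode and lists which password-like keys it holds, without printing the values. The `command*.json` name pattern, the key-name heuristic and the sample data are assumptions constructed for illustration.

```python
import json, os, stat, tempfile

SENSITIVE = ("password", "passwd")  # assumption: key-name heuristic, not Ambari's own list

def password_keys(node, prefix=""):
    """Return paths of non-empty string values stored under password-like keys."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            path = f"{prefix}/{key}"
            if isinstance(value, str) and value and any(s in key.lower() for s in SENSITIVE):
                found.append(path)  # record the key path only, never the value
            else:
                found.extend(password_keys(value, path))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found.extend(password_keys(item, f"{prefix}[{i}]"))
    return found

def audit_agent_data(data_dir="/var/lib/ambari-agent/data"):
    """Check each command*.json for group/other permission bits and plaintext passwords."""
    report = {}
    for name in sorted(os.listdir(data_dir)):
        if not (name.startswith("command") and name.endswith(".json")):
            continue  # assumption: file-name pattern for the page's "command.json files"
        path = os.path.join(data_dir, name)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        try:
            with open(path) as fh:
                keys = password_keys(json.load(fh))
        except (OSError, ValueError):
            keys = None  # unreadable or not JSON: report permissions only
        report[name] = {"mode": oct(mode), "password_keys": keys,
                        "too_open": bool(mode & (stat.S_IRWXG | stat.S_IRWXO))}
    return report

def demo():
    """Run the audit over constructed sample files in a temporary directory."""
    sample = {"configurations": {"hive-site": {
        "javax.jdo.option.ConnectionPassword": "constructed-value",
        "hive.metastore.uris": "thrift://example.invalid:9083"}}}
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("command-1.json", 0o600), ("command-2.json", 0o644)):
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                json.dump(sample, fh)
            os.chmod(path, mode)
        return audit_agent_data(tmp)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Any file reported with `too_open` set grants access beyond its owner and should be tightened.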

Ambari-specific database and LDAP credentials

  • These are stored in plaintext in the ambari.properties file by default but can be encrypted via ambari-server setup-security.
  • If encrypted, they are stored in a Java keystore implementation (JCEKS), which uses 3DES in CBC mode with PKCS #5 padding to encrypt its keys. The master key for this keystore is either stored in plaintext on the Ambari server host or queried for when Ambari is started.
Version history
Revision #:
1 of 1
Last update:
05-17-2016 01:06 PM
Updated by:
Contributor vxu
 