001/**
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018
019package org.apache.hadoop.conf;
020
021import java.util.ArrayList;
022import java.util.Arrays;
023import java.util.List;
024import java.util.regex.Pattern;
025
026import static org.apache.hadoop.fs.CommonConfigurationKeys.*;
027
028/**
029 * Tool for redacting sensitive information when displaying config parameters.
030 *
031 * <p>Some config parameters contain sensitive information (for example, cloud
032 * storage keys). When these properties are displayed in plaintext, we should
 * redact their values as appropriate.
034 */
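public class ConfigRedactor {

  /** Text returned in place of a sensitive value. */
  private static final String REDACTED_TEXT = "<redacted>";

  /** Separator between entries of the configured regex list. */
  private static final String REGEX_SEPARATOR = ",";

  /**
   * Compiled patterns from the sensitive-key configuration. A key that
   * matches any of them (substring match, see {@link #configIsSensitive})
   * is redacted. Populated once in the constructor and never changed.
   */
  private final List<Pattern> compiledPatterns;

  /**
   * Builds a redactor from the comma-separated list of regular expressions
   * stored under {@code HADOOP_SECURITY_SENSITIVE_CONFIG_KEYS}, falling back
   * to {@code HADOOP_SECURITY_SENSITIVE_CONFIG_KEYS_DEFAULT} when unset.
   *
   * <p>Each entry is trimmed and blank entries are skipped. Without this a
   * stray trailing comma or a space after a comma would compile an empty (or
   * space-prefixed) pattern: the empty pattern matches every key, so the whole
   * configuration would be redacted, and a space-prefixed pattern silently
   * fails to match the key it was meant to protect.
   *
   * @param conf configuration to read the sensitive-key regex list from
   * @throws java.util.regex.PatternSyntaxException if an entry is not a valid
   *         regular expression
   */
  public ConfigRedactor(Configuration conf) {
    String sensitiveRegexList = conf.get(
        HADOOP_SECURITY_SENSITIVE_CONFIG_KEYS,
        HADOOP_SECURITY_SENSITIVE_CONFIG_KEYS_DEFAULT);
    compiledPatterns = compilePatterns(sensitiveRegexList);
  }

  /**
   * Splits {@code regexList} on {@link #REGEX_SEPARATOR} and compiles every
   * non-blank entry after trimming surrounding whitespace.
   *
   * @param regexList comma-separated regular expressions; must not be null
   * @return compiled patterns in configuration order, blank entries omitted
   * @throws java.util.regex.PatternSyntaxException if an entry is not a valid
   *         regular expression
   */
  private static List<Pattern> compilePatterns(String regexList) {
    List<String> sensitiveRegexes =
        Arrays.asList(regexList.split(REGEX_SEPARATOR));
    List<Pattern> patterns = new ArrayList<Pattern>();
    for (String regex : sensitiveRegexes) {
      String trimmed = regex.trim();
      // An empty pattern matches every key; never let one into the list.
      if (!trimmed.isEmpty()) {
        patterns.add(Pattern.compile(trimmed));
      }
    }
    return patterns;
  }

  /**
   * Given a key / value pair, decides whether or not to redact and returns
   * either the original value or text indicating it has been redacted.
   *
   * @param key config key to test against the sensitive patterns; must not
   *            be null
   * @param value the value belonging to {@code key}; returned unchanged when
   *              the key is not sensitive (may be null)
   * @return Original value, or text indicating it has been redacted
   */
  public String redact(String key, String value) {
    if (configIsSensitive(key)) {
      return REDACTED_TEXT;
    }
    return value;
  }

  /**
   * Matches given config key against patterns and determines whether or not
   * it should be considered sensitive enough to redact in logs and other
   * plaintext displays.
   *
   * <p>Uses {@code Matcher.find()}, so a pattern matches if it occurs anywhere
   * in the key; patterns that should match the whole key must anchor
   * themselves with {@code ^} / {@code $}.
   *
   * @param key config key; must not be null
   * @return True if parameter is considered sensitive
   */
  private boolean configIsSensitive(String key) {
    for (Pattern regex : compiledPatterns) {
      if (regex.matcher(key).find()) {
        return true;
      }
    }
    return false;
  }
}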