roryqi opened a new issue, #10415:
URL: https://github.com/apache/gravitino/issues/10415
### Describe the proposal
**Problem**

Currently, Gravitino lacks a centralized and secure system for managing credentials (e.g., passwords, access keys, tokens) needed to connect to and interact with underlying data sources (like RDBMS, data lakes, message queues). This leads to:

- **Security Risks:** Credentials may be stored in plaintext within catalog properties or configuration files.
- **Operational Overhead:** Manual credential rotation is cumbersome and error-prone across multiple catalogs.
- **Lack of Audit Trail:** No centralized way to track who accessed or modified which credential.

**Goal**

Integrate a secure Credential Vault into Gravitino to centrally store, manage, and automatically inject credentials for catalog connections and other internal operations.

**Core Requirements**

- **Secure Storage:** Support integration with external secret managers (e.g., HashiCorp Vault, AWS Secrets Manager, KMS) as backends. Provide a secure internal storage option for simplicity.
- **Lifecycle Management:** APIs/UI to create, read, update, rotate, and delete credentials.
- **Catalog Integration:** Allow catalog properties to reference a credential stored in the vault (e.g., `password: {{vault://my-secret/password}}`) instead of containing the actual secret value.
- **Access Control:** Fine-grained access control to determine which users/principals can read or manage specific credentials.
- **Audit Logging:** All access and modifications to credentials must be logged.
### Task list
- [ ]
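The following is an added sketch, not Gravitino code, of how the "Catalog Integration", "Access Control" and "Audit Logging" requirements above fit together: catalog properties keep a `{{vault://<path>/<key>}}` reference, a resolver swaps it for the real value only at connection time after an ACL check, and every lookup (allowed or denied) is written to an audit log. The `SecretBackend` protocol, `InMemoryBackend`, `CredentialResolver` and the ACL shape are assumptions for illustration; a real backend would be HashiCorp Vault, AWS Secrets Manager or similar, and the in-memory secrets are constructed sample data.

```python
"""Resolve {{vault://path/key}} references in catalog properties (illustrative, not Gravitino code)."""
import re
from dataclasses import dataclass
from typing import Protocol

# Reference syntax from the proposal, e.g. {{vault://my-secret/password}}.
# The path may contain slashes; the last segment is the key inside the secret.
VAULT_REF = re.compile(
    r"^\{\{vault://(?P<path>[A-Za-z0-9_./-]+)/(?P<key>[A-Za-z0-9_.-]+)\}\}$"
)
VAULT_PREFIX = "{{vault://"


class SecretBackend(Protocol):
    """Assumed minimal backend interface: a path maps to a dict of key -> value."""
    def read(self, path: str) -> dict[str, str]: ...


class InMemoryBackend:
    """Stand-in for an external secret manager; holds constructed sample data."""
    def __init__(self, secrets: dict[str, dict[str, str]]) -> None:
        self._secrets = secrets

    def read(self, path: str) -> dict[str, str]:
        if path not in self._secrets:
            raise KeyError(f"no secret at {path}")
        return dict(self._secrets[path])


@dataclass(frozen=True)
class AuditEvent:
    principal: str
    path: str
    key: str
    allowed: bool


class AccessDenied(Exception):
    pass


def is_reference(value: object) -> bool:
    """True if a property value is a vault reference rather than a literal."""
    return isinstance(value, str) and VAULT_REF.match(value) is not None


class CredentialResolver:
    def __init__(self, backend: SecretBackend, acl: dict[str, set[str]]) -> None:
        self.backend = backend
        self.acl = acl              # principal -> set of secret paths it may read
        self.audit_log: list[AuditEvent] = []

    def _may_read(self, principal: str, path: str) -> bool:
        return path in self.acl.get(principal, set())

    def resolve(self, principal: str, properties: dict[str, str]) -> dict[str, str]:
        """Return a copy of properties with vault references replaced by secret values.

        Literals pass through unchanged. A value that starts with the vault prefix
        but does not parse is rejected rather than sent downstream as a 'password'.
        """
        resolved: dict[str, str] = {}
        for name, value in properties.items():
            if not isinstance(value, str) or not value.startswith(VAULT_PREFIX):
                resolved[name] = value
                continue
            match = VAULT_REF.match(value)
            if match is None:
                raise ValueError(f"malformed vault reference in property {name!r}")
            path, key = match.group("path"), match.group("key")
            allowed = self._may_read(principal, path)
            # Log every access attempt, including denials, before acting on it.
            self.audit_log.append(AuditEvent(principal, path, key, allowed))
            if not allowed:
                raise AccessDenied(f"{principal} may not read secret {path}")
            resolved[name] = self.backend.read(path)[key]
        return resolved


if __name__ == "__main__":
    backend = InMemoryBackend({"my-secret": {"username": "app", "password": "s3cr3t"}})
    resolver = CredentialResolver(backend, acl={"alice": {"my-secret"}})
    catalog_props = {
        "jdbc-url": "jdbc:mysql://db:3306/sales",
        "jdbc-user": "{{vault://my-secret/username}}",
        "jdbc-password": "{{vault://my-secret/password}}",
    }
    print(resolver.resolve("alice", catalog_props))
    print(resolver.audit_log)
```

Because the stored catalog properties hold only references, rotating a credential is a change in the backend alone: the next `resolve` call picks up the new value and the catalog definition never needs editing, which is the "Operational Overhead" point above. Displaying or exporting catalog properties is likewise safe, since the reference string carries no secret material.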