[ https://issues.apache.org/jira/browse/SENTRY-486?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14197174#comment-14197174 ]
Mike Yoder commented on SENTRY-486:
-----------------------------------
I confess I don't understand your comment about solving the same problem at
different levels - don't they solve the exact same problem: getting clear text
passwords out of config files?

I also don't understand your reference to the Hive metastore.

What I think we ought to avoid are several different mechanisms in the Hadoop
ecosystem to get passwords out of config files. It makes it harder for users to
configure, and more work for those who want to provide a uniform interface for
this ability across components.

While your approach does seem reasonable to my eyes, I think the
CredentialProvider beat you to it. Like I said, I was planning on taking a
close look at this very issue on Thursday and Friday of this week; I'll be able
to talk more intelligently about it after that.
> Add database password obfuscation support for sentry-site.xml
> -------------------------------------------------------------
>
> Key: SENTRY-486
> URL: https://issues.apache.org/jira/browse/SENTRY-486
> Project: Sentry
> Issue Type: Improvement
> Affects Versions: 1.4.0
> Reporter: Tuong Truong
> Assignee: Tuong Truong
> Labels: security
> Attachments: SENTRY-486-0.patch
>
> Original Estimate: 16h
> Remaining Estimate: 16h
>
> Currently, the db store database password is in plain text in the
> sentry-site.xml file. This is a security issue. We need to be able to
> support an encrypted password in the config file.
>
> We plan to add a couple of properties to the sentry-site.xml file. So in
> addition to the existing:
>
>   <property>
>     <name>sentry.store.jdbc.user</name>
>     <value>sentry</value>
>   </property>
>   <property>
>     <name>sentry.store.jdbc.password</name>
>     <value>test</value>
>   </property>
>
> we propose to add:
>
>   <property>
>     <name>sentry.store.jdbc.password.encrypted</name>
>     <!-- This indicates to Sentry that the password is encrypted. Default = false -->
>     <value>true</value>
>   </property>
>   <property>
>     <name>sentry.store.jdbc.password.cryptor</name>
>     <!-- This is the class to use to decrypt the password -->
>     <value>org.test.decryptor</value>
>   </property>
>
> Sentry will invoke the decrypt() method on org.test.decryptor to obtain the
> decrypted password to configure DataNucleus.
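The lookup proposed in the issue description quoted above (an encrypted flag plus a cryptor class whose decrypt() is invoked), written out as an added example; it is not code from SENTRY-486-0.patch or from Sentry. The PasswordCryptor interface, the Base64Cryptor stand-in and the use of java.util.Properties in place of Sentry's configuration object are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Properties;

public class SentryPasswordResolver {
    /** Hypothetical contract: the issue names only a decrypt() method. */
    public interface PasswordCryptor {
        char[] decrypt(String stored) throws Exception;
    }
    /** Constructed stand-in. Base64 is obfuscation, not encryption. */
    public static class Base64Cryptor implements PasswordCryptor {
        public char[] decrypt(String stored) {
            byte[] raw = Base64.getDecoder().decode(stored);
            return new String(raw, StandardCharsets.UTF_8).toCharArray();
        }
    }
    static final String PW = "sentry.store.jdbc.password";

    public static char[] resolve(Properties conf) throws Exception {
        String stored = conf.getProperty(PW);
        if (stored == null) {
            throw new IllegalStateException(PW + " is not set");
        }
        // Default = false, as in the proposal: the value is used unchanged.
        if (!Boolean.parseBoolean(conf.getProperty(PW + ".encrypted", "false"))) {
            return stored.toCharArray();
        }
        String cls = conf.getProperty(PW + ".cryptor");
        if (cls == null) {
            // Fail closed rather than pass the stored value on as the password.
            throw new IllegalStateException(PW + ".cryptor is not set");
        }
        // Load without running static initializers; asSubclass then rejects any
        // configured class that does not implement PasswordCryptor.
        Class<? extends PasswordCryptor> type = Class
            .forName(cls, false, SentryPasswordResolver.class.getClassLoader())
            .asSubclass(PasswordCryptor.class);
        return type.getDeclaredConstructor().newInstance().decrypt(stored);
    }

    public static void main(String[] args) throws Exception {
        Properties conf = new Properties(); // constructed sample values
        String enc = Base64.getEncoder().encodeToString("test".getBytes(StandardCharsets.UTF_8));
        conf.setProperty(PW, enc);
        conf.setProperty(PW + ".encrypted", "true");
        conf.setProperty(PW + ".cryptor", Base64Cryptor.class.getName());
        System.out.println("matches: " + "test".equals(new String(resolve(conf))));
    }
}
```

Because the cryptor class name comes from the same file as the stored password, the file's permissions still bound how much protection this scheme gives.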