[ 
https://issues.apache.org/jira/browse/SENTRY-486?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14205016#comment-14205016
 ] 

Mike Yoder commented on SENTRY-486:
-----------------------------------

I spent last Thursday and Friday working with the CredentialProvider code.  
It's new enough upstream that it's not in any release yet.  I back-ported the 
changes containing it into the hadoop code base, and successfully made calls 
into it from Sentry code.  All one-off stuff, but I learned a lot.

From Sentry code, all that's required is literally a one-line change.  This:
{noformat}
conf.get("config.value.containing.password");
{noformat}

Becomes this:
{noformat}
conf.getPassword("config.value.containing.password");
{noformat}

The magic is in the config file, of course.  You have to tell it what 
CredentialProvider to use.  Example:
{noformat}
hadoop.security.credential.provider.path = jceks://file/full/path/to/creds.jceks
{noformat}

Upstream code has one already-implemented provider, the java keystore provider.
It puts the passwords in one password-protected file, which is described above 
in the jceks:// URI.

The password for that file can itself live in a file or in an environment 
variable:
{noformat}
hadoop.security.credstore.java-keystore-provider.password-file = …
or 
environment variable HADOOP_CREDSTORE_PASSWORD
{noformat}

And you can tell it whether or not to fall back to using the regular cleartext 
password in the config file:

{noformat}
hadoop.security.credential.clear-text-fallback = (true|false)
{noformat}

Of course, anyone implementing the CredentialProvider interface can 
interoperate with this mechanism, making it fully pluggable.

There is also a CredentialShell command line interface that can be used to 
get/set/list passwords.  

It looks to me to be entirely possible to hook this interface into whatever 
password management system you desire; I think it meets the requirements you 
mentioned a few comments back.  All you need is a custom CredentialProvider.

I believe that we should utilize this CredentialProvider work.  
* Unification of password management mechanisms across hadoop
* No duplication of code
* It's an existing, tested interface
* Interface is pluggable
* It's the same mechanism that Hive already uses

The only downside, really, is that we have to be patient and wait for the 
CredentialProvider code to make it into a release where we can use it.  This 
shouldn't take that long, however.

I've got nothing at all against your implementation.  Really.  It's just that 
the CredentialProvider got there first and is beginning to be adopted by other 
projects.  Adding another way to deal with passwords would be confusing for our 
users.

-Mike

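As an added illustration (not Sentry project code and not part of Mike's comment), the following Java class walks through the pieces described above: it points `hadoop.security.credential.provider.path` at a `jceks://` keystore, turns off `hadoop.security.credential.clear-text-fallback`, stores an alias through the `CredentialProvider` API (the programmatic equivalent of the `CredentialShell`), and then reads it back with the one-line `conf.getPassword()` change. It assumes a Hadoop build that includes the CredentialProvider classes on the classpath; the keystore URI passed on the command line and the secret value are placeholders.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.alias.CredentialProvider;
import org.apache.hadoop.security.alias.CredentialProviderFactory;

/**
 * Illustrative example only: store a JDBC password in a JCEKS credential
 * provider and read it back via Configuration.getPassword().
 */
public class CredentialProviderExample {

    // Property names as quoted in the discussion above.
    static final String PROVIDER_PATH = "hadoop.security.credential.provider.path";
    static final String CLEAR_TEXT_FALLBACK = "hadoop.security.credential.clear-text-fallback";
    // Existing Sentry property whose value should no longer sit in cleartext.
    static final String JDBC_PASSWORD_KEY = "sentry.store.jdbc.password";

    /** Configuration pointing at the given jceks:// URI, with cleartext fallback disabled. */
    static Configuration providerConf(String jceksUri) {
        Configuration conf = new Configuration(false);
        conf.set(PROVIDER_PATH, jceksUri);
        // With fallback off, a cleartext sentry.store.jdbc.password still present
        // in sentry-site.xml is ignored instead of being silently used.
        conf.setBoolean(CLEAR_TEXT_FALLBACK, false);
        return conf;
    }

    /**
     * Programmatic equivalent of "hadoop credential create": write one alias
     * into the first configured provider. The JCEKS provider takes its own
     * keystore password from HADOOP_CREDSTORE_PASSWORD or from the file named by
     * hadoop.security.credstore.java-keystore-provider.password-file.
     */
    static void storePassword(Configuration conf, String alias, char[] secret) throws IOException {
        List<CredentialProvider> providers = CredentialProviderFactory.getProviders(conf);
        if (providers.isEmpty()) {
            throw new IOException("no CredentialProvider configured under " + PROVIDER_PATH);
        }
        CredentialProvider provider = providers.get(0);
        // createCredentialEntry throws if the alias already exists; delete it first to rotate.
        provider.createCredentialEntry(alias, secret);
        provider.flush(); // persist the keystore file to disk
    }

    /** The one-line change from the comment: conf.getPassword() instead of conf.get(). */
    static char[] readPassword(Configuration conf, String alias) throws IOException {
        char[] pw = conf.getPassword(alias);
        if (pw == null) {
            // getPassword returns null when no provider has the alias and fallback is off.
            throw new IOException("alias " + alias + " not found in any credential provider");
        }
        return pw;
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: CredentialProviderExample jceks://file/full/path/to/creds.jceks");
            System.exit(2);
        }
        Configuration conf = providerConf(args[0]);
        // Placeholder secret for the example; a real deployment sets it via CredentialShell.
        storePassword(conf, JDBC_PASSWORD_KEY, "example-only-secret".toCharArray());

        char[] pw = readPassword(conf, JDBC_PASSWORD_KEY);
        System.out.println("read " + pw.length + " chars for " + JDBC_PASSWORD_KEY);
        // Hand pw to DataNucleus/JDBC here, then wipe it rather than keeping it around.
        Arrays.fill(pw, '\0');
    }
}
```

Run it once with `HADOOP_CREDSTORE_PASSWORD` exported (or the password-file property set) and a writable path for the `.jceks` file; a second run fails at `createCredentialEntry` because the alias already exists, which is the expected guard against accidental overwrites.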

> Add database password obfuscation support for sentry-site.xml
> -------------------------------------------------------------
>
>                 Key: SENTRY-486
>                 URL: https://issues.apache.org/jira/browse/SENTRY-486
>             Project: Sentry
>          Issue Type: Improvement
>    Affects Versions: 1.4.0
>            Reporter: Tuong Truong
>            Assignee: Tuong Truong
>              Labels: security
>         Attachments: SENTRY-486-0.patch, SENTRY-486-1.patch
>
>   Original Estimate: 16h
>  Remaining Estimate: 16h
>
> Currently, the db store database password is in plain-text in the 
> sentry-site.xml file.  This is a security issue.  We need to be able to 
> support encrypted passwords in the config file.
> We plan to add a couple of properties to the sentry-site.xml file.  So in 
> addition to the existing:
>   <property>
>     <name>sentry.store.jdbc.user</name>
>     <value>sentry</value>
>   </property>
>   <property>
>     <name>sentry.store.jdbc.password</name>
>     <value>test</value>
>   </property>
> we propose to add:
>   <property>
>     <name>sentry.store.jdbc.password.encrypted</name>
>     <value>true</value>   // This indicates to Sentry that the password is 
> encrypted -   Default = false
>   </property>
>   <property>
>     <name>sentry.store.jdbc.password.cryptor</name>
>     <value>org.test.decryptor</value>  // This is the class needed to use to 
> decrypt the password
>   </property>
> Sentry will invoke the decrypt() method on org.test.decryptor to obtain the 
> decrypted password to configure DataNucleus.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
