[ https://issues.apache.org/jira/browse/SENTRY-486?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14205485#comment-14205485 ]
Tuong Truong commented on SENTRY-486:
-------------------------------------
Thank you, Mike [~yoderme], for the detailed info on CredentialProvider. I
totally agree with your and Lenni's points on using a common API, especially
when it's at the Hadoop common layer. For the issue that this JIRA originally
raises, using CredentialProvider is the best option. No worries, Mike. If
it's the right thing to do for the project, I am all for it :)).
I will need to look into using a customized CredentialProvider to provide a more
flexible password management option for only selected components.
> Add database password obfuscation support for sentry-site.xml
> -------------------------------------------------------------
>
> Key: SENTRY-486
> URL: https://issues.apache.org/jira/browse/SENTRY-486
> Project: Sentry
> Issue Type: Improvement
> Affects Versions: 1.4.0
> Reporter: Tuong Truong
> Assignee: Tuong Truong
> Labels: security
> Attachments: SENTRY-486-0.patch, SENTRY-486-1.patch
>
> Original Estimate: 16h
> Remaining Estimate: 16h
>
> Currently, the db store database password is in plain text in the
> sentry-site.xml file. This is a security issue. We need to be able to
> support an encrypted password in the config file.
> We plan to add a couple of properties to the sentry-site.xml file. So in
> addition to the existing:
> <property>
>   <name>sentry.store.jdbc.user</name>
>   <value>sentry</value>
> </property>
> <property>
>   <name>sentry.store.jdbc.password</name>
>   <value>test</value>
> </property>
> we propose to add:
> <property>
>   <name>sentry.store.jdbc.password.encrypted</name>
>   <!-- This indicates to Sentry that the password is encrypted. Default = false -->
>   <value>true</value>
> </property>
> <property>
>   <name>sentry.store.jdbc.password.cryptor</name>
>   <!-- This is the class to use to decrypt the password -->
>   <value>org.test.decryptor</value>
> </property>
> Sentry will invoke the decrypt() method on org.test.decryptor to obtain the
> decrypted password to configure DataNucleus.
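
The CredentialProvider route endorsed in the comment above, as an added example (not code from this thread or from the attached patches): it stores the database password in a Hadoop JCEKS keystore and resolves it through Configuration.getPassword(), including the clear-text fallback a leftover plaintext value in sentry-site.xml would trigger. Assumptions: Hadoop 2.6 or later on the classpath, the property name reused as the credential alias, a temporary keystore path, a constructed secret, and a hypothetical second property name for the fallback case.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.alias.CredentialProvider;
import org.apache.hadoop.security.alias.CredentialProviderFactory;

public class SentryDbPasswordLookup {
    // Property name from the issue, reused here as the keystore alias (assumption).
    static final String ALIAS = "sentry.store.jdbc.password";

    public static void main(String[] args) throws Exception {
        // Constructed keystore location for the demo. A real keystore needs tight
        // file permissions and a keystore password (HADOOP_CREDSTORE_PASSWORD);
        // this demo relies on Hadoop's built-in default keystore password.
        Path dir = Files.createTempDirectory("sentry-cred-demo");
        String providerUri = "jceks://file" + dir.resolve("sentry.jceks").toAbsolutePath();

        Configuration conf = new Configuration(false);
        conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, providerUri);

        // Write the secret into the keystore instead of the XML config file.
        CredentialProvider provider = CredentialProviderFactory.getProviders(conf).get(0);
        char[] secret = "constructed-demo-secret".toCharArray();
        provider.createCredentialEntry(ALIAS, secret);
        provider.flush();

        // Simulate a stale plaintext value still present in sentry-site.xml.
        conf.set(ALIAS, "test");

        // The provider is consulted first, so the keystore value wins.
        char[] resolved = conf.getPassword(ALIAS);
        System.out.println("resolved from keystore: "
            + java.util.Arrays.equals(resolved, secret));

        // An alias missing from the keystore silently falls back to the
        // plaintext config value unless the fallback is disabled.
        String missing = "sentry.store.jdbc.password.demo"; // hypothetical name
        conf.set(missing, "plaintext-in-xml");
        System.out.println("fallback enabled, value returned: "
            + (conf.getPassword(missing) != null));

        conf.setBoolean("hadoop.security.credential.clear-text-fallback", false);
        System.out.println("fallback disabled, value returned: "
            + (conf.getPassword(missing) != null));
    }
}
```

With the fallback disabled, a missing keystore entry yields null instead of a plaintext password, so a misconfigured deployment fails at startup rather than running on a secret left in the config file.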