[ https://issues.apache.org/jira/browse/HADOOP-13923?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Xiao Chen updated HADOOP-13923:
-------------------------------
    Attachment: HADOOP-13923.01.patch

Attaching patch 1, to allow using keytool to change the key password. This is 
implemented in a backwards-compatible way.

The reason to choose keytool is as follows:
- One can already use keytool to change the keystore password. Supporting 
keytool to change the password is more intuitive.
- Also to the intuitive point: currently when trying to change the key password 
using keytool, an error is shown: {{keytool error: 
java.security.UnrecoverableKeyException: unexpected block data}}. A user has 
no way to figure this out without looking at Hadoop code.
- An alternative is to let the JKSProvider support it, by either adding an 
interface, which pollutes the KeyProvider interface, or adding a configuration 
and changing the password on startup, which is nasty and hard to maintain.
- If an older version keystore exists and user wants to change its password, 
he/she can upgrade to the new version of hadoop, {{getMetadata}} on all keys 
(so that they're in cache), then trigger a {{flush}}. This will make the keys 
stored as the new format. (Manually tested, overwhelmed to unit test IMHO)

> Allow changing password on JavaKeyStoreProvider generated keystores 
> --------------------------------------------------------------------
>
>                 Key: HADOOP-13923
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13923
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: kms
>    Affects Versions: 2.6.0
>            Reporter: Xiao Chen
>            Assignee: Xiao Chen
>         Attachments: HADOOP-13923.01.patch
>
>
> {{JavaKeyStoreProvider}} generates a jceks keystore file for key storage. 
> Although we have different fall backs in {{ProviderUtils#locatePassword}} to 
> specify the keystore password, it appears the password itself can never be 
> changed after generation.
> This jira is to make it possible to change the keystore password.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
