[ https://issues.apache.org/jira/browse/HADOOP-13923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15767874#comment-15767874 ]
Larry McCay commented on HADOOP-13923:
--------------------------------------
bq. Also, keytool comes with the standard JDK, and changing keystore/key passwords
are its standard features. Currently the former is fine and the latter is
broken because of the way we handle Metadata in hadoop JKSP, and I don't see any
benefit of keeping this behavior.
Changing the keystore and key passwords is certainly a standard feature, but
only an extremely small subset of the keytool features. Keytool itself cannot
be used to add arbitrary keys to keystores. It has only implemented enough to
do the PKI keypairs. Encouraging the use of keytool for such a small subset of
commands seems like it will create user issues where folks try to do more with
it. Our use of JCEKS for the KeyProvider API is a Hadoop proprietary
implementation. One day, keytool will have full support for PKCS12 keystores
where we can add arbitrary keys to it in a "standard" way. Hopefully by then we
have a better implementation than a keystore anyway.
I am concerned about backward compatibility and about having to support two
separate ways to handle the metadata just to allow keytool to be used to change
the password.
Since we did expose the fact that some key providers require a password, I
would much rather see a change-password command added to the key shell that can
be used only for providers that "needsPassword".
> Allow changing password on JavaKeyStoreProvider generated keystores
> --------------------------------------------------------------------
>
> Key: HADOOP-13923
> URL: https://issues.apache.org/jira/browse/HADOOP-13923
> Project: Hadoop Common
> Issue Type: Improvement
> Components: kms
> Affects Versions: 2.6.0
> Reporter: Xiao Chen
> Assignee: Xiao Chen
> Attachments: HADOOP-13923.01.patch
>
>
> {{JavaKeyStoreProvider}} generates a jceks keystore file for key storage.
> Although we have different fallbacks in {{ProviderUtils#locatePassword}} to
> specify the keystore password, it appears the password itself can never be
> changed after generation.
> This jira is to make it possible to change the keystore password.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
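The comment above argues that a password change for these keystores has to re-wrap every key entry as well as the store itself, which is where keytool's two commands fall apart on Hadoop's JCEKS files. The program below is an added illustration written for this page, not code from Hadoop, from the patch attached to HADOOP-13923, or from Larry McCay's comment. It assumes, as JavaKeyStoreProvider does, that every entry's key password equals the store password; the default password "none", the alias "mykey@0" and the class name JceksRekey are assumptions chosen for the example. It creates a throwaway JCEKS store with one AES secret key, re-wraps each key entry under the new password, writes the store under the new password, and then checks that only the new password opens it.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.security.KeyStore;
import java.util.Collections;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Illustrative re-keying of a JCEKS keystore (added example, not Hadoop code).
 * Each key entry is unwrapped with the old password and re-wrapped with the new
 * one, then the whole store is written under the new password. Assumption: the
 * key password of every entry equals the store password, which is how
 * JavaKeyStoreProvider uses the single password it is given.
 */
public final class JceksRekey {

    static int rekey(Path store, char[] oldPw, char[] newPw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (InputStream in = Files.newInputStream(store)) {
            ks.load(in, oldPw);   // verifies the store integrity check with the old password
        }
        KeyStore.ProtectionParameter oldProt = new KeyStore.PasswordProtection(oldPw);
        KeyStore.ProtectionParameter newProt = new KeyStore.PasswordProtection(newPw);
        int count = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue;         // trusted-certificate entries carry no password
            }
            // Unwrapping a JCEKS SecretKeyEntry deserializes the stored Key object,
            // so any custom Key class in the store (such as provider metadata
            // entries) must be on this program's classpath.
            KeyStore.Entry e = ks.getEntry(alias, oldProt);
            ks.setEntry(alias, e, newProt);   // re-wrap under the new key password
            count++;
        }
        // Write to a sibling temp file and rename atomically, so a crash mid-write
        // cannot leave a half-written store that neither password opens.
        Path tmp = store.resolveSibling(store.getFileName() + ".tmp");
        try (OutputStream out = Files.newOutputStream(tmp)) {
            ks.store(out, newPw);
        }
        Files.move(tmp, store, StandardCopyOption.REPLACE_EXISTING,
                StandardCopyOption.ATOMIC_MOVE);
        return count;
    }

    /** Builds a throwaway JCEKS store with one AES key so the example runs offline. */
    static void createSample(Path store, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);                   // start from an empty store
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey k = kg.generateKey();
        ks.setEntry("mykey@0", new KeyStore.SecretKeyEntry(k),
                new KeyStore.PasswordProtection(pw));
        try (OutputStream out = Files.newOutputStream(store)) {
            ks.store(out, pw);
        }
    }

    public static void main(String[] args) throws Exception {
        Path store = Files.createTempFile("keystore", ".jceks");
        char[] oldPw = "none".toCharArray();       // assumed default password
        char[] newPw = "s3cret-new".toCharArray(); // constructed for the example
        createSample(store, oldPw);
        int n = rekey(store, oldPw, newPw);
        System.out.println("re-wrapped " + n + " key entries");

        // The new password must open both the store and the key entry.
        KeyStore check = KeyStore.getInstance("JCEKS");
        try (InputStream in = Files.newInputStream(store)) {
            check.load(in, newPw);
        }
        SecretKey got = (SecretKey) check.getKey("mykey@0", newPw);
        System.out.println("key readable with new password: " + (got != null));

        // The old password must be rejected by the store integrity check.
        try (InputStream in = Files.newInputStream(store)) {
            check.load(in, oldPw);
            System.out.println("BUG: old password still opens the store");
        } catch (java.io.IOException expected) {
            System.out.println("old password rejected as expected");
        }
        Files.deleteIfExists(store);
    }
}
```

Compile and run it with `javac JceksRekey.java && java JceksRekey`. The point of re-wrapping every entry rather than only calling `store()` with the new password is that JCEKS protects each secret-key entry with its own key password independently of the store password; changing only the store password leaves entries that still need the old one, which is why a change-password command on the provider side has to handle both.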