[
https://issues.apache.org/jira/browse/HADOOP-13923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15872723#comment-15872723
]
Xiao Chen commented on HADOOP-13923:
------------------------------------
Hi [~lmccay],
Thanks for the earlier discussions again. Looking at this again 'soon' after
last comment, and I'm still reluctant to add a {{changePassword}} API, for the
following reasons.
- Adding such an API to KeyProvider makes sense in general. But to make it work
with a {{JavaKeyStoreProvider}}, besides {{KeyShell}}, we also need to change
the KMS which is what uses it now. For KMS, we'll need to add that interface
all the way from {{KMSClientProvider}} to {{KMS}} server, where the
communication is via http rest api. Although all communications are supposed to
be encrypted, this poses new security risks.
- We also need to carefully add a new KMS ACL to control this {{changePassword}}
operation, complicating the already complex KMS ACLs. KMS ACLs now all have 2
levels: kms level and key level. This new operation is only kms level but not
key level, further complicating things.
- Real production keystores shouldn't be JKSP, so the KMS rest api should not
be used. But simply being there is a confusion, and if some admin mistakenly
called that api with a password, they may leak sensitive information.
- Current patch doesn't have compatibility issue, because it falls back to the
old format.
- Idea on adding a {{move}} functionality to migrate keyprovider works, and I
like that idea. :) But it feels like this is a parallel feature. From admin's POV,
changing a keystore password would then require to: setup a new keyprovider
service, migrate, change all client configs to point to the new keyprovider.
I think we can document hard that jksp isn't supposed to be used anywhere
outside of dev/poc, to discourage its use... and use this patch to let whoever is
running on jksp change their password to something other than the default
'none'.
Thoughts?
> Allow changing password on JavaKeyStoreProvider generated keystores
> --------------------------------------------------------------------
>
> Key: HADOOP-13923
> URL: https://issues.apache.org/jira/browse/HADOOP-13923
> Project: Hadoop Common
> Issue Type: Improvement
> Components: kms
> Affects Versions: 2.6.0
> Reporter: Xiao Chen
> Assignee: Xiao Chen
> Attachments: HADOOP-13923.01.patch
>
>
> {{JavaKeyStoreProvider}} generates a jceks keystore file for key storage.
> Although we have different fall backs in {{ProviderUtils#locatePassword}} to
> specify the keystore password, it appears the password itself can never be
> changed after generation.
> This jira is to make it possible to change the keystore password.
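
Added example (not part of the original message or of the Hadoop patch): the mechanism under discussion shown with plain JDK java.security.KeyStore, re-protecting a JCEKS keystore and each key entry under a new password. The class name JceksRekey, the alias and the new password are constructed for illustration; it assumes one password protects both the store and its entries, and it does not use Hadoop classes.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.util.Collections;
import javax.crypto.KeyGenerator;

public class JceksRekey {
    // Moves the store integrity password and every key entry's password
    // from oldPw to newPw (assumption: both use the same password).
    static byte[] rekey(byte[] jceks, char[] oldPw, char[] newPw) throws Exception {
        KeyStore in = KeyStore.getInstance("JCEKS");
        in.load(new ByteArrayInputStream(jceks), oldPw);    // throws on a wrong oldPw
        KeyStore out = KeyStore.getInstance("JCEKS");
        out.load(null, null);                               // start from an empty store
        for (String alias : Collections.list(in.aliases())) {
            if (in.isKeyEntry(alias)) {
                Key k = in.getKey(alias, oldPw);            // unseal with the old password
                out.setKeyEntry(alias, k, newPw, in.getCertificateChain(alias));
            } else {
                out.setCertificateEntry(alias, in.getCertificate(alias));
            }
        }
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        out.store(buf, newPw);                              // integrity hash keyed by newPw
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        char[] oldPw = "none".toCharArray();                // default named in the comment above
        char[] newPw = "constructed-new-password".toCharArray();
        // Constructed sample keystore holding one AES key.
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);
        KeyGenerator gen = KeyGenerator.getInstance("AES");
        gen.init(128);
        ks.setKeyEntry("demo-key", gen.generateKey(), oldPw, null);
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        ks.store(buf, oldPw);

        byte[] rekeyed = rekey(buf.toByteArray(), oldPw, newPw);
        KeyStore check = KeyStore.getInstance("JCEKS");
        check.load(new ByteArrayInputStream(rekeyed), newPw);
        System.out.println("new password opens key: " + (check.getKey("demo-key", newPw) != null));
        try {
            KeyStore.getInstance("JCEKS").load(new ByteArrayInputStream(rekeyed), oldPw);
            System.out.println("old password still accepted");
        } catch (java.io.IOException e) {
            System.out.println("old password rejected");
        }
    }
}
```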