[ https://issues.apache.org/jira/browse/HADOOP-10428?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13960168#comment-13960168 ]
Larry McCay commented on HADOOP-10428:
--------------------------------------

Hi Benoy -

#2 is an interesting point. I view the client side password configuration as the master password for the keystores available to that client. For instance, a particular tenant perhaps based on role would have access to any number of keystores within the cluster deployment. Having to provide the password for those keystores is sufficient, in my mind, since the file permissions on the store itself should additionally protect access to the protected keys. This is in line with the intent of the environment variable specification of the master password. In other words, the password is tied to the client rather than individual keystores. The passwords for individual passwords are more aligned with their file permissions than being based on their own identities/URIs.

> JavaKeyStoreProvider should accept keystore password via configuration falling back to ENV VAR
> -----------------------------------------------------------------------------------------------
>
> Key: HADOOP-10428
> URL: https://issues.apache.org/jira/browse/HADOOP-10428
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 3.0.0
> Reporter: Alejandro Abdelnur
> Assignee: Alejandro Abdelnur
> Attachments: HADOOP-10428.patch, HADOOP-10428.patch, HADOOP-10428.patch
>
>
> Currently the password for the {{JavaKeyStoreProvider}} must be set in an ENV VAR.
> Allowing the password to be set via configuration enables applications to interactively ask for the password before initializing the {{JavaKeyStoreProvider}}.