[
https://issues.apache.org/jira/browse/HADOOP-10428?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13960168#comment-13960168
]
Larry McCay commented on HADOOP-10428:
--------------------------------------
Hi Benoy - #2 is an interesting point. I view the client side password
configuration as the master password for the keystores available to that
client. For instance, a particular tenant perhaps based on role would have
access to any number of keystores within the cluster deployment. Having to provide
the password for those keystores is sufficient, in my mind, since the file
permissions on the store itself should additionally protect access to the
protected keys. This is in line with the intent of the environment variable
specification of the master password. In other words, the password is tied to
the client rather than individual keystores. The passwords for individual
passwords are more aligned with their file permissions than being based on
their own identities/URIs.
> JavaKeyStoreProvider should accept keystore password via configuration
> falling back to ENV VAR
> -----------------------------------------------------------------------------------------------
>
> Key: HADOOP-10428
> URL: https://issues.apache.org/jira/browse/HADOOP-10428
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 3.0.0
> Reporter: Alejandro Abdelnur
> Assignee: Alejandro Abdelnur
> Attachments: HADOOP-10428.patch, HADOOP-10428.patch,
> HADOOP-10428.patch
>
>
> Currently the password for the {{JavaKeyStoreProvider}} must be set in an ENV
> VAR.
> Allowing the password to be set via configuration enables applications to
> interactively ask for the password before initializing the
> {{JavaKeyStoreProvider}}.