[
https://issues.apache.org/jira/browse/HADOOP-10428?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13960256#comment-13960256
]
Benoy Antony commented on HADOOP-10428:
---------------------------------------
Regarding #1, strings are immutable and hence they remain in memory until they
are garbage collected. So if someone can access/dump memory during that window,
they can get to the password. char[] can be cleared by overwriting it after
use.
I did not understand the binary data issue. Wouldn't char[] and _String_ be the
same in terms of handling the binary data?
Regarding #2, thanks [~lmccay] for the explanation. If I understood it
correctly, one password for all key stores seems to be the intent and is not in
the scope of this jira. I'll file a separate jira to see if it needs to be made
more general.
> JavaKeyStoreProvider should accept keystore password via configuration
> falling back to ENV VAR
> -----------------------------------------------------------------------------------------------
>
> Key: HADOOP-10428
> URL: https://issues.apache.org/jira/browse/HADOOP-10428
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 3.0.0
> Reporter: Alejandro Abdelnur
> Assignee: Alejandro Abdelnur
> Attachments: HADOOP-10428.patch, HADOOP-10428.patch,
> HADOOP-10428.patch
>
>
> Currently the password for the {{JavaKeyStoreProvider}} must be set in an ENV
> VAR.
> Allowing the password to be set via configuration enables applications to
> interactively ask for the password before initializing the
> {{JavaKeyStoreProvider}}.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
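The char[] versus String point in the comment above, and the configuration-then-ENV-VAR lookup the jira asks for, as an added stand-alone example. This is not Hadoop's JavaKeyStoreProvider code and does not use Hadoop's Configuration class; the config key "keystore.password", the environment variable KEYSTORE_PASSWORD and the in-memory JCEKS keystore are assumptions made for the example. It loads a keystore with the password held only in a char[] that is zeroed in a finally block, and a comment marks the caveat that whatever String the password arrived in (config value or getenv result) is still an immutable copy that only GC will reclaim.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import javax.crypto.spec.SecretKeySpec;

public class KeyStorePasswordDemo {
    // Hypothetical names chosen for this example; not the project's own keys.
    static final String CONF_PASSWORD_KEY = "keystore.password";
    static final String ENV_PASSWORD_KEY = "KEYSTORE_PASSWORD";

    /**
     * Resolve the keystore password: configuration first, ENV VAR as fallback.
     * Returns a fresh char[] that the caller must wipe after use.
     * Caveat: the String the value arrived in (conf value or getenv result) is
     * immutable and stays in the heap until garbage collected; only this copy
     * can be overwritten deterministically.
     */
    static char[] resolvePassword(Map<String, String> conf) {
        String fromConf = conf.get(CONF_PASSWORD_KEY);
        if (fromConf != null) {
            return fromConf.toCharArray();
        }
        String fromEnv = System.getenv(ENV_PASSWORD_KEY);
        if (fromEnv != null) {
            return fromEnv.toCharArray();
        }
        throw new IllegalStateException(
            "no keystore password in configuration or in " + ENV_PASSWORD_KEY);
    }

    /** Load a JCEKS keystore from bytes, holding the password only as char[]. */
    static KeyStore loadKeyStore(byte[] keystoreBytes, Map<String, String> conf)
            throws Exception {
        char[] password = resolvePassword(conf);
        try {
            KeyStore ks = KeyStore.getInstance("JCEKS");
            ks.load(new ByteArrayInputStream(keystoreBytes), password);
            return ks;
        } finally {
            // Overwrite the only mutable copy as soon as the keystore is open.
            Arrays.fill(password, '\0');
        }
    }

    /** Build a small in-memory JCEKS keystore (constructed sample data). */
    static byte[] buildKeyStore(char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null); // empty keystore
        SecretKeySpec key = new SecretKeySpec(new byte[16], "AES"); // all-zero demo key
        ks.setEntry("demo-key", new KeyStore.SecretKeyEntry(key),
            new KeyStore.PasswordProtection(password));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "s3cret".toCharArray();
        byte[] bytes = buildKeyStore(pw);
        Arrays.fill(pw, '\0');

        // Configuration takes precedence; with no entry, ENV VAR is consulted.
        Map<String, String> conf = Map.of(CONF_PASSWORD_KEY, "s3cret");
        KeyStore ks = loadKeyStore(bytes, conf);
        System.out.println("aliases: " + Collections.list(ks.aliases()));
    }
}
```

Compile and run with `javac KeyStorePasswordDemo.java && java KeyStorePasswordDemo`; it prints the single alias `demo-key`. Removing the map entry and exporting `KEYSTORE_PASSWORD=s3cret` exercises the fallback path, and leaving both unset produces the IllegalStateException.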