[
https://issues.apache.org/jira/browse/BEAM-6292?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16796985#comment-16796985
]
Ismaël Mejía commented on BEAM-6292:
------------------------------------
[~mblmat] Am I misreading this issue? I have the impression that this does not
really improve the security at all, the password decrypter is still serialized
(so available if someone wants to decrypt it and hack the service). Also it
should not be Beam responsability to deal with the decryption of the password
(Does Casandra have something to do this?), also if the connection is encrypted
there should not be anyone in the middle. Additionally it adds extra complexity
to the IO (two password methods) that don't add much. I think I am going to
revert this change save if you have a strong argument to keep it.
> PasswordDecrypter: Delay decryption / Avoid serialization
> ---------------------------------------------------------
>
> Key: BEAM-6292
> URL: https://issues.apache.org/jira/browse/BEAM-6292
> Project: Beam
> Issue Type: Improvement
> Components: io-java-cassandra
> Reporter: Mathieu Blanchard
> Assignee: Mathieu Blanchard
> Priority: Minor
> Labels: triaged
> Fix For: 2.12.0
>
> Time Spent: 10h 40m
> Remaining Estimate: 0h
>
> Currently, the password is decrypted before the serialization of the pipeline
> and this causes the raw version to be visible to everyone on the staging
> location.
> To avoid this, we delayed the decryption of the password when connecting to
> the cluster, which ensures that the raw password is never serialized in the
> pipeline.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
