[
https://issues.apache.org/jira/browse/BEAM-6292?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16797002#comment-16797002
]
Mathieu Blanchard commented on BEAM-6292:
-----------------------------------------
[~iemejia] Currently, the password is decrypted before the serialization of the
pipeline and this causes the raw version to be visible to everyone on the
staging location (e.g. Google Compute Storage).
To avoid this, we delayed the decryption of the password when connecting to the
cluster, which ensures that the raw password is never serialized in the
pipeline (n.b. In our case, we use Google KMS to decrypt Cassandra's password).
Clearly the connection is encrypted and it's not Beam's responsibility to
decrypt the password, therefore we use KMS to do that. The only point that we
are trying to fix is to not expose the raw version of the password, on the
staging location or anywhere.
> PasswordDecrypter: Delay decryption / Avoid serialization
> ---------------------------------------------------------
>
> Key: BEAM-6292
> URL: https://issues.apache.org/jira/browse/BEAM-6292
> Project: Beam
> Issue Type: Improvement
> Components: io-java-cassandra
> Reporter: Mathieu Blanchard
> Assignee: Mathieu Blanchard
> Priority: Minor
> Labels: triaged
> Fix For: 2.12.0
>
> Time Spent: 10h 40m
> Remaining Estimate: 0h
>
> Currently, the password is decrypted before the serialization of the pipeline
> and this causes the raw version to be visible to everyone on the staging
> location.
> To avoid this, we delayed the decryption of the password when connecting to
> the cluster, which ensures that the raw password is never serialized in the
> pipeline.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
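
The difference between decrypting before serialization and decrypting at connect time, as an added example that is not Beam's code and not part of the original message. All class names are hypothetical, and the Base64 "decrypter" only stands in for the KMS call and provides no confidentiality.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class DelayedDecryptionDemo {
    // Hypothetical stand-in for a KMS-backed decrypter. Base64 is NOT encryption;
    // it only marks where the remote KMS call would happen on the worker.
    interface Decrypter extends Serializable {
        String decrypt(String ciphertext);
    }
    static class FakeKmsDecrypter implements Decrypter {
        public String decrypt(String ciphertext) {
            return new String(Base64.getDecoder().decode(ciphertext), StandardCharsets.UTF_8);
        }
    }

    // Before: plaintext is resolved at pipeline construction, so it becomes a serialized field.
    static class EagerConfig implements Serializable {
        final String password;
        EagerConfig(String ciphertext, Decrypter d) { this.password = d.decrypt(ciphertext); }
    }

    // After: only ciphertext and the decrypter are serialized; plaintext exists only at connect time.
    static class DelayedConfig implements Serializable {
        final String encryptedPassword;
        final Decrypter decrypter;
        DelayedConfig(String ciphertext, Decrypter d) { this.encryptedPassword = ciphertext; this.decrypter = d; }
        String passwordForConnect() { return decrypter.decrypt(encryptedPassword); }
    }

    // Serializes the object the way a staged pipeline would and searches the bytes for the secret.
    static boolean serializedFormContains(Serializable obj, String needle) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(obj); }
        // ISO_8859_1 maps bytes 1:1 to chars, so an ASCII needle can be searched directly.
        return new String(buf.toByteArray(), StandardCharsets.ISO_8859_1).contains(needle);
    }

    public static void main(String[] args) throws IOException {
        String plaintext = "s3cr3t-constructed"; // constructed sample value
        String ciphertext = Base64.getEncoder().encodeToString(plaintext.getBytes(StandardCharsets.UTF_8));
        Decrypter kms = new FakeKmsDecrypter();
        System.out.println("eager leaks plaintext:   " + serializedFormContains(new EagerConfig(ciphertext, kms), plaintext));
        System.out.println("delayed leaks plaintext: " + serializedFormContains(new DelayedConfig(ciphertext, kms), plaintext));
        System.out.println("connect-time decrypt ok: " + new DelayedConfig(ciphertext, kms).passwordForConnect().equals(plaintext));
    }
}
```

The same byte search can serve as a regression test over any serialized pipeline configuration that carries credentials.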