[jira] [Commented] (DRILL-7547) More secure storage for mongodb credentials

Fri, 28 Feb 2020 09:12:40 -0800 


    [ 
https://issues.apache.org/jira/browse/DRILL-7547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17047804#comment-17047804
 ] 

ASF GitHub Bot commented on DRILL-7547:
---------------------------------------

dobesv commented on issue #2001: DRILL-7547: Support credentials store for 
mongo connections
URL: https://github.com/apache/drill/pull/2001#issuecomment-592610782
 
 
   > 1. What happens if the user has multiple mongo storage plugins?  Are the 
creds carried over to all of them?  If a user specifies creds in the storage 
plugin config does it overwrite the config file?
   
   The configuration key is based on the plugin name, actually.  `mongo` is the 
default name for the storage plugin, but if you had another one named 
`mongo-prod` you would set `drill.exec.store.mongo-prod.username`.
   
   If the connection string already has credentials, this will not replace them.
   
   > 2. This isn't for this PR, but would it make sense for us to do this for 
other storage plugins that are not likely to have multiple instances?  Kudu, 
HBase or Hive for instance?
   
   I think it is an OK approach for any plugin that has credentials currently 
stored in ZooKeeper.  Note that the key I use is based on the plugin's name so 
you can setup multiple.
   
   
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


> More secure storage for mongodb credentials
> -------------------------------------------
>
>                 Key: DRILL-7547
>                 URL: https://issues.apache.org/jira/browse/DRILL-7547
>             Project: Apache Drill
>          Issue Type: Improvement
>          Components: Storage - MongoDB
>    Affects Versions: 1.17.0
>            Reporter: Dobes Vandermeer
>            Assignee: Dobes Vandermeer
>            Priority: Major
>             Fix For: 1.18.0
>
>
> Currently you can sort of "hide" S3 AWS credentials in core-site.xml, but for 
> the mongodb connection the username and password are accessible from the Web 
> UI, API, and ZooKeeper API because it is placed in the configuration for the 
> storage plugin.
> I wonder if it would be possible to store the username and password used for 
> mongodb connection in a more secure manner, maybe it could be encrypted when 
> you first save it, then even if you look at the configuration for the mongodb 
> storage plugin via the ZooKeeper API you cannot extract the username and 
> password.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to