[ https://issues.apache.org/jira/browse/FLUME-2442?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16372597#comment-16372597 ]

Hudson commented on FLUME-2442:
-------------------------------

UNSTABLE: Integrated in Jenkins build Flume-trunk-hbase-1 #341 (See [https://builds.apache.org/job/Flume-trunk-hbase-1/341/])
FLUME-2442 Need an alternative to providing clear text passwords in (denes: [http://git-wip-us.apache.org/repos/asf/flume/repo?p=flume.git&a=commit&h=beb11e5988b9306eb6e211e0149d65f96d481b0f])
* (add) flume-ng-configfilters/pom.xml
* (edit) flume-ng-doc/sphinx/FlumeUserGuide.rst
* (add) flume-ng-configfilters/flume-ng-external-process-config-filter/src/test/java/org/apache/flume/configfilter/TestExternalProcessConfigFilter.java
* (edit) pom.xml
* (add) flume-ng-configuration/src/test/java/org/apache/flume/conf/source/jms/JMSSourceConfiguration.java
* (add) flume-ng-configfilters/flume-ng-external-process-config-filter/src/main/java/org/apache/flume/configfilter/ExternalProcessConfigFilter.java
* (edit) flume-ng-configuration/src/main/java/org/apache/flume/conf/source/SourceType.java
* (add) flume-ng-configfilters/flume-ng-config-filter-api/src/main/java/org/apache/flume/configfilter/AbstractConfigFilter.java
* (add) flume-ng-configfilters/flume-ng-hadoop-credential-store-config-filter/src/test/resources/test-password.txt
* (add) flume-ng-configuration/src/main/java/org/apache/flume/conf/ComponentWithClassName.java
* (add) flume-ng-configfilters/flume-ng-hadoop-credential-store-config-filter/src/main/java/org/apache/flume/configfilter/HadoopCredentialStoreConfigFilter.java
* (edit) flume-ng-configuration/pom.xml
* (edit) flume-ng-dist/pom.xml
* (add) flume-ng-configfilters/flume-ng-external-process-config-filter/src/test/resources/test_error.sh
* (edit) flume-ng-tests/src/test/java/org/apache/flume/test/util/StagedInstall.java
* (add) flume-ng-configfilters/flume-ng-config-filter-api/pom.xml
* (add) flume-ng-configuration/src/test/java/org/apache/flume/conf/TestFlumeConfigurationConfigFilter.java
* (add) flume-ng-configfilters/flume-ng-config-filter-api/src/main/java/org/apache/flume/configfilter/ConfigFilter.java
* (edit) flume-ng-configuration/src/main/java/org/apache/flume/conf/channel/ChannelConfiguration.java
* (add) flume-ng-configuration/src/test/java/org/apache/flume/conf/configfilter/EnvironmentVariableConfigFilterConfiguration.java
* (add) flume-ng-configfilters/flume-ng-external-process-config-filter/src/test/resources/test.sh
* (add) flume-ng-configfilters/flume-ng-hadoop-credential-store-config-filter/pom.xml
* (edit) flume-ng-configuration/src/main/java/org/apache/flume/conf/channel/ChannelType.java
* (edit) flume-ng-configuration/src/main/java/org/apache/flume/conf/sink/SinkProcessorType.java
* (edit) flume-ng-configuration/src/main/java/org/apache/flume/conf/sink/SinkGroupConfiguration.java
* (add) flume-ng-configfilters/flume-ng-external-process-config-filter/pom.xml
* (add) flume-ng-configuration/src/main/java/org/apache/flume/conf/configfilter/ConfigFilterConfiguration.java
* (edit) flume-ng-configuration/src/main/java/org/apache/flume/conf/sink/SinkType.java
* (add) flume-ng-configuration/src/test/java/org/apache/flume/conf/channel/MemoryChannelConfiguration.java
* (add) flume-ng-configfilters/flume-ng-hadoop-credential-store-config-filter/src/test/resources/test-password2.txt
* (add) flume-ng-configfilters/flume-ng-environment-variable-config-filter/src/main/java/org/apache/flume/configfilter/EnvironmentVariableConfigFilter.java
* (edit) flume-ng-configuration/src/main/java/org/apache/flume/conf/FlumeConfiguration.java
* (add) flume-ng-configuration/src/test/java/org/apache/flume/conf/configfilter/MockConfigFilter.java
* (edit) flume-ng-configuration/src/main/java/org/apache/flume/conf/ComponentConfigurationFactory.java
* (edit) flume-ng-configuration/src/test/java/org/apache/flume/conf/TestFlumeConfiguration.java
* (add) flume-ng-configuration/src/test/java/org/apache/flume/conf/TestAgentConfiguration.java
* (edit) flume-ng-configuration/src/main/java/org/apache/flume/conf/channel/ChannelSelectorType.java
* (edit) flume-ng-configuration/src/main/java/org/apache/flume/conf/sink/SinkProcessorConfiguration.java
* (edit) flume-ng-auth/pom.xml
* (edit) flume-ng-configuration/src/main/java/org/apache/flume/conf/channel/ChannelSelectorConfiguration.java
* (edit) flume-ng-configuration/src/main/java/org/apache/flume/conf/BasicConfigurationConstants.java
* (add) flume-ng-configuration/src/main/java/org/apache/flume/conf/configfilter/ConfigFilterType.java
* (add) flume-ng-configfilters/flume-ng-environment-variable-config-filter/pom.xml
* (edit) flume-ng-configuration/src/main/java/org/apache/flume/conf/source/SourceConfiguration.java
* (add) flume-ng-configuration/src/test/java/org/apache/flume/conf/sink/NullSinkConfiguration.java
* (add) flume-ng-configfilters/flume-ng-hadoop-credential-store-config-filter/src/test/java/org/apache/flume/configfilter/TestHadoopCredentialStoreConfigFilter.java
* (edit) flume-ng-configuration/src/main/java/org/apache/flume/conf/sink/SinkConfiguration.java
* (add) flume-ng-configfilters/flume-ng-environment-variable-config-filter/src/test/java/org/apache/flume/configfilter/TestEnvironmentVariableConfigFilter.java
* (edit) flume-ng-tests/pom.xml
* (add) flume-ng-tests/src/test/java/org/apache/flume/test/agent/TestConfigFilters.java
* (add) flume-ng-configuration/src/main/java/org/apache/flume/conf/ConfigFilterFactory.java
* (edit) flume-ng-configuration/src/main/java/org/apache/flume/Context.java
* (edit) flume-ng-configuration/src/main/java/org/apache/flume/conf/ComponentConfiguration.java


> Need an alternative to providing clear text passwords in flume config
> ---------------------------------------------------------------------
>
>                 Key: FLUME-2442
>                 URL: https://issues.apache.org/jira/browse/FLUME-2442
>             Project: Flume
>          Issue Type: Bug
>          Components: Sinks+Sources
>    Affects Versions: 1.5.0.1
>            Reporter: Roshan Naik
>            Assignee: Venkat Ranganathan
>            Priority: Major
>              Labels: Security
>             Fix For: 1.9.0
>
>         Attachments: FLUME-2442.patch.7, FLUME-2442.patch.9, 
> FLUME-2442.v1.patch, FLUME-2442.v2.patch, FLUME-2442.v3.patch, 
> FLUME-2442.v4.patch, FLUME-2442.v5.patch
>
>
> For some sources and sinks, currently, passwords to keystores/other are 
> specified in clear text in the flume config file. Since flume config files 
> are often easily accessible to a broader audience (like in source control for 
> instance), the visibility of these passwords can be too much and risky for 
> institutions where security is too critical (like banks).
> To help address this visibility issue it would be desirable to do the 
> following two things:
> 1) Store the password in a separate file and provide the path of that 
> password file in the flume config. This will enable the flume config to be 
> shared with a wider audience and reduce risk. The password file will need to 
> be very tightly guarded. Some components like file channel & JMS source 
> already do this.
> 2) As an additional measure, obfuscate the password in the external password 
> file. A simple command line tool can be used to generate the obfuscated 
> password file. Flume source/sink configuration will read the password file 
> and de-obfuscate the password before using it to access the keystore. This 
> obfuscation step IMO is nice but unclear to me if it is essential.
> The following Sources and Sinks appear to use inline cleartext passwords:
> - Avro Source
> - Avro sink
> - HTTP(S) source
> - File Channel
> - JMS Source
> JDBC channel also uses inline passwords but I am not aware of anybody who 
> uses JDBC channel. So it may not be an issue.


