Posted to commits@sentry.apache.org by "Mike Yoder (JIRA)" <ji...@apache.org> on 2014/11/04 23:13:34 UTC

[jira] [Commented] (SENTRY-486) Add database password obfuscation support for sentry-site.xml

    [ https://issues.apache.org/jira/browse/SENTRY-486?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14196943#comment-14196943 ] 

Mike Yoder commented on SENTRY-486:
-----------------------------------

Interesting approach.  

Have you considered using the CredentialProvider, from HADOOP-10904?  I haven't played with it myself, but I believe that it solves the same problem.  We might not want to re-invent another solution.  I was actually going to look into the CredentialProvider myself later this week. :-)

Your thoughts?
-Mike

> Add database password obfuscation support for sentry-site.xml
> -------------------------------------------------------------
>
>                 Key: SENTRY-486
>                 URL: https://issues.apache.org/jira/browse/SENTRY-486
>             Project: Sentry
>          Issue Type: Improvement
>    Affects Versions: 1.4.0
>            Reporter: Tuong Truong
>            Assignee: Tuong Truong
>              Labels: security
>         Attachments: SENTRY-486-0.patch
>
>   Original Estimate: 16h
>  Remaining Estimate: 16h
>
> Currently, the db store database password is in plain text in the sentry-site.xml file.  This is a security issue.  We need to be able to support an encrypted password in the config file.
> We plan to add a couple of properties to the sentry-site.xml file.  So in addition to the existing:
>   <property>
>     <name>sentry.store.jdbc.user</name>
>     <value>sentry</value>
>   </property>
>   <property>
>     <name>sentry.store.jdbc.password</name>
>     <value>test</value>
>   </property>
> we propose to add:
>   <property>
>     <name>sentry.store.jdbc.password.encrypted</name>
>     <value>true</value>   <!-- This indicates to Sentry that the password is encrypted. Default = false -->
>   </property>
>   <property>
>     <name>sentry.store.jdbc.password.cryptor</name>
>     <value>org.test.decryptor</value>  <!-- This is the class used to decrypt the password -->
>   </property>
> Sentry will invoke the decrypt() method on org.test.decryptor to obtain the decrypted password to configure DataNucleus.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
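
A configuration check for the problem this thread discusses, as an added example that is not part of the thread or of Sentry's code: it parses a sentry-site.xml and flags a literal sentry.store.jdbc.password that is not marked encrypted, or an encrypted flag with no cryptor class. Treating hadoop.security.credential.provider.path as an accepted alternative password source is an assumption, as are the finding names and the sample files.

```python
import xml.etree.ElementTree as ET

# Property names quoted in the issue description.
PASSWORD = "sentry.store.jdbc.password"
ENCRYPTED = "sentry.store.jdbc.password.encrypted"
CRYPTOR = "sentry.store.jdbc.password.cryptor"
# Hadoop's credential store setting; that Sentry would honour it is an assumption.
PROVIDER_PATH = "hadoop.security.credential.provider.path"


def load_properties(xml_text):
    """Return {name: value} from Hadoop-style <configuration><property> XML."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()  # last one wins
    return props


def audit(xml_text):
    """List findings about how the db store password is kept in the file."""
    props = load_properties(xml_text)
    findings = []
    has_value = bool(props.get(PASSWORD))
    encrypted = props.get(ENCRYPTED, "false").lower() == "true"  # default false
    if has_value and not encrypted:
        findings.append("plaintext-password")
    if encrypted and not props.get(CRYPTOR):
        findings.append("encrypted-without-cryptor")
    if not has_value and not props.get(PROVIDER_PATH):
        findings.append("no-password-source")
    return findings


def site(*pairs):
    """Build a constructed sample file from (name, value) pairs."""
    body = "".join(
        f"<property><name>{n}</name><value>{v}</value></property>" for n, v in pairs)
    return f"<configuration>{body}</configuration>"


# Constructed samples, not taken from a real deployment.
PLAIN = site((PASSWORD, "test"))
PROPOSED = site((PASSWORD, "b2JmdXNjYXRlZA=="), (ENCRYPTED, "true"),
                (CRYPTOR, "org.test.decryptor"))
BROKEN = site((PASSWORD, "b2JmdXNjYXRlZA=="), (ENCRYPTED, "true"))
PROVIDER = site((PROVIDER_PATH, "jceks://file/constructed/path/sentry.jceks"))
```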