You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sentry.apache.org by "Mike Yoder (JIRA)" <ji...@apache.org> on 2014/11/04 23:13:34 UTC
[jira] [Commented] (SENTRY-486) Add database password obfuscation
support for sentry-site.xml
[ https://issues.apache.org/jira/browse/SENTRY-486?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14196943#comment-14196943 ]
Mike Yoder commented on SENTRY-486:
-----------------------------------
Interesting approach.
Have you considered using the CredentialProvider, from HADOOP-10904? I haven't played with it myself, but I believe that it solves the same problem. We might not want to re-invent another solution. I was actually going to look into the CredentialProvider myself later this week. :-)
Your thoughts?
-Mike
> Add database password obfuscation support for sentry-site.xml
> -------------------------------------------------------------
>
> Key: SENTRY-486
> URL: https://issues.apache.org/jira/browse/SENTRY-486
> Project: Sentry
> Issue Type: Improvement
> Affects Versions: 1.4.0
> Reporter: Tuong Truong
> Assignee: Tuong Truong
> Labels: security
> Attachments: SENTRY-486-0.patch
>
> Original Estimate: 16h
> Remaining Estimate: 16h
>
> Currently, the db store database password is in plain-text in the sentry-site.xml file. This is a security issue. We need to be able to support encrypted password in the config file.
> We plan to add a couple of property into the sentry-site.xml file. So in addition to the existing:
> <property>
> <name>sentry.store.jdbc.user</name>
> <value>sentry</value>
> </property>
> <property>
> <name>sentry.store.jdbc.password</name>
> <value>test</value>
> </property>
> we propose to add:
> <property>
> <name>sentry.store.jdbc.password.encrypted</name>
> <value>true</value> // This indicate to Sentry that the password is encrypted - Default = false
> </property>
> <property>
> <name>sentry.store.jdbc.password.cryptor</name>
> <value>org.test.decryptor</value> // This is the class needed to use to decrypt the password
> </property>
> Sentry will invoke the decrypt() method on org.test.decryptor to obtain the decrypted password to configure DataNucleus.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)