Posted to common-issues@hadoop.apache.org by "Xiao Chen (JIRA)" <ji...@apache.org> on 2017/02/17 23:22:44 UTC

[jira] [Commented] (HADOOP-13923) Allow changing password on JavaKeyStoreProvider generated keystores

    [ https://issues.apache.org/jira/browse/HADOOP-13923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15872723#comment-15872723 ] 

Xiao Chen commented on HADOOP-13923:
------------------------------------

Hi [~lmccay],
Thanks for the earlier discussions again. Looking at this again 'soon' after the last comment, I'm still reluctant to add a {{changePassword}} API, for the following reasons.
- Adding such an API to KeyProvider makes sense in general. But to make it work with a {{JavaKeyStoreProvider}}, besides {{KeyShell}}, we also need to change the KMS, which is what uses it now. For KMS, we'll need to add that interface all the way from {{KMSClientProvider}} to the {{KMS}} server, where the communication is via HTTP REST API. Although all communications are supposed to be encrypted, this poses new security risks.
- Also need to carefully add a new KMS ACL to control this {{changePassword}} operation, complicating the already complex KMS ACLs. KMS ACLs now all have 2 levels: kms level and key level. This new operation is only kms level but not key level, further complicating things.
- Real production keystores shouldn't be JKSP, so the KMS REST API should not be used. But simply being there is a confusion, and if some admin mistakenly called that API with a password, they may leak sensitive information.
- Current patch doesn't have compatibility issue, because it falls back to the old format.
- Idea on adding a {{move}} functionality to migrate keyprovider works, and I like that idea. :) But feels this is a parallel feature. From admin's POV, changing a keystore password would then require them to: set up a new keyprovider service, migrate, change all client configs to point to the new keyprovider.

I think we can document hard that jksp isn't supposed to be used anywhere outside of dev/poc, to discourage its use... and use this patch to let whoever is running on jksp change their password to something other than the default 'none'.

Thoughts?

> Allow changing password on JavaKeyStoreProvider generated keystores 
> --------------------------------------------------------------------
>
>                 Key: HADOOP-13923
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13923
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: kms
>    Affects Versions: 2.6.0
>            Reporter: Xiao Chen
>            Assignee: Xiao Chen
>         Attachments: HADOOP-13923.01.patch
>
>
> {{JavaKeyStoreProvider}} generates a jceks keystore file for key storage. Although we have different fall backs in {{ProviderUtils#locatePassword}} to specify the keystore password, it appears the password itself can never be changed after generation.
> This jira is to make it possible to change the keystore password.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
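
For readers following the issue, this is what changing the password of a jceks file involves at the JDK level. It is an added example using the standard java.security.KeyStore API, not code from the HADOOP-13923 patch or from Hadoop. The class name JceksRekey, the rekey helper, the alias and the new password are hypothetical, the sample store is constructed, and the code assumes every key entry is protected with the same password as the store itself.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.util.Collections;
import javax.crypto.KeyGenerator;

public class JceksRekey {
    // Re-protect every key entry, and the store's integrity check, with newPw.
    static void rekey(Path file, char[] oldPw, char[] newPw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, oldPw); // throws IOException on wrong password or modified file
        }
        for (String alias : Collections.list(ks.aliases())) { // snapshot: entries are replaced below
            if (!ks.isKeyEntry(alias)) continue;
            Key key = ks.getKey(alias, oldPw); // assumption: entry password == store password
            ks.setKeyEntry(alias, key, newPw, ks.getCertificateChain(alias));
        }
        // Write beside the original, then rename, so a failure never leaves a half-written store.
        Path tmp = file.resolveSibling(file.getFileName() + ".rekey");
        try (OutputStream out = Files.newOutputStream(tmp)) {
            ks.store(out, newPw);
        }
        Files.move(tmp, file, StandardCopyOption.REPLACE_EXISTING);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample store: one AES key under the default password 'none'.
        Path file = Files.createTempFile("demo", ".jceks");
        char[] oldPw = "none".toCharArray();
        char[] newPw = "constructed-new-password".toCharArray();
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, oldPw);
        KeyGenerator gen = KeyGenerator.getInstance("AES");
        gen.init(128);
        ks.setKeyEntry("demo-key", gen.generateKey(), oldPw, null);
        try (OutputStream out = Files.newOutputStream(file)) { ks.store(out, oldPw); }
        rekey(file, oldPw, newPw);
        KeyStore check = KeyStore.getInstance("JCEKS");
        try (InputStream in = Files.newInputStream(file)) { check.load(in, newPw); }
        System.out.println("new password reads key: " + (check.getKey("demo-key", newPw) != null));
        try (InputStream in = Files.newInputStream(file)) {
            KeyStore.getInstance("JCEKS").load(in, oldPw);
            System.out.println("old password still accepted");
        } catch (IOException e) {
            System.out.println("old password rejected");
        }
        Files.delete(file);
    }
}
```

Copies or backups of the file made before the change remain readable with the old password, so they need to be rotated or destroyed along with it.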