You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@flume.apache.org by adenes <gi...@git.apache.org> on 2016/10/25 15:35:38 UTC

[GitHub] flume pull request #82: [WIP] Proof of concept for a generic password provid...

GitHub user adenes opened a pull request:

    https://github.com/apache/flume/pull/82

    [WIP] Proof of concept for a generic password provider

    One of the main security concerns regarding Flume is that currently passwords can only be set in plain text in the config file. I have a proof-of-concept to overcome this limitation with an extensible password provider.
    
    The core of the solution is the `PasswordProvider` interface which has a default implementation (`PlainTextPasswordProvider`) which returns the value of the given key, thus taking care of backwards compatibility.
    The other implementation is the `ExternalProcessPasswordProvider` which executes the configured command and returns its output.
    
    Usage example can be seen in the `AvroSource` (see the 2nd commit of this PR):
    ```diff
    - keystorePassword = context.getString(KEYSTORE_PASSWORD_KEY);
    + keystorePassword = PasswordConfigurator.getPassword(context, KEYSTORE_PASSWORD_KEY);
    ```
    
    **Example configuration to use the `ExternalProcessPasswordProvider`:**
    ```
    ...
    a.sources.avro.keystore-password.passwordProviderClass=org.apache.flume.conf.ExternalProcessPasswordProvider
    a.sources.avro.keystore-password.command=get_avro_keystore_password.sh
    ...
    ```
    
    **Example configuration with no `passwordProviderClass` set:**
    ```
    ...
    a.sources.avro.keystore-password=SecretPassword
    ...
    ```
    
    As no `passwordProviderClass` is set in this example the default `PlainTextPasswordProvider` is used which returns the value of `a.sources.avro.keystore-password`.
    
    ---
    
    _Note: this is still a work in progress, I wanted to sketch up my idea. Any questions/comments/suggestions are more than welcome._

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/adenes/flume password-provider

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/flume/pull/82.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #82
    
----
commit 85f96a6e7a660e14b2fe1d2aaceb6021395249df
Author: Denes Arvay <de...@cloudera.com>
Date:   2016-10-25T12:15:11Z

    add generic PasswordProvider
    
    Change-Id: I28a11ccbeb3bd19f8de14c66d4cf47dc6e1c7969

commit b64a7ddca1b00df303c64a237adbb0a1008cf739
Author: Denes Arvay <de...@cloudera.com>
Date:   2016-10-25T13:01:54Z

    use PasswordConfigurator.getPassword in AvroSource
    
    Change-Id: I0dadcb576c9b9eefb557cb8e111cb899cd415c0e

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---