hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Xiao Chen (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-13923) Allow changing password on JavaKeyStoreProvider generated keystores
Date Tue, 20 Dec 2016 06:26:58 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-13923?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Xiao Chen updated HADOOP-13923:
    Attachment: HADOOP-13923.01.patch

Attaching patch 1, to allow using keytool to change the key password. This is implemented
in a backwards-compatible way.

The reason to choose keytool is as follows:
- One can already use keytool to change the keystore password. Supporting keytool to change
the password is more intuitive.
- Also to the intuitive point: currently when trying to change the key password using keytool,
an error is shown: {{keytool error: java.security.UnrecoverableKeyException: unexpected block
data}}. An user has to way to figure this out without looking at hadoop code.
- An alternative is let the JKSProvider to support it - by either add an interface, which
pollutes the KeyProvider interface, or add a configuration and change the password on startup,
which is nasty and hard to maintain.
- If an older version keystore exists and user wants to change its password, he/she can upgrade
to the new version of hadoop, {{getMetadata}} on all keys (so that they're in cache), then
trigger a {{flush}}. This will make the keys stored as the new format. (Manually tested, overwhelmed
to unit test IMHO)

> Allow changing password on JavaKeyStoreProvider generated keystores 
> --------------------------------------------------------------------
>                 Key: HADOOP-13923
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13923
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: kms
>    Affects Versions: 2.6.0
>            Reporter: Xiao Chen
>            Assignee: Xiao Chen
>         Attachments: HADOOP-13923.01.patch
> {{JavaKeyStoreProvider}} generates a jceks keystore file for key storage. Although we
have different fall backs in {{ProviderUtils#locatePassword}} to specify the keystore password,
it appears the password itself can never be changed after generation.
> This jira is to make it possible to change the keystore password.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org

View raw message