Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 860EA200C2D for ; Sat, 18 Feb 2017 01:22:51 +0100 (CET) Received: by cust-asf.ponee.io (Postfix) id 84BC0160B6D; Sat, 18 Feb 2017 00:22:51 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id D38B3160B57 for ; Sat, 18 Feb 2017 01:22:50 +0100 (CET) Received: (qmail 64443 invoked by uid 500); 18 Feb 2017 00:22:50 -0000 Mailing-List: contact common-issues-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Delivered-To: mailing list common-issues@hadoop.apache.org Received: (qmail 64432 invoked by uid 99); 18 Feb 2017 00:22:49 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd3-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 18 Feb 2017 00:22:49 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org) with ESMTP id 6EEA5183A68 for ; Sat, 18 Feb 2017 00:22:49 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -1.199 X-Spam-Level: X-Spam-Status: No, score=-1.199 tagged_above=-999 required=6.31 tests=[KAM_ASCII_DIVIDERS=0.8, KAM_LAZY_DOMAIN_SECURITY=1, RP_MATCHES_RCVD=-2.999] autolearn=disabled Received: from mx1-lw-us.apache.org ([10.40.0.8]) by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new, port 10024) with ESMTP id 4Yuq1GzAXMVg for ; Sat, 18 Feb 2017 00:22:48 +0000 (UTC) Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139]) by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTP id 3872C5F3BC for ; Sat, 18 Feb 2017 00:22:48 +0000 (UTC) Received: from jira-lw-us.apache.org (unknown [207.244.88.139]) by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id D682FE0811 for ; Sat, 18 Feb 2017 00:22:44 +0000 (UTC) Received: from jira-lw-us.apache.org (localhost [127.0.0.1]) by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id 32D2A24121 for ; Sat, 18 Feb 2017 00:22:44 +0000 (UTC) Date: Sat, 18 Feb 2017 00:22:44 +0000 (UTC) From: "Larry McCay (JIRA)" To: common-issues@hadoop.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (HADOOP-13923) Allow changing password on JavaKeyStoreProvider generated keystores MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 archived-at: Sat, 18 Feb 2017 00:22:51 -0000 [ https://issues.apache.org/jira/browse/HADOOP-13923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15872788#comment-15872788 ] Larry McCay commented on HADOOP-13923: -------------------------------------- In general, I agree that it is not worth the trouble to add the change password API. I don't exactly agree on the following statements through. bq. Idea on adding a move functionality to migrate keyprovider works, and I like that idea. But feels this is a parallel feature. From admin's POV, changing a keystore password would then require to: setup a new keyprovider service, migrate, change all client configs to point to the new keyprovider. You don't have to change client configs if you just rename the keystore. :) bq. I think we can document hard that jksp isn't supposed to be used anywhere outside of dev/poc, to discourage its use... and use this patch to let who's running on jksp change there password to something other than the default 'none'. I disagree here. It is perfectly legitimate to use a java keystore provider but folks should be aware of the details of doing so. Just as in the use of the same for the Credential Provider API, the keystore password is only a formality of persistence. The actual protection of the key is in the proper use of file permissions. I wouldn't be opposed to describing the use of KMS as a stronger option and describe why this is so in a similar set of docs. The following documentation attempts to communicate these details with enough fidelity to make an informed decision for credential provider approaches: http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/CredentialProviderAPI.html#Credential_Management See the provider types and then the keystore management sections. Pursuing proper Key Provider API documentation is certainly worth doing. > Allow changing password on JavaKeyStoreProvider generated keystores > -------------------------------------------------------------------- > > Key: HADOOP-13923 > URL: https://issues.apache.org/jira/browse/HADOOP-13923 > Project: Hadoop Common > Issue Type: Improvement > Components: kms > Affects Versions: 2.6.0 > Reporter: Xiao Chen > Assignee: Xiao Chen > Attachments: HADOOP-13923.01.patch > > > {{JavaKeyStoreProvider}} generates a jceks keystore file for key storage. Although we have different fall backs in {{ProviderUtils#locatePassword}} to specify the keystore password, it appears the password itself can never be changed after generation. > This jira is to make it possible to change the keystore password. -- This message was sent by Atlassian JIRA (v6.3.15#6346) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org For additional commands, e-mail: common-issues-help@hadoop.apache.org