incubator-ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Siddharth Wagle (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (AMBARI-2174) Eliminate cleartext LDAPS credentials from Ambari props files
Date Tue, 21 May 2013 05:39:17 GMT

     [ https://issues.apache.org/jira/browse/AMBARI-2174?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Siddharth Wagle updated AMBARI-2174:
------------------------------------

    Description: 
Observations:

- Currently we use the Java Keystore for storing server and agent SSL certificates. The keystore
is a storage facility for cryptographic keys and certificates and is guarded by a password.
Presently what we do is generate a random 50 character long alphanumeric keystore password,
the first time ambari starts with permissions 644. (should be 600)
{noformat}
-rw-r--r--. 1 root root   50 May 13 13:49 pass.txt
{noformat}

- Database password in ambari.properties, this is not clear text and is store in a file with
appropriate ACL.
{noformat}
-rw-------. 1 root root 7 May 13 13:49 /etc/ambari-server/conf/password.dat
{noformat}

Need to discuss the flow of enabling LDAP access to Ambari in order to suggest a flexible
approach.

Important considerations:
- Any cryptographic technique that requires encryption and decryption has understood weakness
that the private key is protected by the appropriate ACL. Even if we encrypt passwords in
the configuration files, the key used for achieving the encryption needs to be protected.
- One decent solution is, prompt the user for a passphrase and use the non-invertible secure
digest (such as sha-1) of the password to lock the keystore. This same password can be used
to encrypt LDAP credentials. In this approach we need to prompt the admin to provide the LDAP
password when configuring a LDAP user for the first time and then write the encrypted password
into the configuration file. Alternately, we can ask for the same during ambari-server setup,
but that would be less flexible.

  was:
Observations:

- Currently we use the Java Keystore for storing server and agent SSL certificates. The keystore
is a storage facility for cryptographic keys and certificates and is guarded by a password.
Presently what we do is generate a random 50 character long alphanumeric keystore password,
the first time ambari starts with permissions 644. (should be 600)
{noformat}
-rw-r--r--. 1 root root   50 May 13 13:49 pass.txt
{noformat}

- Database password in ambari.properties, this is not clear text and is store in a file with
appropriate ACL.
{noformat}
-rw-------. 1 root root 7 May 13 13:49 /etc/ambari-server/conf/password.dat
{noformat}

[~jeff] Need to discuss the flow of enabling LDAP access to Ambari in order to suggest a flexible
approach.

Important considerations:
- Any cryptographic technique that requires encryption and decryption has understood weakness
that the private key is protected by the appropriate ACL. Even if we encrypt passwords in
the configuration files, the key used for achieving the encryption needs to be protected.
- One decent solution is, prompt the user for a passphrase and use the non-invertible secure
digest (such as sha-1) of the password to lock the keystore. This same password can be used
to encrypt LDAP credentials. In this approach we need to prompt the admin to provide the LDAP
password when configuring a LDAP user for the first time and then write the encrypted password
into the configuration file. Alternately, we can ask for the same during ambari-server setup,
but that would be less flexible.

    
> Eliminate cleartext LDAPS credentials from Ambari props files
> -------------------------------------------------------------
>
>                 Key: AMBARI-2174
>                 URL: https://issues.apache.org/jira/browse/AMBARI-2174
>             Project: Ambari
>          Issue Type: Task
>          Components: agent, controller
>    Affects Versions: 1.2.5
>            Reporter: Siddharth Wagle
>            Assignee: Siddharth Wagle
>             Fix For: 1.2.5
>
>
> Observations:
> - Currently we use the Java Keystore for storing server and agent SSL certificates. The
keystore is a storage facility for cryptographic keys and certificates and is guarded by a
password.
> Presently what we do is generate a random 50 character long alphanumeric keystore password,
the first time ambari starts with permissions 644. (should be 600)
> {noformat}
> -rw-r--r--. 1 root root   50 May 13 13:49 pass.txt
> {noformat}
> - Database password in ambari.properties, this is not clear text and is store in a file
with appropriate ACL.
> {noformat}
> -rw-------. 1 root root 7 May 13 13:49 /etc/ambari-server/conf/password.dat
> {noformat}
> Need to discuss the flow of enabling LDAP access to Ambari in order to suggest a flexible
approach.
> Important considerations:
> - Any cryptographic technique that requires encryption and decryption has understood
weakness that the private key is protected by the appropriate ACL. Even if we encrypt passwords
in the configuration files, the key used for achieving the encryption needs to be protected.
> - One decent solution is, prompt the user for a passphrase and use the non-invertible
secure digest (such as sha-1) of the password to lock the keystore. This same password can
be used to encrypt LDAP credentials. In this approach we need to prompt the admin to provide
the LDAP password when configuring a LDAP user for the first time and then write the encrypted
password into the configuration file. Alternately, we can ask for the same during ambari-server
setup, but that would be less flexible.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message