Cloudera Community

Archives of Support Questions (Read Only)

This is an archived board for historical reference. Information and links may no longer be available or relevant
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
This board is archived and read-only for historical reference. To ask a new question, please post a new topic on the appropriate active board.
Solved Go to solution

How do you mask passwords for xml files in HDP?

avatar
author-rank cspencer
Expert Contributor

Created ‎05-06-2016 10:58 PM

How can we mask passwords on xml configuration files in HDP for instance, the ranger-policymgr-ssl.xml file?

3,472 Views
1 ACCEPTED SOLUTION

avatar
author-rank amiller
Guru

Created ‎05-10-2016 07:06 PM

Unfortunately an application that uses a credential store will always need at least one cleartext password so it can unlock that credential store. This can be hardcoded into the binary or stored in a file. The ranger-policymgr-ssl.xml files contain the passwords to unlock the keystore and truststore used by Ranger agents. Obviously this file should be secured with the minimal permissions necessary.

Other passwords in Ranger config files are stored in a credential store (jceks file), so they don't show up in plaintext in the configs. The credential stores typically use the default keystore password, so the files themselves should still be protected by appropriate file permissions.

(thanks to @lmccay for clarifying the last part for me)

View solution in original post

2,849 Views
2 REPLIES 2

avatar
author-rank tsaito
Expert Contributor

Created ‎05-09-2016 06:04 PM

Not for ranger, but for hive, you can remove password from hive-site.xml by following the below:

https://cwiki.apache.org/confluence/display/Hive/AdminManual+Configuration

2,849 Views

avatar
author-rank amiller
Guru

Created ‎05-10-2016 07:06 PM

Unfortunately an application that uses a credential store will always need at least one cleartext password so it can unlock that credential store. This can be hardcoded into the binary or stored in a file. The ranger-policymgr-ssl.xml files contain the passwords to unlock the keystore and truststore used by Ranger agents. Obviously this file should be secured with the minimal permissions necessary.

Other passwords in Ranger config files are stored in a credential store (jceks file), so they don't show up in plaintext in the configs. The credential stores typically use the default keystore password, so the files themselves should still be protected by appropriate file permissions.

(thanks to @lmccay for clarifying the last part for me)

2,850 Views
Announcements
What's New @ Cloudera
Cloudera Real time Monitoring for 7.1.9+ and 7.2.18+ with Cl...
What's New @ Cloudera
Announcing Cloudera Streaming Analytics 1.17: Python UDFs, S...
Community Announcements
Content Update: Evolving Our Community Content for Better, A...
Community Announcements
Product Name Updates — Community Label Changes & Notificatio...
What's New @ Cloudera
Announcing Cloudera Data Lineage for Trino
View More Announcements