How do you mask passwords for xml files in HDP?

How can we mask passwords in XML configuration files in HDP, for instance the ranger-policymgr-ssl.xml file?

1 ACCEPTED SOLUTION

Re: How do you mask passwords for xml files in HDP?

Unfortunately an application that uses a credential store will always need at least one cleartext password so it can unlock that credential store. This can be hardcoded into the binary or stored in a file. The ranger-policymgr-ssl.xml files contain the passwords to unlock the keystore and truststore used by Ranger agents. Obviously this file should be secured with the minimal permissions necessary.

Other passwords in Ranger config files are stored in a credential store (jceks file), so they don't show up in plaintext in the configs. The credential stores typically use the default keystore password, so the files themselves should still be protected by appropriate file permissions.

(thanks to @lmccay for clarifying the last part for me)
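
An added example, not part of the original answer and not Ranger or HDP code: a small Python audit that reports the file mode of a config or credential store file and lists any Hadoop-style XML properties that hold a cleartext password. The sample file, its property names and values are constructed for illustration.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample in Hadoop-style <configuration> format; the property
# names and values are made up for this example.
SAMPLE = """<configuration>
  <property><name>example.ssl.keystore</name><value>/etc/example/keystore.jks</value></property>
  <property><name>example.ssl.keystore.password</name><value>changeit-sample</value></property>
  <property><name>example.ssl.truststore.password</name><value>changeit-sample</value></property>
</configuration>
"""

def cleartext_password_props(xml_path):
    """Names of properties that mention 'password' and carry a non-empty value."""
    hits = []
    for prop in ET.parse(xml_path).getroot().iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        if "password" in name.lower() and value:
            hits.append(name)
    return hits

def audit(path):
    """Findings for one config (.xml) or credential store (.jceks) file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IRWXO:
        findings.append(f"mode {mode:04o}: accessible to all local users")
    if mode & stat.S_IRWXG:
        findings.append(f"mode {mode:04o}: accessible to group, confirm it is needed")
    if path.endswith(".xml"):
        findings += [f"cleartext value: {n}" for n in cleartext_password_props(path)]
    return findings

def demo():
    """Audit the sample at 0644, then again after tightening to 0600."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample-ssl.xml")
        with open(path, "w") as f:
            f.write(SAMPLE)
        os.chmod(path, 0o644)
        before = audit(path)
        os.chmod(path, 0o600)
        after = audit(path)
    return before, after

if __name__ == "__main__":
    for label, result in zip(("0644", "0600"), demo()):
        print(label, result)
```

After tightening to 0600 the permission findings disappear but the cleartext findings remain, which matches the answer: the password has to be readable by the service, so file ownership and mode are the control.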

2 REPLIES

Re: How do you mask passwords for xml files in HDP?

Not for Ranger, but for Hive, you can remove the password from hive-site.xml by following the link below:

https://cwiki.apache.org/confluence/display/Hive/AdminManual+Configuration
