plain password in configuration files



I am wondering how to protect keystore and truststore passwords in the ssl-server (ssl-client), hbase-site, storm-site?

These passwords are by default in plain text which is not very secure. On our cluster we have some edge nodes (that run some Spring Boot web application with HBase access, for that we let Ambari generate the configuration on those hosts), master (Namenode, HBase Master, etc.) and slave nodes (Datanode, Region Server).

The applications run as a user that is not part of the hadoop group. Same for the YARN, MP jobs. Those users are kerberized.

Since the configuration files are generated by Ambari with a 644 file mode, everybody is able to read those files (and passwords).

So here are my questions:

1) Is there a way of changing the way of storing the passwords? (e.g. CredentialProvider)

2) May I change the file permissions? (but it looks like Ambari is changing them @ every start)

3) Should I change my cluster architecture? Edgenode, client config on master and slave nodes etc.


Kind regards


Re: plain password in configuration files


@Manfred PAUL

Yes, it's possible in Ambari to encrypt passwords by running ambari-server setup-security; see "Encrypt Database and LDAP Passwords in Ambari".


Re: plain password in configuration files


@Geoffrey Shelton Okot

Hi, thanks. But this does not apply to the Hadoop, HBase, Storm configuration.

Kind regards