
plain password in configuration files


Explorer

Hi,


I am wondering how to protect keystore and truststore passwords in the ssl-server (ssl-client), hbase-site, storm-site?


These passwords are by default in plain text, which is not very secure. On our cluster we have some edge nodes (that run some Spring Boot web applications with HBase access; for that we let Ambari generate the configuration on those hosts), master (Namenode, HBase Master, etc.) and slave nodes (Datanode, Region Server).

The applications run as a user that is not part of the hadoop group. Same for the YARN, MP jobs. Those users are kerberized.

Since the configuration files are generated by Ambari with a 644 file mode, everybody is able to read those files (and passwords.)


So here are my questions:

1) Is there a way of changing the way of storing the passwords? (e.g. CredentialProvider)

2) May I change the file permissions? (But it looks like Ambari is changing them @ every start.)

3) Should I change my cluster architecture? Edgenode, client config on master and slave nodes etc...


Thanks


Kind regards

2 REPLIES

Re: plain password in configuration files

Mentor

@Manfred PAUL

Yes, it's possible in Ambari to encrypt passwords by running ambari-server setup-security; see Encrypt Database and LDAP Passwords in Ambari.


HTH

Re: plain password in configuration files

Explorer

@Geoffrey Shelton Okot


Hi, thanks. But this does not apply to the Hadoop, HBase, Storm configuration.


Kind regards

Manfred
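
Added example, not part of the original thread or of Ambari/Hadoop: a Python check for the exposure described in the question, reporting which Hadoop-style XML configuration files are readable by "other" and still hold literal password values. The sample file content, the keystore path and the function names are constructed for illustration; only XML property files such as ssl-server.xml are covered.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample in the Hadoop XML property layout (values are made up).
SAMPLE_SSL_SERVER = """<?xml version="1.0"?>
<configuration>
  <property><name>ssl.server.keystore.location</name><value>/etc/security/serverKeys/keystore.jks</value></property>
  <property><name>ssl.server.keystore.password</name><value>changeit</value></property>
  <property><name>ssl.server.truststore.password</name><value></value></property>
</configuration>
"""

def plaintext_password_props(xml_path):
    """Names of properties containing 'password' that carry a non-empty literal value."""
    names = []
    for prop in ET.parse(xml_path).getroot().iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        if "password" in name.lower() and value:
            names.append(name)
    return names

def audit(xml_path):
    """Report the file mode, whether 'other' can read it, and exposed password properties."""
    mode = stat.S_IMODE(os.stat(xml_path).st_mode)
    props = plaintext_password_props(xml_path)
    world_readable = bool(mode & stat.S_IROTH)
    return {
        "path": xml_path,
        "mode": oct(mode),
        "world_readable": world_readable,
        "plaintext_passwords": props,
        "exposed": world_readable and bool(props),
    }

def demo():
    """Audit the constructed sample at mode 644, then again after tightening to 640."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ssl-server.xml")
        with open(path, "w") as f:
            f.write(SAMPLE_SSL_SERVER)
        os.chmod(path, 0o644)
        before = audit(path)
        os.chmod(path, 0o640)
        after = audit(path)
    return before, after

if __name__ == "__main__":
    for result in demo():
        print(result)
```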