[
https://issues.apache.org/jira/browse/HADOOP-13864?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15719053#comment-15719053
]
Mike Yoder commented on HADOOP-13864:
-------------------------------------
To the question of "you're not requiring a password now, isn't that a bad (less
secure) thing?" I reply:
My first agrument is that of symmetry. For C/C++/Python programs (anything
using openssl), a trust store is a plain-text file containing certificates. No
password required, and indeed there is not even a way to password-protect it.
So this "protection" in java has never been thought worthy of a feature in
openssl. Note that since all our certificates need to be in both pem and jks
format the passwordless trust stores will continue to exist in pem format
regardless of what we do in java programs.
My second argument is that the truststore password is worthless anyway. It
could in theory be useful in the limited world of keytool generating a
truststore, but when you actually go to use that truststore it all falls apart.
The reason is that hadoop clients need the trust store in order to trust the
server that they're talking to. Since the client needs it, the client has to be
able to fully use the trust store. If the trust store password is given, then
the client (anyone who connects to the hadoop cluster, that is) then knows the
trust store password. There is no way around this: even if we try to encrypt
that password, we would have to give the client the decryption key. Even if we
tried to obfuscate that password, we'd have to unobfuscate the password before
using it.
The other thing to consider here is that customers frequently re-use the trust
store password to be the same as the keystore password. This is dumb, but it
happens, and now the password is spread far and wide. The "benefit" is that the
integrity of the truststore is cryptographically verified. But since
essentially anyone can learn that password, anyone could write to the
truststore, so... who cares?
My third argument is that the global trust store on the system has a well known
password of "changeit" (even though changing it is pointless) and no software
ever accesses the global trust store using this password - because it would
provide no benefit.
> KMS should not require truststore password
> ------------------------------------------
>
> Key: HADOOP-13864
> URL: https://issues.apache.org/jira/browse/HADOOP-13864
> Project: Hadoop Common
> Issue Type: Bug
> Components: kms, security
> Reporter: Mike Yoder
> Assignee: Mike Yoder
>
> Trust store passwords are actually not required for read operations. They're
> only needed for writing to the trust store; in reads they serve as an
> integrity check. Normal hadoop sslclient.xml files don't require the
> truststore password, but when the KMS is used it's required.
> If I don't specify a hadoop trust store password I get:
> {noformat}
> Failed to start namenode.
> java.io.IOException: java.security.GeneralSecurityException: The property
> 'ssl.client.truststore.password' has not been set in the ssl configuration
> file.
> at
> org.apache.hadoop.crypto.key.kms.KMSClientProvider.<init>(KMSClientProvider.java:428)
> at
> org.apache.hadoop.crypto.key.kms.KMSClientProvider$Factory.createProvider(KMSClientProvider.java:333)
> at
> org.apache.hadoop.crypto.key.kms.KMSClientProvider$Factory.createProvider(KMSClientProvider.java:324)
> at
> org.apache.hadoop.crypto.key.KeyProviderFactory.get(KeyProviderFactory.java:95)
> at org.apache.hadoop.util.KMSUtil.createKeyProvider(KMSUtil.java:65)
> at org.apache.hadoop.hdfs.DFSUtil.createKeyProvider(DFSUtil.java:1920)
> at
> org.apache.hadoop.hdfs.DFSUtil.createKeyProviderCryptoExtension(DFSUtil.java:1934)
> at
> org.apache.hadoop.hdfs.server.namenode.FSNamesystem.<init>(FSNamesystem.java:811)
> at
> org.apache.hadoop.hdfs.server.namenode.FSNamesystem.loadFromDisk(FSNamesystem.java:770)
> at
> org.apache.hadoop.hdfs.server.namenode.NameNode.loadNamesystem(NameNode.java:614)
> at
> org.apache.hadoop.hdfs.server.namenode.NameNode.initialize(NameNode.java:676)
> at
> org.apache.hadoop.hdfs.server.namenode.NameNode.<init>(NameNode.java:844)
> at
> org.apache.hadoop.hdfs.server.namenode.NameNode.<init>(NameNode.java:823)
> at
> org.apache.hadoop.hdfs.server.namenode.NameNode.createNameNode(NameNode.java:1548)
> at
> org.apache.hadoop.hdfs.server.namenode.NameNode.main(NameNode.java:1616)
> Caused by: java.security.GeneralSecurityException: The property
> 'ssl.client.truststore.password' has not been set in the ssl configuration
> file.
> at
> org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory.init(FileBasedKeyStoresFactory.java:199)
> at org.apache.hadoop.security.ssl.SSLFactory.init(SSLFactory.java:131)
> at
> org.apache.hadoop.crypto.key.kms.KMSClientProvider.<init>(KMSClientProvider.java:426)
> ... 14 more
> {noformat}
> Note that this _does not_ happen to the namenode when the kms isn't in use.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
