[WIP] Proof of concept for a generic password provider #82
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Change-Id: I28a11ccbeb3bd19f8de14c66d4cf47dc6e1c7969
Change-Id: I0dadcb576c9b9eefb557cb8e111cb899cd415c0e
bessbd
reviewed
Oct 27, 2016
|
|
||
| private String loadPassword(Context context, String key) { | ||
| String charsetKey = key + "." + CHARSET_KEY; | ||
| String charsetName = context.getString(charsetKey, "iso-8859-1"); |
There was a problem hiding this comment.
As it's about the output of a shell script I don't expect to have non-ascii characters, that's why I decided to use iso-8859-1 by default. I might be wrong so I'm open to reconsider this.
There was a problem hiding this comment.
+1 for Unicode standard and UTF-8 implementation even for defaults.
|
I didn't look at this much yet, but would this ultimately be compatible with standard JAAS credential providers, like the one Hadoop implements? |
|
Can one of the admins verify this patch? |
waidr
pushed a commit
to waidr/flume
that referenced
this pull request
Jul 24, 2019
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
One of the main security concerns regarding Flume is that currently passwords can only be set in plain text in the config file. I have a proof-of-concept to overcome this limitation with an extensible password provider.
The core of the solution is the
PasswordProviderinterface which has a default implementation (PlainTextPasswordProvider) which returns the value of the given key, thus taking care of backwards compatibility.The other implementation is the
ExternalProcessPasswordProviderwhich executes the configured command and returns its output.Usage example can be seen in the
AvroSource(see the 2nd commit of this PR):Example configuration to use the
ExternalProcessPasswordProvider:Example configuration with no
passwordProviderClassset:As no
passwordProviderClassis set in this example the defaultPlainTextPasswordProvideris used which returns the value ofa.sources.avro.keystore-password.Note: this is still a work in progress, I wanted to sketch up my idea. Any questions/comments/suggestions are more than welcome.