In a real production deployment, usually we will store an encrypted password in the configuration file, and then decrypt it after loading, to actually use it.
And how to get the decryption will depend on the environment. On cloud VMs, usually you can use an encryption service to decrypt the password. On K8s, you can mount the key using a secret. So maybe we should abstract a decryption interface, so users could implement it on their own to find a suitable way to decrypt the encrypted password?

Andor Molnar <[email protected]> wrote on Tue, Aug 23, 2022 at 05:55:

> Hi team,
>
> Netty TLS support is now merged into master and branch-2 branches.
> Currently keystore/truststore passwords can only be stored in
> hbase-site.xml which is not the best approach from security perspective.
>
> In the docs review Sergey Soldatov mentioned
> (https://github.com/apache/hbase/pull/4717/files#r951768699) an approach
> in HDFS where password can be stored in special files or in environment
> variables.
>
> Sergey, would you please point me to the details of that
> implementation? Sounds like it would be acceptable for HBase too.
>
> Is there any other idea that folks could recommend?
>
> Thanks,
> Andor
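
The decryption interface proposed in the reply above, sketched as an added example (not part of the original thread and not HBase code). `PasswordDecryptor`, `MountedKeyDecryptor`, the AES-GCM config-value format and the sample password are all assumptions made for illustration; the temp file stands in for a key mounted from a K8s secret.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.SecureRandom;
import java.util.*;

public class DecryptorDemo {
  // Hypothetical extension point: maps the value stored in the config file to the real password.
  interface PasswordDecryptor { char[] decrypt(String configValue) throws Exception; }

  // Assumed config value format: base64(12-byte nonce || AES-GCM ciphertext + 16-byte tag).
  static final class MountedKeyDecryptor implements PasswordDecryptor {
    private final Path keyFile; // raw AES key, e.g. a file from a mounted secret volume
    MountedKeyDecryptor(Path keyFile) { this.keyFile = keyFile; }

    @Override public char[] decrypt(String configValue) throws Exception {
      byte[] key = Files.readAllBytes(keyFile);
      byte[] blob = Base64.getDecoder().decode(configValue);
      Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
      c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
          new GCMParameterSpec(128, blob, 0, 12));
      // doFinal throws AEADBadTagException if the key is wrong or the value was modified.
      byte[] plain = c.doFinal(blob, 12, blob.length - 12);
      return new String(plain, StandardCharsets.UTF_8).toCharArray();
    }
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample key and nonce; in a deployment the key comes from the environment.
    SecureRandom rnd = new SecureRandom();
    byte[] key = new byte[32], nonce = new byte[12];
    rnd.nextBytes(key); rnd.nextBytes(nonce);
    Path keyFile = Files.createTempFile("tls-key", ".bin");
    Files.write(keyFile, key);
    // One-time operator step: encrypt the keystore password for the config file.
    Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
    c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, nonce));
    byte[] ct = c.doFinal("changeit".getBytes(StandardCharsets.UTF_8));
    byte[] blob = Arrays.copyOf(nonce, 12 + ct.length);
    System.arraycopy(ct, 0, blob, 12, ct.length);
    String configValue = Base64.getEncoder().encodeToString(blob);
    // Server side: only the encrypted value is in the config; the key lives elsewhere.
    PasswordDecryptor d = new MountedKeyDecryptor(keyFile);
    System.out.println("decrypted ok: "
        + Arrays.equals(d.decrypt(configValue), "changeit".toCharArray()));
    Files.delete(keyFile);
  }
}
```

A cloud deployment would supply a different `PasswordDecryptor` that calls its encryption service instead of reading a key file; the configuration value and the calling code stay the same.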
