[ 
https://issues.apache.org/jira/browse/KAFKA-2629?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14950932#comment-14950932
 ] 

Sriharsha Chintalapani edited comment on KAFKA-2629 at 10/9/15 6:30 PM:
------------------------------------------------------------------------

[~singhashish] The distribution of ssl.properties along with a plaintext 
password is been a common way of doing things. In Hadoop they do this as well.  
Not just for ssl in case of kerberos you depend on file system permissions for 
keytabs to keep it secure.  I don't see ssl properties file any different than 
keystore file permissions.
Honestly, I never seen any system doing this so far for SSL. Why do you think 
filesystem permission not suffice and do you have any example anyone else doing 
this.

In your proposal you are saying an executable is also protected by same file 
system permissions than how it is providing any additional security ?. 


was (Author: sriharsha):
[~singhashish] The distribution of ssl.properties along with a plaintext 
password is been a common way of doing things. In Hadoop they do this as well.  
Not just for ssl in case of kerberos you depend on file system permissions for 
keytabs to keep it secure.  I don't see ssl properties file any different than 
keystore file permissions.
Honestly, I never seen any system doing this so far for SSL. Why do you think 
filesystem permission not suffice and do you have any example anyone else doing 
this.

> Enable getting SSL password from an executable rather than passing plaintext 
> password
> -------------------------------------------------------------------------------------
>
>                 Key: KAFKA-2629
>                 URL: https://issues.apache.org/jira/browse/KAFKA-2629
>             Project: Kafka
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 0.9.0.0
>            Reporter: Ashish K Singh
>            Assignee: Ashish K Singh
>
> Currently there are a couple of options to pass SSL passwords to Kafka, i.e., 
> via properties file or via command line argument. Both of these are not 
> recommended security practices.
> * A password on a command line is a no-no: it's trivial to see that password 
> just by using the 'ps' utility.
> * Putting a password into a file, and then passing the location to that file, 
> is the next best option. The access to the file will be governed by unix 
> access permissions which we all know and love. The downside is that the 
> password is still just sitting there in a file, and those who have access can 
> still see it trivially.
> * The most general, secure solution is to provide a layer of abstraction: 
> provide functionality to get the password from "somewhere else".  The most 
> flexible and generic way to do this is to simply call an executable which 
> returns the desired password. 
> ** The executable is again protected with normal file system privileges
> ** The simplest form, a script that looks like "echo 'my-password'", devolves 
> back to putting the password in a file
> ** A more interesting implementation could open up a local encrypted password 
> store and extract the password from it
> ** A maximally secure implementation could contact an external secret manager 
> with centralized control and audit functionality.
> ** In short: getting the password as the output of a script/executable is 
> maximally generic and enables both simple and complex use cases.
> This JIRA intend to add a config param to enable passing an executable to 
> Kafka for SSL passwords.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to