[ 
https://issues.apache.org/jira/browse/KAFKA-2629?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14951200#comment-14951200
 ] 

Ashish K Singh commented on KAFKA-2629:
---------------------------------------

Thanks for your thoughts [~sriharsha]. I think you raised the following concerns; 
I am trying to address them below.

bq. The distribution of ssl.properties along with a plaintext password has been 
a common way of doing things. In Hadoop they do this as well.

Hadoop implemented something called the CredentialProvider specifically for the 
purpose of encrypting passwords. See 
https://issues.apache.org/jira/browse/HADOOP-10607.  This functionality is now 
supported by other projects, including Hive, HBase, etc. 

If you google, you will find many well-known products use similar approaches. 
Even if someone is not, they should as per the PCI DSS v3 standard. This comes 
as an ask from our most security-conscious customers. I am sure this will be 
soon asked by other Kafka users as well. We have a choice of creating a wrapper 
that does this and calls Kafka, however I am sure this will be required in 
Apache Kafka some day, if not today.

bq. I have never seen any system doing this so far for SSL. Why do you think 
filesystem permission does not suffice?

As per PCI DSS v3:

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf

8.2.1 Using strong cryptography, render all authentication credentials (such as 
passwords/phrases) unreadable during transmission and storage on all system 
components.

bq. In your proposal you are saying an executable is also protected by the same 
file system permissions, then how is it providing any additional security?

The idea is that the executable can get the password in a secure way. The degree of 
security is customizable - it can get the password from an external secret 
manager with centralized control and audit functionality or can decrypt a 
locally stored password using a secret passed through the environment. Sure, 
one can access the executable with proper permissions, but will not be able to 
access the env variables that the process, starting Kafka server, used to get 
the password.

> Enable getting SSL password from an executable rather than passing plaintext 
> password
> -------------------------------------------------------------------------------------
>
>                 Key: KAFKA-2629
>                 URL: https://issues.apache.org/jira/browse/KAFKA-2629
>             Project: Kafka
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 0.9.0.0
>            Reporter: Ashish K Singh
>            Assignee: Ashish K Singh
>
> Currently there are a couple of options to pass SSL passwords to Kafka, i.e., 
> via properties file or via command line argument. Both of these are not 
> recommended security practices.
> * A password on a command line is a no-no: it's trivial to see that password 
> just by using the 'ps' utility.
> * Putting a password into a file, and then passing the location to that file, 
> is the next best option. The access to the file will be governed by unix 
> access permissions which we all know and love. The downside is that the 
> password is still just sitting there in a file, and those who have access can 
> still see it trivially.
> * The most general, secure solution is to provide a layer of abstraction: 
> provide functionality to get the password from "somewhere else".  The most 
> flexible and generic way to do this is to simply call an executable which 
> returns the desired password. 
> ** The executable is again protected with normal file system privileges
> ** The simplest form, a script that looks like "echo 'my-password'", devolves 
> back to putting the password in a file
> ** A more interesting implementation could open up a local encrypted password 
> store and extract the password from it
> ** A maximally secure implementation could contact an external secret manager 
> with centralized control and audit functionality.
> ** In short: getting the password as the output of a script/executable is 
> maximally generic and enables both simple and complex use cases.
> This JIRA intends to add a config param to enable passing an executable to 
> Kafka for SSL passwords.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
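
An added sketch of the caller side of the proposal in this thread, not code from Kafka or from any participant: it runs a configured executable without a shell, lets it inherit the starting process's environment (so a secret passed that way reaches it), and returns its stdout as the password. The function names and the ownership and permission policy are assumptions made for illustration.

```python
import os
import stat
import subprocess


class PasswordCommandError(Exception):
    """Raised when the password executable cannot be trusted or fails."""


def check_executable(path):
    """Refuse executables that other local users could replace or edit."""
    if not os.path.isabs(path):
        raise PasswordCommandError("path must be absolute: no $PATH lookup")
    st = os.stat(path)  # follows symlinks, so the real target is checked
    if not stat.S_ISREG(st.st_mode):
        raise PasswordCommandError("not a regular file")
    if st.st_uid not in (0, os.geteuid()):
        raise PasswordCommandError("owned by an unexpected user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PasswordCommandError("writable by group or others")


def read_password(path, timeout=10.0):
    """Run the executable (argv list, no shell) and return its stdout."""
    check_executable(path)
    try:
        # env is not overridden: the child sees the parent's environment.
        proc = subprocess.run([path], stdin=subprocess.DEVNULL,
                              stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                              timeout=timeout)
    except (OSError, subprocess.TimeoutExpired) as exc:
        raise PasswordCommandError(
            "could not run executable: " + type(exc).__name__)
    if proc.returncode != 0:
        # Report only the exit status; the output may hold secret material.
        raise PasswordCommandError(
            "executable exited with %d" % proc.returncode)
    password = proc.stdout.decode("utf-8").rstrip("\r\n")
    if not password:
        raise PasswordCommandError("executable printed no password")
    return password
```

The returned value should go straight into the key store or TLS configuration and never into logs or exception text.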
