Thanks for bringing this up and adding a KIP for it, Rob! I do get uneasy with the idea of this even though I do realize that it is done by things like CM. In order to get something into an environment variable, the secrets often end up in script files or available in ps listings, logs, etc. If we enable this, we will need to be very careful of where these sorts of things can get exposed.
I will spend some more time with the KIP now.

On Mon, Feb 25, 2019 at 3:09 PM Robert Levas <[email protected]> wrote:

> Team...
>
> I would like to open a discussion on adding a feature to Knox to allow the
> Gateway to get a password from the environment as well as the remote and local
> credential stores. This is potentially needed by management consoles, like
> Cloudera Manager, that can create keystores but pass the credentials for
> them using environment variables.
>
> See KIP-13 Environment variables should be usable when looking up passwords
> <https://cwiki.apache.org/confluence/display/KNOX/KIP-13+Environment+variables+should+be+usable+when+looking+up+passwords>
> for more information.
>
> The relevant JIRA is KNOX-1794
> <https://issues.apache.org/jira/browse/KNOX-1794>.
>
> Rob
