Github user rconline commented on the issue:
https://github.com/apache/zeppelin/pull/1315
@jongyoul let me try to take a step back and try to explain.

Zeppelin is going to be used for various use cases, some of which will
involve HDFS - Hive/Spark/Phoenix/HBase etc.; some use cases will also need
support for non-HDFS systems such as Postgres/MySQL etc.

**Problem** - all of these end systems may require users to store
passwords. Currently in Zeppelin there are two locations for storing these
passwords - 1. shiro.ini for AD passwords and 2. interpreter.json for the rest
of the data systems. These passwords are stored in clear text as of now.

**Solution** - Encrypt the password and store it in a file that can be read
only at runtime, by the Zeppelin process, to connect successfully. The question is
where? Either on the Zeppelin host system or HDFS, where big-data users are akin
to storing passwords. JCEKS is a Java-supported concept and has worked well for
most users, and therefore can be used. Creating a .jceks file is possible on a
host, `jceks://file/tmp/test.jceks`, whereas on HDFS the user may have to connect
to HDFS and then create the file, such as
`jceks://[email protected]/my/path/test.jceks`, when the password is being
stored on HDFS.

At this point in time we have solved the problem of not storing passwords
in shiro.ini, which can be stored at the Zeppelin host itself. However, we have
to improve this solution and make it work for the rest of the use cases, and
that's where the Credential API comes into play.

The Credential API is a generic solution which allows users to create password
files for both of the cases - on the host and HDFS. Needless to point out that
this has been used across Knox, which is a good standard for security.

Please let me know if this makes sense, or if you have any more questions.
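An added example, not part of the comment above and not Zeppelin or Hadoop code: storing a password in a JCEKS keystore with the plain JDK `KeyStore` API and reading it back at runtime. The class name, alias, temp file and both secret values are constructed, and a POSIX file system is assumed for the owner-only file mode.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.KeyStore;
import javax.crypto.spec.SecretKeySpec;

public class JceksPasswordDemo {
    // Open the keystore at `file`, or start an empty one if the file has no content yet.
    static KeyStore open(Path file, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        if (Files.size(file) == 0) {
            ks.load(null, storePass);
        } else {
            try (InputStream in = Files.newInputStream(file)) { ks.load(in, storePass); }
        }
        return ks;
    }

    // Save `secret` under `alias`; the entry is sealed with storePass inside the file.
    static void put(Path file, char[] storePass, String alias, String secret) throws Exception {
        KeyStore ks = open(file, storePass);
        byte[] raw = secret.getBytes(StandardCharsets.UTF_8);
        // "AES" is only a label here; the bytes are the password itself, not a cipher key.
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(new SecretKeySpec(raw, "AES")),
                new KeyStore.PasswordProtection(storePass));
        try (OutputStream out = Files.newOutputStream(file)) { ks.store(out, storePass); }
    }

    // Read the password back at runtime, as the connecting process would.
    static String get(Path file, char[] storePass, String alias) throws Exception {
        KeyStore.Entry e = open(file, storePass).getEntry(alias, new KeyStore.PasswordProtection(storePass));
        if (!(e instanceof KeyStore.SecretKeyEntry)) throw new IllegalArgumentException("no secret under alias " + alias);
        return new String(((KeyStore.SecretKeyEntry) e).getSecretKey().getEncoded(), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Created owner-only (assumes POSIX) before any secret is written to it.
        Path file = Files.createTempFile("demo", ".jceks",
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")));
        char[] storePass = "constructed-store-pass".toCharArray(); // constructed; supply out of band in practice
        put(file, storePass, "jdbc.postgres.password", "constructed-db-secret");
        // First line: does the round trip return the secret? Second: is the plaintext visible in the file bytes?
        System.out.println(get(file, storePass, "jdbc.postgres.password").equals("constructed-db-secret"));
        System.out.println(new String(Files.readAllBytes(file), StandardCharsets.ISO_8859_1).contains("constructed-db-secret"));
        Files.delete(file);
    }
}
```

The entry is only as protected as the keystore password and the file's permissions, so the store password has to reach the process by some route other than the file it unlocks.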