Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Improvement]: Add support for using encrypted passwords in configurations #3335

Open
5 of 6 tasks
Jzjsnow opened this issue Nov 21, 2024 · 4 comments · May be fixed by #3396
Open
5 of 6 tasks

[Improvement]: Add support for using encrypted passwords in configurations #3335

Jzjsnow opened this issue Nov 21, 2024 · 4 comments · May be fixed by #3396
Labels
type:improvement

Comments

@Jzjsnow
Copy link
Contributor

Jzjsnow commented Nov 21, 2024
edited
Loading

Search before asking

  • I have searched in the issues and found no similar issues.

What would you like to be improved?

Currently, the login password for the admin user and the connection password for the mysql/postgresql databases are set in plaintext in the configuration file, which may be a security risk. To avoid the use of plaintext passwords, we would like to add support for using encrypted passwords in the configuration file.

How should we improve?

No response

Are you willing to submit PR?

  • Yes I am willing to submit a PR!

Subtasks

Code of Conduct
This was referenced Nov 21, 2024
Open
Open
@klion26
Copy link
Member

klion26 commented Dec 7, 2024

Thanks for creating the issue, +1 for this feature. and maybe #3336 can considered together with #3156 by providing a user permissions system

@Jzjsnow
Copy link
Contributor Author

Jzjsnow commented Dec 9, 2024

Now I'm thinking that we can provide an interface by implementing which developers can customize the decryption method and choose the appropriate dependency library themselves. This way we can bypass the potential problem of choosing a dependency library for decryption. Considering that base64 encoding is one of the most commonly used encoding methods, I would like to implement a basic base64 encoding first, not only as an example implementation of the interface, but also to solve the current problem of plaintext passwords.

@engraving-knife
Copy link
Contributor

I am also following up on this issue and would like to ask about the current development status. I believe we should support some more general encryption algorithms, such as AES, and should provide a place for inputting keys for such algorithms. Keys should not be placed in algorithm-dependent packages and configuration files.

@Jzjsnow Jzjsnow linked a pull request Jan 6, 2025 that will close this issue
Open
3 tasks
@Jzjsnow
Copy link
Contributor Author

Jzjsnow commented Jan 6, 2025
edited
Loading

In #3396, I first provide this interface ConfigShade and the implementation org.apache.amoro.config.shade.impl.Base64ConfigShade for base64 encoding. I think that by implementing the ConfigShade#initialize and ConfigShade#decrypt methods, it is possible to satisfy the user's desired encryption algorithms, such as AES. @engraving-knife any ideas on this approach?

@Jzjsnow Jzjsnow mentioned this issue Jan 23, 2025
Open
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type:improvement
Projects
None yet
Milestone
No milestone
3 participants
@klion26 @Jzjsnow @engraving-knife