
[Improvement]: Add support for using encrypted passwords in configurations

Open Jzjsnow opened this issue 1 year ago • 5 comments

Search before asking

  • [X] I have searched in the issues and found no similar issues.

What would you like to be improved?

Currently, the login password for the admin user and the connection password for the mysql/postgresql databases are set in plaintext in the configuration file, which may be a security risk. To avoid the use of plaintext passwords, we would like to add support for using encrypted passwords in the configuration file.

How should we improve?

No response

Are you willing to submit PR?

  • [X] Yes I am willing to submit a PR!

Subtasks

  • [x] #3336
  • [x] #3337
  • [x] #3417

Code of Conduct

Jzjsnow, Nov 21 '24 02:11

Thanks for creating the issue, +1 for this feature. And maybe #3336 can be considered together with #3156 by providing a user permissions system.

klion26, Dec 07 '24 05:12

Now I'm thinking that we can provide an interface by implementing which developers can customize the decryption method and choose the appropriate dependency library themselves. This way we can bypass the potential problem of choosing a dependency library for decryption. Considering that base64 encoding is one of the most commonly used encoding methods, I would like to implement a basic base64 encoding first, not only as an example implementation of the interface, but also to solve the current problem of plaintext passwords.

Jzjsnow, Dec 09 '24 13:12

I am also following up on this issue and would like to ask about the current development status. I believe we should support some more general encryption algorithms, such as AES, and should provide a place for inputting keys for such algorithms. Keys should not be placed in algorithm-dependent packages and configuration files.

engraving-knife, Dec 17 '24 02:12

In #3396, I first provide this interface ConfigShade and the implementation org.apache.amoro.config.shade.impl.Base64ConfigShade for base64 encoding. I think that by implementing the ConfigShade#initialize and ConfigShade#decrypt methods, it is possible to satisfy the user's desired encryption algorithms, such as AES. @engraving-knife any ideas on this approach?

Jzjsnow, Jan 06 '25 11:01
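
As an added example, not Amoro's code, this shows the approach raised in the two comments above: an implementation with `initialize` and `decrypt` methods that uses AES-GCM and reads its key from the environment, so that, unlike a Base64-encoded value, the stored string cannot be recovered from the configuration file alone. The `Shade` interface, the `EXAMPLE_SHADE_KEY` variable and the nonce-plus-ciphertext layout are assumptions made for illustration; the project's real `ConfigShade` signatures may differ.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;

public class AesGcmShadeExample {
  // Hypothetical stand-in for the interface named in the thread; not Amoro's real signatures.
  interface Shade {
    void initialize(Map<String, String> env);
    String decrypt(String content) throws Exception;
  }
  static class AesGcmShade implements Shade {
    private SecretKeySpec key;
    public void initialize(Map<String, String> env) {
      // EXAMPLE_SHADE_KEY is an assumed name: the key arrives from the environment, not the config file.
      byte[] raw = Base64.getDecoder().decode(Objects.requireNonNull(env.get("EXAMPLE_SHADE_KEY"), "key not set"));
      if (raw.length != 32) throw new IllegalStateException("expected a 256-bit key");
      key = new SecretKeySpec(raw, "AES");
    }
    // Stored value layout (assumed): base64(12-byte nonce || ciphertext || 16-byte GCM tag).
    public String decrypt(String content) throws Exception {
      byte[] blob = Base64.getDecoder().decode(content);
      if (blob.length < 28) throw new IllegalArgumentException("value too short");
      Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
      c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
      // doFinal throws AEADBadTagException if the key is wrong or the value was modified.
      return new String(c.doFinal(blob, 12, blob.length - 12), StandardCharsets.UTF_8);
    }
  }
  // One-off helper that produces the value an operator would place in the config file.
  static String encrypt(byte[] rawKey, String plaintext) throws Exception {
    byte[] nonce = new byte[12];
    new SecureRandom().nextBytes(nonce); // fresh random nonce for every encryption
    Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
    c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(rawKey, "AES"), new GCMParameterSpec(128, nonce));
    byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
    byte[] out = Arrays.copyOf(nonce, 12 + ct.length);
    System.arraycopy(ct, 0, out, 12, ct.length);
    return Base64.getEncoder().encodeToString(out);
  }
  public static void main(String[] args) throws Exception {
    byte[] rawKey = new byte[32];
    new SecureRandom().nextBytes(rawKey); // constructed demo key
    String stored = encrypt(rawKey, "example-db-password"); // constructed sample secret
    Shade shade = new AesGcmShade();
    shade.initialize(Map.of("EXAMPLE_SHADE_KEY", Base64.getEncoder().encodeToString(rawKey)));
    System.out.println(shade.decrypt(stored));
  }
}
```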

Reopen this for tracking the doc modification sub-task

klion26, Feb 05 '25 02:02

This issue has been automatically marked as stale because it has been open for 180 days with no activity. It will be closed in next 14 days if no further activity occurs. To permanently prevent this issue from being considered stale, add the label 'not-stale', but commenting on the issue is preferred when possible.

github-actions[bot], Sep 16 '25 00:09

This issue has been closed because it has not received any activity in the last 14 days since being marked as 'stale'

github-actions[bot], Sep 30 '25 00:09