diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 5540e5147c..1419f2548c 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -465,6 +465,9 @@ Release 2.7.0 - UNRELEASED
HADOOP-11322. key based ACL check in KMS always check KeyOpType.MANAGEMENT
even actual KeyOpType is not MANAGEMENT. (Dian Fu via yliu)
+ HADOOP-11300. KMS startup scripts must not display the keystore /
+ truststore passwords. (Arun Suresh via wang)
+
Release 2.6.0 - 2014-11-18
INCOMPATIBLE CHANGES
diff --git a/hadoop-common-project/hadoop-kms/pom.xml b/hadoop-common-project/hadoop-kms/pom.xml
index fda25aa1d8..c33b33eb8b 100644
--- a/hadoop-common-project/hadoop-kms/pom.xml
+++ b/hadoop-common-project/hadoop-kms/pom.xml
@@ -397,8 +397,8 @@
-
-
+
diff --git a/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh b/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh
index dc603d4f90..d36ab4d94f 100644
--- a/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh
+++ b/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh
@@ -152,9 +152,10 @@ fi
if [ "${KMS_SSL_KEYSTORE_PASS}" = "" ]; then
export KMS_SSL_KEYSTORE_PASS=password
- print "Setting KMS_SSL_KEYSTORE_PASS: ${KMS_SSL_KEYSTORE_PASS}"
+ print "Setting KMS_SSL_KEYSTORE_PASS: ********"
else
- print "Using KMS_SSL_KEYSTORE_PASS: ${KMS_SSL_KEYSTORE_PASS}"
+ KMS_SSL_KEYSTORE_PASS_DISP=`echo ${KMS_SSL_KEYSTORE_PASS} | sed 's/./*/g'`
+ print "Using KMS_SSL_KEYSTORE_PASS: ${KMS_SSL_KEYSTORE_PASS_DISP}"
fi
if [ "${CATALINA_BASE}" = "" ]; then
diff --git a/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh b/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh
index b43225f62d..1e40e10ef8 100644
--- a/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh
+++ b/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh
@@ -36,7 +36,11 @@ source ${HADOOP_LIBEXEC_DIR:-${BASEDIR}/libexec}/kms-config.sh
# The Java System property 'kms.http.port' it is not used by Kms,
# it is used in Tomcat's server.xml configuration file
#
-print "Using CATALINA_OPTS: ${CATALINA_OPTS}"
+
+# Mask the trustStorePassword
+KMS_SSL_TRUSTSTORE_PASS=`echo $CATALINA_OPTS | grep -o 'trustStorePassword=[^ ]*' | awk -F'=' '{print $2}'`
+CATALINA_OPTS_DISP=`echo ${CATALINA_OPTS} | sed -e 's/trustStorePassword=[^ ]*/trustStorePassword=***/'`
+print "Using CATALINA_OPTS: ${CATALINA_OPTS_DISP}"
catalina_opts="-Dkms.home.dir=${KMS_HOME}";
catalina_opts="${catalina_opts} -Dkms.config.dir=${KMS_CONFIG}";
@@ -46,11 +50,11 @@ catalina_opts="${catalina_opts} -Dkms.admin.port=${KMS_ADMIN_PORT}";
catalina_opts="${catalina_opts} -Dkms.http.port=${KMS_HTTP_PORT}";
catalina_opts="${catalina_opts} -Dkms.max.threads=${KMS_MAX_THREADS}";
catalina_opts="${catalina_opts} -Dkms.ssl.keystore.file=${KMS_SSL_KEYSTORE_FILE}";
-catalina_opts="${catalina_opts} -Dkms.ssl.keystore.pass=${KMS_SSL_KEYSTORE_PASS}";
print "Adding to CATALINA_OPTS: ${catalina_opts}"
+print "Found KMS_SSL_KEYSTORE_PASS: `echo ${KMS_SSL_KEYSTORE_PASS} | sed 's/./*/g'`"
-export CATALINA_OPTS="${CATALINA_OPTS} ${catalina_opts}"
+export CATALINA_OPTS="${CATALINA_OPTS_DISP} ${catalina_opts}"
# A bug in catalina.sh script does not use CATALINA_OPTS for stopping the server
#
@@ -58,4 +62,11 @@ if [ "${1}" = "stop" ]; then
export JAVA_OPTS=${CATALINA_OPTS}
fi
+# If ssl, the populate the passwords into ssl-server.xml before starting tomcat
+if [ ! "${KMS_SSL_KEYSTORE_PASS}" = "" ] || [ ! "${KMS_SSL_TRUSTSTORE_PASS}" = "" ]; then
+ cat ${CATALINA_BASE}/conf/ssl-server.xml.conf \
+ | sed 's/_kms_ssl_keystore_pass_/'${KMS_SSL_KEYSTORE_PASS}'/g' \
+ | sed 's/_kms_ssl_truststore_pass_/'${KMS_SSL_TRUSTSTORE_PASS}'/g' > ${CATALINA_BASE}/conf/ssl-server.xml
+fi
+
exec ${KMS_CATALINA_HOME}/bin/catalina.sh "$@"
diff --git a/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml b/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf
similarity index 98%
rename from hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml
rename to hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf
index 5215ded308..b60da47334 100644
--- a/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml
+++ b/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf
@@ -71,8 +71,9 @@
+ keystorePass="_kms_ssl_keystore_pass_"/>