diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index 5540e5147c..1419f2548c 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -465,6 +465,9 @@ Release 2.7.0 - UNRELEASED HADOOP-11322. key based ACL check in KMS always check KeyOpType.MANAGEMENT even actual KeyOpType is not MANAGEMENT. (Dian Fu via yliu) + HADOOP-11300. KMS startup scripts must not display the keystore / + truststore passwords. (Arun Suresh via wang) + Release 2.6.0 - 2014-11-18 INCOMPATIBLE CHANGES diff --git a/hadoop-common-project/hadoop-kms/pom.xml b/hadoop-common-project/hadoop-kms/pom.xml index fda25aa1d8..c33b33eb8b 100644 --- a/hadoop-common-project/hadoop-kms/pom.xml +++ b/hadoop-common-project/hadoop-kms/pom.xml @@ -397,8 +397,8 @@ - - + diff --git a/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh b/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh index dc603d4f90..d36ab4d94f 100644 --- a/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh +++ b/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh @@ -152,9 +152,10 @@ fi if [ "${KMS_SSL_KEYSTORE_PASS}" = "" ]; then export KMS_SSL_KEYSTORE_PASS=password - print "Setting KMS_SSL_KEYSTORE_PASS: ${KMS_SSL_KEYSTORE_PASS}" + print "Setting KMS_SSL_KEYSTORE_PASS: ********" else - print "Using KMS_SSL_KEYSTORE_PASS: ${KMS_SSL_KEYSTORE_PASS}" + KMS_SSL_KEYSTORE_PASS_DISP=`echo ${KMS_SSL_KEYSTORE_PASS} | sed 's/./*/g'` + print "Using KMS_SSL_KEYSTORE_PASS: ${KMS_SSL_KEYSTORE_PASS_DISP}" fi if [ "${CATALINA_BASE}" = "" ]; then diff --git a/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh b/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh index b43225f62d..1e40e10ef8 100644 --- a/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh +++ b/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh 
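Review bot: In the else branch of the kms-config.sh hunk, `echo ${KMS_SSL_KEYSTORE_PASS}` expands the password unquoted, so a value containing whitespace or a glob character is word-split or matched against the current directory before sed sees it, and with bash's builtin echo a value beginning with `-n` or `-e` is consumed as an option, so the mask does not reflect the real value. Writing it as `KMS_SSL_KEYSTORE_PASS_DISP=$(printf '%s' "${KMS_SSL_KEYSTORE_PASS}" | sed 's/./*/g')` avoids all of that. The per-character mask still reveals the password length in the startup log; the fixed `********` the if branch already prints would be the safer form for both lines. Masking the if branch also hides from the operator that the built-in default `password` is in effect, which is worth keeping visible, e.g. `print "Setting KMS_SSL_KEYSTORE_PASS: ******** (built-in default)"`. The `if`/`else`/`fi` this hunk edits is shown in full; the rest of the script is outside it.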
@@ -36,7 +36,11 @@ source ${HADOOP_LIBEXEC_DIR:-${BASEDIR}/libexec}/kms-config.sh
 # The Java System property 'kms.http.port' it is not used by Kms,
 # it is used in Tomcat's server.xml configuration file
 #
-print "Using CATALINA_OPTS: ${CATALINA_OPTS}"
+
+# Mask the trustStorePassword
+KMS_SSL_TRUSTSTORE_PASS=`echo $CATALINA_OPTS | grep -o 'trustStorePassword=[^ ]*' | awk -F'=' '{print $2}'`
+CATALINA_OPTS_DISP=`echo ${CATALINA_OPTS} | sed -e 's/trustStorePassword=[^ ]*/trustStorePassword=***/'`
+print "Using CATALINA_OPTS: ${CATALINA_OPTS_DISP}"
 catalina_opts="-Dkms.home.dir=${KMS_HOME}";
 catalina_opts="${catalina_opts} -Dkms.config.dir=${KMS_CONFIG}";
@@ -46,11 +50,11 @@ catalina_opts="${catalina_opts} -Dkms.admin.port=${KMS_ADMIN_PORT}";
 catalina_opts="${catalina_opts} -Dkms.http.port=${KMS_HTTP_PORT}";
 catalina_opts="${catalina_opts} -Dkms.max.threads=${KMS_MAX_THREADS}";
 catalina_opts="${catalina_opts} -Dkms.ssl.keystore.file=${KMS_SSL_KEYSTORE_FILE}";
-catalina_opts="${catalina_opts} -Dkms.ssl.keystore.pass=${KMS_SSL_KEYSTORE_PASS}";
 print "Adding to CATALINA_OPTS: ${catalina_opts}"
+print "Found KMS_SSL_KEYSTORE_PASS: `echo ${KMS_SSL_KEYSTORE_PASS} | sed 's/./*/g'`"
-export CATALINA_OPTS="${CATALINA_OPTS} ${catalina_opts}"
+export CATALINA_OPTS="${CATALINA_OPTS_DISP} ${catalina_opts}"
 # A bug in catalina.sh script does not use CATALINA_OPTS for stopping the server
 #
@@ -58,4 +62,11 @@ if [ "${1}" = "stop" ]; then
 export JAVA_OPTS=${CATALINA_OPTS}
 fi
+# If ssl, the populate the passwords into ssl-server.xml before starting tomcat
+if [ ! "${KMS_SSL_KEYSTORE_PASS}" = "" ] || [ ! "${KMS_SSL_TRUSTSTORE_PASS}" = "" ]; then
+ cat ${CATALINA_BASE}/conf/ssl-server.xml.conf \
+ | sed 's/_kms_ssl_keystore_pass_/'${KMS_SSL_KEYSTORE_PASS}'/g' \
+ | sed 's/_kms_ssl_truststore_pass_/'${KMS_SSL_TRUSTSTORE_PASS}'/g' > ${CATALINA_BASE}/conf/ssl-server.xml
+fi
+
 exec ${KMS_CATALINA_HOME}/bin/catalina.sh "$@"
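Review bot: The extraction `echo $CATALINA_OPTS | grep -o 'trustStorePassword=[^ ]*' | awk -F'=' '{print $2}'` truncates any truststore password that itself contains `=` (awk keeps only the second field), and because `$CATALINA_OPTS` is expanded unquoted each word can be glob-expanded against the current directory before grep sees it; whatever comes out is later written into ssl-server.xml as the real password, so Tomcat would then fail to open the truststore with nothing in the log to explain why. A single sed avoids both problems: `KMS_SSL_TRUSTSTORE_PASS=$(printf '%s' "${CATALINA_OPTS}" | sed -n 's/.*trustStorePassword=\([^ ]*\).*/\1/p')`. The comment `# Mask the trustStorePassword` describes only the second assignment; the first one captures the secret for the ssl-server.xml step further down, which deserves saying, e.g. `# Capture the trustStorePassword from CATALINA_OPTS so it can be delivered through ssl-server.xml, then mask it in the copy that is logged`.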
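Review bot: `export CATALINA_OPTS="${CATALINA_OPTS_DISP} ${catalina_opts}"` makes the masked string the value Tomcat actually runs with, so if CATALINA_OPTS carried `-Djavax.net.ssl.trustStorePassword=...` the JVM now starts with that property set to the literal `***`, and the `_DISP` suffix, which reads as "display copy", hides that this is deliberate. If the intent is to keep the secret off the command line (where `ps` shows it to every local user) and deliver it through ssl-server.xml instead, a comment should say so, e.g. `# Pass the masked copy to the JVM on purpose: the real truststore password is written into ssl-server.xml below so it never appears in the process arguments`, and anything in the JVM that reads the system property directly (outbound TLS from KMS, presumably) needs to be checked against the `***` value. The added `print "Found KMS_SSL_KEYSTORE_PASS: ..."` echoes the password unquoted, as in kms-config.sh; `$(printf '%s' "${KMS_SSL_KEYSTORE_PASS}" | sed 's/./*/g')` is the safe form, and a fixed `********` would also stop the log from revealing the password length.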
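Review bot: The two sed calls that fill in ssl-server.xml splice the passwords unquoted into the replacement text, so a password containing `/` terminates the expression, `&` re-inserts the placeholder, `\` is interpreted by sed, and whitespace splits the script into separate arguments; each case produces either a sed error or a wrong password in the file, and the only symptom is Tomcat refusing to open the keystore. The generated ssl-server.xml now holds both secrets in clear text but is written under the script's default umask, stays in place after startup, and a copy left from an earlier run keeps whatever mode it already had, so other local users may be able to read exactly what this commit removed from the command line. The rewrite below escapes the sed-special characters, uses one sed invocation on the file instead of `cat | sed | sed`, creates the file under `umask 077` after removing any previous copy, and aborts rather than starting Tomcat with the placeholders left in; characters special in XML (`&`, `<`, `"`) are still not escaped and would need a further transform if they are to be allowed. The comment `# If ssl, the populate ...` also reads better as `# If SSL is configured, populate the passwords into ssl-server.xml before starting Tomcat`.
```shell
# If SSL is configured, populate the passwords into ssl-server.xml before starting Tomcat.
# The secrets are kept out of the JVM arguments (visible to every local user via ps) and
# delivered through this file instead, so the file must not be readable by anyone else.
if [ ! "${KMS_SSL_KEYSTORE_PASS}" = "" ] || [ ! "${KMS_SSL_TRUSTSTORE_PASS}" = "" ]; then
  # Escape the characters sed treats specially in a replacement: \ first, then / and &
  kms_ks_pass=$(printf '%s' "${KMS_SSL_KEYSTORE_PASS}" | sed -e 's/\\/\\\\/g' -e 's/[\/&]/\\&/g')
  kms_ts_pass=$(printf '%s' "${KMS_SSL_TRUSTSTORE_PASS}" | sed -e 's/\\/\\\\/g' -e 's/[\/&]/\\&/g')
  ssl_server_xml="${CATALINA_BASE:?}/conf/ssl-server.xml"
  rm -f -- "${ssl_server_xml}"
  ( umask 077 && sed -e "s/_kms_ssl_keystore_pass_/${kms_ks_pass}/g" \
                     -e "s/_kms_ssl_truststore_pass_/${kms_ts_pass}/g" \
                     "${CATALINA_BASE}/conf/ssl-server.xml.conf" > "${ssl_server_xml}" ) \
    || { print "Failed to generate ${ssl_server_xml}"; exit 1; }
fi
```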
diff --git a/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml b/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf similarity index 98% rename from hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml rename to hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf index 5215ded308..b60da47334 100644 --- a/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml +++ b/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf @@ -71,8 +71,9 @@ + keystorePass="_kms_ssl_keystore_pass_"/>