
HADOOP-13911. Remove TRUSTSTORE_PASSWORD related scripts from KMS. Contributed by John Zhuge.

Xiao Chen 8 年 前
コミット
30f85d7a88

+ 0 - 5
hadoop-common-project/hadoop-kms/src/main/conf/kms-env.sh

@@ -47,11 +47,6 @@
 #
 # export KMS_SSL_KEYSTORE_PASS=password
 
-#
-# The password of the truststore
-#
-# export KMS_SSL_TRUSTSTORE_PASS=
-
 
 ##
 ## Tomcat specific settings

+ 0 - 5
hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh

@@ -44,11 +44,6 @@ function hadoop_subproject_init
 
   export HADOOP_CATALINA_SSL_KEYSTORE_FILE="${KMS_SSL_KEYSTORE_FILE:-${HOME}/.keystore}"
 
-  # this is undocumented, but older versions would rip the TRUSTSTORE_PASS out of the
-  # CATALINA_OPTS
-  # shellcheck disable=SC2086
-  export KMS_SSL_TRUSTSTORE_PASS=${KMS_SSL_TRUSTSTORE_PASS:-"$(echo ${CATALINA_OPTS} | grep -o 'trustStorePassword=[^ ]*' | cut -f2 -d= )"}
-
   export CATALINA_BASE="${CATALINA_BASE:-${HADOOP_HOME}/share/hadoop/kms/tomcat}"
   export HADOOP_CATALINA_HOME="${KMS_CATALINA_HOME:-${CATALINA_BASE}}"
 

+ 2 - 9
hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh

@@ -51,11 +51,7 @@ fi
 # it is used in Tomcat's server.xml configuration file
 #
 
-# Mask the trustStorePassword
-# shellcheck disable=SC2086
-CATALINA_OPTS_DISP="$(echo ${CATALINA_OPTS} | sed -e 's/trustStorePassword=[^ ]*/trustStorePassword=***/')"
-
-hadoop_debug "Using   CATALINA_OPTS:       ${CATALINA_OPTS_DISP}"
+hadoop_debug "Using   CATALINA_OPTS:       ${CATALINA_OPTS}"
 
 # We're using hadoop-common, so set up some stuff it might need:
 hadoop_finalize
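Review bot: The new `hadoop_debug` line prints `${CATALINA_OPTS}` unmasked, so a `trustStorePassword=` (or any other `*Password=`) property that an operator still passes through CATALINA_OPTS would appear in clear text in debug output. The commit removes the KMS_SSL_TRUSTSTORE_PASS handling, but nothing visible here prevents CATALINA_OPTS from carrying a password. I would keep a masking step, generalised and with the expansion quoted so the SC2086 suppression is no longer needed: `CATALINA_OPTS_DISP="$(printf '%s' "${CATALINA_OPTS}" | sed -e 's/Password=[^ ]*/Password=***/g')"` followed by `hadoop_debug "Using   CATALINA_OPTS:       ${CATALINA_OPTS_DISP}"`.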
@@ -94,14 +90,11 @@ fi
 # if custom, use provided password
 #
 if [[ -f "${HADOOP_CATALINA_HOME}/conf/ssl-server.xml.conf" ]]; then
-  if [[ -n "${KMS_SSL_KEYSTORE_PASS+x}" ]] || [[ -n "${KMS_SSL_TRUSTSTORE_PASS}" ]]; then
+  if [[ -n "${KMS_SSL_KEYSTORE_PASS+x}" ]]; then
       export KMS_SSL_KEYSTORE_PASS=${KMS_SSL_KEYSTORE_PASS:-password}
       KMS_SSL_KEYSTORE_PASS_ESCAPED=$(hadoop_xml_escape \
         "$(hadoop_sed_escape "$KMS_SSL_KEYSTORE_PASS")")
-      KMS_SSL_TRUSTSTORE_PASS_ESCAPED=$(hadoop_xml_escape \
-        "$(hadoop_sed_escape "$KMS_SSL_TRUSTSTORE_PASS")")
       sed -e 's/"_kms_ssl_keystore_pass_"/'"\"${KMS_SSL_KEYSTORE_PASS_ESCAPED}\""'/g' \
-          -e 's/"_kms_ssl_truststore_pass_"/'"\"${KMS_SSL_TRUSTSTORE_PASS_ESCAPED}\""'/g' \
         "${HADOOP_CATALINA_HOME}/conf/ssl-server.xml.conf" \
         > "${HADOOP_CATALINA_HOME}/conf/ssl-server.xml"
       chmod 700 "${HADOOP_CATALINA_HOME}/conf/ssl-server.xml" >/dev/null 2>&1
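Review bot: `ssl-server.xml` is created by the `sed ... >` redirect under whatever umask the process has and is only tightened afterwards by `chmod 700`, whose failure is hidden by `>/dev/null 2>&1`. The file holds the keystore password, so it may be readable by other local users briefly, or permanently if the chmod fails. Setting `umask 077` before the redirect (for example in a subshell around the `sed`) and replacing the silenced call with `chmod 600 "${HADOOP_CATALINA_HOME}/conf/ssl-server.xml" || hadoop_error "cannot restrict ssl-server.xml"` would close that gap; the file does not need the execute bit. The escaped password is also passed on the `sed` command line, where it may be visible in the process list while sed runs. The enclosing `if` block starts above and continues past this hunk.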

+ 0 - 1
hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf

@@ -72,7 +72,6 @@
                maxThreads="${kms.max.threads}" scheme="https" secure="true"
                maxHttpHeaderSize="${kms.max.http.header.size}"
                clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
-               truststorePass="_kms_ssl_truststore_pass_"
                keystoreFile="${kms.ssl.keystore.file}"
                keystorePass="_kms_ssl_keystore_pass_"/>