HADOOP-11300. KMS startup scripts must not display the keystore / truststore passwords. Contributed by Arun Suresh.

(cherry picked from commit 56f3eecc129486d3297d082d9b97f26b40d0a2c6)

hadoop-common-project/hadoop-common/CHANGES.txt

@@ -105,6 +105,9 @@ Release 2.7.0 - UNRELEASED
     HADOOP-11322. key based ACL check in KMS always check KeyOpType.MANAGEMENT
     even actual KeyOpType is not MANAGEMENT. (Dian Fu via yliu)
 
+    HADOOP-11300. KMS startup scripts must not display the keystore /
+    truststore passwords. (Arun Suresh via wang)
+
 Release 2.6.0 - 2014-11-18
 
   INCOMPATIBLE CHANGES

hadoop-common-project/hadoop-kms/pom.xml

@@ -397,8 +397,8 @@
                     <delete file="${kms.tomcat.dist.dir}/conf/server.xml"/>
                     <copy file="${basedir}/src/main/tomcat/server.xml"
                           toDir="${kms.tomcat.dist.dir}/conf"/>
-                    <delete file="${kms.tomcat.dist.dir}/conf/ssl-server.xml"/>
-                    <copy file="${basedir}/src/main/tomcat/ssl-server.xml"
+                    <delete file="${kms.tomcat.dist.dir}/conf/ssl-server.xml.conf"/>
+                    <copy file="${basedir}/src/main/tomcat/ssl-server.xml.conf"
                           toDir="${kms.tomcat.dist.dir}/conf"/>
                     <delete
                       file="${kms.tomcat.dist.dir}/conf/logging.properties"/>

hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh

@@ -152,9 +152,10 @@ fi
 
 if [ "${KMS_SSL_KEYSTORE_PASS}" = "" ]; then
   export KMS_SSL_KEYSTORE_PASS=password
-  print "Setting KMS_SSL_KEYSTORE_PASS:     ${KMS_SSL_KEYSTORE_PASS}"
+  print "Setting KMS_SSL_KEYSTORE_PASS:     ********"
 else
-  print "Using   KMS_SSL_KEYSTORE_PASS:     ${KMS_SSL_KEYSTORE_PASS}"
+  KMS_SSL_KEYSTORE_PASS_DISP=`echo ${KMS_SSL_KEYSTORE_PASS} | sed 's/./*/g'`
+  print "Using   KMS_SSL_KEYSTORE_PASS:     ${KMS_SSL_KEYSTORE_PASS_DISP}"
 fi
 
 if [ "${CATALINA_BASE}" = "" ]; then

hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh

@@ -36,7 +36,11 @@ source ${HADOOP_LIBEXEC_DIR:-${BASEDIR}/libexec}/kms-config.sh
 # The Java System property 'kms.http.port' it is not used by Kms,
 # it is used in Tomcat's server.xml configuration file
 #
-print "Using   CATALINA_OPTS:       ${CATALINA_OPTS}"
+
+# Mask the trustStorePassword
+KMS_SSL_TRUSTSTORE_PASS=`echo $CATALINA_OPTS | grep -o 'trustStorePassword=[^ ]*' | awk -F'=' '{print $2}'`
+CATALINA_OPTS_DISP=`echo ${CATALINA_OPTS} | sed -e 's/trustStorePassword=[^ ]*/trustStorePassword=***/'`
+print "Using   CATALINA_OPTS:       ${CATALINA_OPTS_DISP}"
 
 catalina_opts="-Dkms.home.dir=${KMS_HOME}";
 catalina_opts="${catalina_opts} -Dkms.config.dir=${KMS_CONFIG}";
@@ -46,11 +50,11 @@ catalina_opts="${catalina_opts} -Dkms.admin.port=${KMS_ADMIN_PORT}";
 catalina_opts="${catalina_opts} -Dkms.http.port=${KMS_HTTP_PORT}";
 catalina_opts="${catalina_opts} -Dkms.max.threads=${KMS_MAX_THREADS}";
 catalina_opts="${catalina_opts} -Dkms.ssl.keystore.file=${KMS_SSL_KEYSTORE_FILE}";
-catalina_opts="${catalina_opts} -Dkms.ssl.keystore.pass=${KMS_SSL_KEYSTORE_PASS}";
 
 print "Adding to CATALINA_OPTS:     ${catalina_opts}"
+print "Found KMS_SSL_KEYSTORE_PASS:     `echo ${KMS_SSL_KEYSTORE_PASS} | sed 's/./*/g'`"
 
-export CATALINA_OPTS="${CATALINA_OPTS} ${catalina_opts}"
+export CATALINA_OPTS="${CATALINA_OPTS_DISP} ${catalina_opts}"
 
 # A bug in catalina.sh script does not use CATALINA_OPTS for stopping the server
 #
@@ -58,4 +62,11 @@ if [ "${1}" = "stop" ]; then
   export JAVA_OPTS=${CATALINA_OPTS}
 fi
 
+# If ssl, the populate the passwords into ssl-server.xml before starting tomcat
+if [ ! "${KMS_SSL_KEYSTORE_PASS}" = "" ] || [ ! "${KMS_SSL_TRUSTSTORE_PASS}" = "" ]; then
+  cat ${CATALINA_BASE}/conf/ssl-server.xml.conf \
+    | sed 's/_kms_ssl_keystore_pass_/'${KMS_SSL_KEYSTORE_PASS}'/g' \
+    | sed 's/_kms_ssl_truststore_pass_/'${KMS_SSL_TRUSTSTORE_PASS}'/g' > ${CATALINA_BASE}/conf/ssl-server.xml
+fi 
+
 exec ${KMS_CATALINA_HOME}/bin/catalina.sh "$@"

hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml → hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf

@@ -71,8 +71,9 @@
     <Connector port="${kms.http.port}" protocol="HTTP/1.1" SSLEnabled="true"
                maxThreads="${kms.max.threads}" scheme="https" secure="true"
                clientAuth="false" sslEnabledProtocols="TLSv1,SSLv2Hello"
+               truststorePass="_kms_ssl_truststore_pass_"
                keystoreFile="${kms.ssl.keystore.file}"
-               keystorePass="${kms.ssl.keystore.pass}"/>
+               keystorePass="_kms_ssl_keystore_pass_"/>
 
     <!-- Define an AJP 1.3 Connector on port 8009 -->