Open FaxianZhao opened 5 years ago
@FaxianZhao Are you using a DefaultPasswordProvider? If so, even if the Coordinator used LookupExtractorFactoryContainer instead of LookupExtractorFactoryMapContainer, the DefaultPasswordProvider would still have a visible password in its serialized form.
You could consider using an EnvironmentPasswordProvider in your JDBC extraction namespace instead, so the password doesn't appear
Thanks for your help. If we use LookupExtractorFactoryContainer in the coordinator, we should load all LookupExtractorFactory extensions when it starts. Otherwise, the coordinator cannot recognize the right implementation.
I agree with @jon-wei: protecting the password using EnvironmentVariablePasswordProvider or your own implementation of PasswordProvider would be the right approach.
Affected Version
Description
The Coordinator uses LookupExtractorFactoryMapContainer instead of LookupExtractorFactoryContainer to store the lookup spec, so there is no PasswordProvider to protect the JDBC password. Anyone could use GET /druid/coordinator/v1/lookups/config/all to find them.
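An added example (not part of the thread and not Druid's own code): a check an operator could run over a saved response from the endpoint named in the description, listing lookups whose JDBC password is stored as a literal rather than as an environment reference. The response nesting, the lookup names and the sample values are constructed assumptions, as are the `default` and `environment` provider object forms used to tell the two cases apart.

```python
"""Flag literal JDBC passwords in a Druid lookup config dump (paths only, never values)."""
import json
import sys


def _spec(password):
    # Constructed lookup spec; the nesting is an assumed shape for a JDBC lookup.
    return {"version": "v0", "lookupExtractorFactory": {
        "type": "cachedNamespace", "extractionNamespace": {
            "type": "jdbc", "connectorConfig": {
                "connectURI": "jdbc:mysql://db.example.internal/lookups",
                "user": "druid", "password": password}}}}


# Constructed sample: tier -> lookup name -> spec. All names and values are made up.
SAMPLE = {"__default": {
    "plain_string": _spec("CONSTRUCTED-SECRET"),
    "default_provider": _spec({"type": "default", "password": "CONSTRUCTED-SECRET"}),
    "env_provider": _spec({"type": "environment", "variable": "LOOKUP_DB_PASSWORD"}),
}}


def _is_literal(value):
    # A bare string or a "default" provider object carries the secret itself;
    # an "environment" provider only names the variable that holds it.
    # Other (custom) provider types are not judged here.
    return isinstance(value, str) or (
        isinstance(value, dict) and value.get("type") == "default")


def literal_passwords(node, path=()):
    """Yield the JSON path of every 'password' field holding a literal secret."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = path + (str(key),)
            if key == "password" and _is_literal(value):
                yield "/".join(here)
            else:
                yield from literal_passwords(value, here)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from literal_passwords(item, path + (str(index),))


if __name__ == "__main__":
    # Pass a saved response file as argv[1]; with no argument the sample is used.
    config = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for hit in sorted(literal_passwords(config)):
        print("literal password at", hit)
```

The script reports only the path of each finding, so its output can be pasted into a ticket without repeating the secret.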