Problem Statement
The requirement is to set encrypted password in configuration for Cassandra so that Quarkus automatically decrypts the password at runtime (like jasypt).
Example
quarkus.cassandra.auth.username=john
quarkus.cassandra.auth.password=s3cr3t --> instead of this
quarkus.cassandra.auth.password=ENC(1k9u) --> something like this
The recommendation is to use Vault as a ConfigSource. Secrets can be stored on Vault and Quarkus will read them as any other configuration source.
Please check: https://quarkus.io/guides/vault
I've reached out to the team who maintain the Quarkus extension for Apache Cassandra and got confirmation that unfortunately it's not possible to do that. Cheers!
Related
We are working on a REST api which needs to generate a fingerprint. So it has to store a key and password on its end for generating this fingerprint. Presently, we've stored these values in config file.
But doesn't meet the security requirements. Wanted to know if .net has any better way of storing such key info? Any keystore available similar to Javakeystore?
In general, how to secure critical data in .net Web apis?
You can use Azure Key Vault for storing your key and password securely.
Here, how can you configure this,
https://learn.microsoft.com/en-us/azure/key-vault/secrets/quick-create-portal
I have a pretty standard application written in Java which also runs queries against a DB. The application resides on GCP and the DB on Atlas.
For understandable reasons, I don't want to keep the username and password for the DB in the code.
So option number 1 that I had in mind, is to pass the username and password as environment variables to the application container in GCP.
Option number 2 is using Secret Manager in GCP and store my username and password there, and pass the GCP Credentials as an environment variable to the application container in GCP.
My question is, what is the added value of option number 2 if it has any? It seems that option 2 is even worse from a security aspect since if some hacker gets the google credentials, it has access to all of the secrets stored in the Secret Manager.
I don't know what are the best practices and what is advised to do in such cases. Thank you for your help.
Having credentials in GCP secret manager will help you to keep track of all the secrets and changes in a centralized location and access globally from any of your app.
For a standard application where one JAVA is connecting to a DB, may not add much values.
You may look into kubernetes secret for that reason.
If your application resides in GCP, you don't need a service account key file (which is your security concern, and you are right. I wrote an article on this)
TL;DR use ADC (Application Default Credential) to automatically get the service account credential provided automatically on Google Cloud Component (look at metadata server for more details).
Then grant this component identity (by default or user defined, when supported), i.e. the service account email, to access to your secrets.
And that's all! You haven't secrets in your code and your environment variable, neither the login/password, nor the service account key file.
If you have difficulties to use ADC in Java, don't hesitate to share your code. I will be able to help your to achieve this.
To use Secret Manager on Google Cloud you need to install the Secret Manager Java SDK Libraries. This documentation shows how to get started with the Cloud Client Libraries for the Secret Manager API, you only need to go to the Java section.
This Libraries helps you to access your keys in order that it can be used by your app.
The following link shows how to get details about a secret by viewing its metadata. Keep in mind that viewing a secret's metadata requires the Secret Viewer role (roles/secretmanager.viewer) on the secret, project, folder, or organization.
I recommend you to create a special Service Account to handle the proper permissions for your app, because if you don’t have a SA defined, the default SA is what is going to generate the request, and it is not secure. you can learn more about how to create a service account in this link
On the other hand, you can find an example on how you can use the following guide that contains a good example of finding your credentials automatically, that's more convenient and secure than manually passing credentials.
I am new to use prestodb when i go through the presto documentation it helped me but i would like to take some advice from the presto experts and configuration set up help so I am dropping this question. Different options
1) Coordinator Kerberos Authentication. (only coordinator change)
In order to use this method i have to enable /etc/krb5.conf, for this do i have create a file in etc properties in presto with krb5.conf {user/presto/etc/krb5.conf} or do i have to use the system etc/krb5.conf . Correct me if I am wrong.
2) LDAP Authentication (Only Coordinator change)
The Presto client sends a username and password to the coordinator and coordinator validates these credentials using an external LDAP service.
3) Java Keystores and Truststores
Access to the Presto coordinator must be through HTTPS when using Kerberos and LDAP authentication. The Presto coordinator uses a Java Keystore file for its TLS configuration. These keys are generated using keytool and stored in a Java Keystore file for the Presto coordinator.
The alias in the keytool command line should match the principal that the Presto coordinator will use.
Finally
4) Built-in System Access Control
A system access control plugin enforces authorization at a global level, before any connector level authorization. You can either use one of the built-in plugins in Presto or provide your own by following the guidelines in System Access Control.
As the last one is easy i could directly add a json file for providing access but that doesnt seem good idea on larger scale.
If you are just starting with Presto then it would be good to try out some basic authentication. As you can see Kerberos and LDAP have their own external dependencies, I would recommend to try out File based authentication which is very easy to implement.
https://www.qubole.com/blog/simplifying-user-access-in-presto-with-file-based-authentication/
For authorization, you can see Hive security options like read-only, sql-standard etc.
https://prestodb.io/docs/current/connector/hive-security.html
Due to PA-DSS compliance, we are not allowed to have clear text passwords in configuration files, even if we control who is allowed to access the file.
I've checked WildFly's documentation, but could only find information about protecting the database's password via org.picketbox.datasource.security.SecureIdentityLoginModule. Is there a way to do this on WildFly? Both WebSphere and GlassFish provide a way to do this, so I guess WildFly might have a way too.
You can create a vault and encrypt the password with valutTool. Then refer to the password stored in vault with the preset variable e.g.
<module-option name="bindCredential" value="${VAULT::MYLDAP::PASSWORD::1}"/>
https://developer.jboss.org/wiki/MaskingPasswordsForWildFlyUsingNon-interactiveVaultTool
I set up an RCS server (hybrid ircd). I would like to secure it with authentication. But my user credentials are stored in a database table.
1- I cannot find anywhere documentation on how to configure the "auth" section of httpd.conf.
2- From what I understand I could use an authentication service (identd) but I don't understand how this works, how to set it up, and how to configure this to use a database table for credentials.
Please give me a hand with this.
By using InspIRCd instead, I can use this SQL authentication module:
http://wiki.inspircd.org/Modules/1.2/sqlauth
Problem solved!