This Confluence has been LDAP enabled, if you are an ASF Committer, please use your LDAP Credentials to login. Any problems file an INFRA jira ticket please.

Child pages
  • KIP-13 Environment variables should be usable when looking up passwords

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Since it may not be desirable to always use the environment as a potential credential store, alias names should be decorated to indicate that the target container is the environment.  The current implementation most of the relevant alias names are declared in the gateway-site.xml file.  For example, the alias name for the password for the TLS identity's keystore file is specified using the property named gateway.tls.keystore.password.alias.  By default the value is "gateway-identity-keystore-password".  Without decorating this alias name, it could take up to 3 lookup operations to find the relevant password.  However, if a convention is enforced, then the environment lookup can be skipped.  To allow for an alias to be looked up in the environment, the alias name must begin with "env.".  This prefix will be removed when performing the lookup. For example, to look for "gateway-identity-keystore-password" in the environment, the value of the gateway.tls.keystore.password.alias configuration property must be "env.gateway-identity-keystore-password".  The "env." will be stripped from the alias name and "gateway-identity-keystore-password" will be used to search the environment, and then the remote and local credential stores (as necessary). However, if the value of the gateway.tls.keystore.password.alias configuration property is "gateway-identity-keystore-password", then "gateway-identity-keystore-password" will be used to search in the remote and local credential stores (as necessary).

Image Modified

Proposed updated password lookup workflow allowing the environment variable lookup to be skipped.

...