From b589f59037a40d72169a7800131e44d40b2233c7 Mon Sep 17 00:00:00 2001 From: "chaitali.borole" Date: Mon, 19 Jan 2026 17:12:53 +0530 Subject: [PATCH] ATLAS-5189: Encrypt postgres password --- graphdb/janusgraph-rdbms/pom.xml | 4 ++++ .../diskstorage/rdbms/dao/DaoManager.java | 13 ++++++++++++ .../apache/atlas/ApplicationProperties.java | 20 ++++++++++++++++--- 3 files changed, 34 insertions(+), 3 deletions(-) diff --git a/graphdb/janusgraph-rdbms/pom.xml b/graphdb/janusgraph-rdbms/pom.xml index 663f09cd0c1..80301dac09a 100644 --- a/graphdb/janusgraph-rdbms/pom.xml +++ b/graphdb/janusgraph-rdbms/pom.xml @@ -38,6 +38,10 @@ HikariCP ${HikariCP.version} + + org.apache.atlas + atlas-intg + org.eclipse.persistence eclipselink diff --git a/graphdb/janusgraph-rdbms/src/main/java/org/janusgraph/diskstorage/rdbms/dao/DaoManager.java b/graphdb/janusgraph-rdbms/src/main/java/org/janusgraph/diskstorage/rdbms/dao/DaoManager.java index ae434c65772..52564526138 100644 --- a/graphdb/janusgraph-rdbms/src/main/java/org/janusgraph/diskstorage/rdbms/dao/DaoManager.java +++ b/graphdb/janusgraph-rdbms/src/main/java/org/janusgraph/diskstorage/rdbms/dao/DaoManager.java @@ -20,6 +20,8 @@ import com.zaxxer.hikari.HikariConfig; import com.zaxxer.hikari.HikariDataSource; +import org.apache.atlas.ApplicationProperties; +import org.apache.atlas.AtlasException; import org.eclipse.persistence.config.PersistenceUnitProperties; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -62,6 +64,7 @@ public class DaoManager { private static final Logger LOG = LoggerFactory.getLogger(DaoManager.class); private final EntityManagerFactory emFactory; + private static final String HIKARI_PASSWORD_KEY = "atlas.graph.storage.rdbms.jpa.hikari.password"; /** * 
@@ -78,6 +81,16 @@ public DaoManager(Map jpaConfig) {
 if (value != null) {
 if (key.startsWith("hikari.")) {
+ if ("hikari.password".equals(key)) {
+ try {
+ String decrypted = ApplicationProperties.getDecryptedPassword(ApplicationProperties.get(), HIKARI_PASSWORD_KEY);
+ if (decrypted != null) {
+ value = decrypted;
+ }
+ } catch (AtlasException e) {
+ LOG.error("Error in getting secure password ", e);
+ }
+ }
 hikariConfig.put(key.substring("hikari".length() + 1), value.toString());
 } else {
 config.put(key, value.toString());
diff --git a/intg/src/main/java/org/apache/atlas/ApplicationProperties.java b/intg/src/main/java/org/apache/atlas/ApplicationProperties.java
index a1c799de38a..7fd026d60ca 100644
--- a/intg/src/main/java/org/apache/atlas/ApplicationProperties.java
+++ b/intg/src/main/java/org/apache/atlas/ApplicationProperties.java
@@ -67,7 +67,7 @@ public final class ApplicationProperties extends PropertiesConfiguration {
 public static final String AD = "AD";
 public static final String LDAP_AD_BIND_PASSWORD = "atlas.authentication.method.ldap.ad.bind.password";
 public static final String LDAP_BIND_PASSWORD = "atlas.authentication.method.ldap.bind.password";
- public static final String MASK_LDAP_PASSWORD = "********";
+ public static final String MASK_PASSWORD = "********";
 public static final String DEFAULT_GRAPHDB_BACKEND = GRAPHBD_BACKEND_JANUS;
 public static final boolean DEFAULT_SOLR_WAIT_SEARCHER = false;
 public static final boolean DEFAULT_INDEX_MAP_NAME = false;
@@ -342,7 +342,7 @@ private static void setLdapPasswordFromKeystore(Configuration configuration) {
 if (ldapType.equalsIgnoreCase(LDAP)) {
 String maskPasssword = configuration.getString(LDAP_BIND_PASSWORD);
- if (MASK_LDAP_PASSWORD.equals(maskPasssword)) {
+ if (MASK_PASSWORD.equals(maskPasssword)) {
 String password = SecurityUtil.getPassword(configuration, LDAP_BIND_PASSWORD, HADOOP_SECURITY_CREDENTIAL_PROVIDER_PATH);
 configuration.clearProperty(LDAP_BIND_PASSWORD);
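Review bot: A credential-provider failure in the new `hikari.password` branch of the DaoManager constructor is logged and then ignored, so the value from `jpaConfig` (presumably still the `********` mask) is handed to Hikari and the real cause only shows up later as a database authentication error. The `catch (AtlasException e)` here covers only `ApplicationProperties.get()`; `getDecryptedPassword`, added in the last ApplicationProperties.java hunk, catches `Exception` itself and returns the masked value, so this caller cannot tell a failed lookup from a resolved one. I would fail startup instead, e.g. `throw new IllegalStateException("Cannot resolve " + HIKARI_PASSWORD_KEY + " from the credential provider", e);` in this catch, and treat a result equal to `ApplicationProperties.MASK_PASSWORD` as unresolved. The lookup also reads the global property under a hard-coded key rather than the `value` passed in, so a non-null global setting silently replaces whatever the caller supplied; a short comment should state that this is intended. The constructor body continues outside the hunk.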
@@ -351,7 +351,7 @@ private static void setLdapPasswordFromKeystore(Configuration configuration) {
 } else if (ldapType.equalsIgnoreCase(AD)) {
 String maskPasssword = configuration.getString(LDAP_AD_BIND_PASSWORD);
- if (MASK_LDAP_PASSWORD.equals(maskPasssword)) {
+ if (MASK_PASSWORD.equals(maskPasssword)) {
 String password = SecurityUtil.getPassword(configuration, LDAP_AD_BIND_PASSWORD, HADOOP_SECURITY_CREDENTIAL_PROVIDER_PATH);
 configuration.clearProperty(LDAP_AD_BIND_PASSWORD);
@@ -364,6 +364,20 @@ private static void setLdapPasswordFromKeystore(Configuration configuration) {
 }
 }
+ public static String getDecryptedPassword(Configuration configuration, String propertyKey) {
+ String configuredValue = configuration != null ? configuration.getString(propertyKey) : null;
+
+ if (configuredValue != null && MASK_PASSWORD.equals(configuredValue)) {
+ try {
+ return SecurityUtil.getPassword(configuration, propertyKey, HADOOP_SECURITY_CREDENTIAL_PROVIDER_PATH);
+ } catch (Exception e) {
+ LOG.error("Error in getting secure password ", e);
+ }
+ }
+
+ return configuredValue;
+ }
+
 private void setDefaults() {
 AtlasRunMode runMode = AtlasRunMode.valueOf(getString(ATLAS_RUN_MODE, DEFAULT_ATLAS_RUN_MODE.name()));
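Review bot: The new public `getDecryptedPassword` has no Javadoc, and its contract is not what the name suggests: it returns the configured value verbatim unless that value equals `MASK_PASSWORD`, and returns `null` when `configuration` is null. A plaintext password in the properties file is therefore still accepted unchanged, which should be stated so operators do not assume the setting is always stored encrypted. I would add a Javadoc block covering the masked case (lookup through `HADOOP_SECURITY_CREDENTIAL_PROVIDER_PATH`), the plaintext pass-through, the null case, and the fact that a failed lookup currently returns the mask rather than throwing. The `configuredValue != null &&` test is redundant, since `MASK_PASSWORD.equals(configuredValue)` is already false for null.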