ATLAS-5189: Encrypt postgres password

chaitali.borole · chaitali.borole · commit b589f59037a4 · 2026-01-19T17:12:53.000+05:30
diff --git a/graphdb/janusgraph-rdbms/pom.xml b/graphdb/janusgraph-rdbms/pom.xml
@@ -38,6 +38,10 @@
             <artifactId>HikariCP</artifactId>
             <version>${HikariCP.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.atlas</groupId>
+            <artifactId>atlas-intg</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.eclipse.persistence</groupId>
             <artifactId>eclipselink</artifactId>
diff --git a/graphdb/janusgraph-rdbms/src/main/java/org/janusgraph/diskstorage/rdbms/dao/DaoManager.java b/graphdb/janusgraph-rdbms/src/main/java/org/janusgraph/diskstorage/rdbms/dao/DaoManager.java
@@ -20,6 +20,8 @@
 
 import com.zaxxer.hikari.HikariConfig;
 import com.zaxxer.hikari.HikariDataSource;
+import org.apache.atlas.ApplicationProperties;
+import org.apache.atlas.AtlasException;
 import org.eclipse.persistence.config.PersistenceUnitProperties;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -62,6 +64,7 @@ public class DaoManager {
     private static final Logger LOG = LoggerFactory.getLogger(DaoManager.class);
 
     private final EntityManagerFactory emFactory;
+    private static final String HIKARI_PASSWORD_KEY = "atlas.graph.storage.rdbms.jpa.hikari.password";
 
     /**
      *
@@ -78,6 +81,16 @@ public DaoManager(Map<String, Object> jpaConfig) {
 
                 if (value != null) {
                     if (key.startsWith("hikari.")) {
+                        if ("hikari.password".equals(key)) {
+                            try {
+                                String decrypted = ApplicationProperties.getDecryptedPassword(ApplicationProperties.get(), HIKARI_PASSWORD_KEY);
+                                if (decrypted != null) {
+                                    value = decrypted;
+                                }
+                            } catch (AtlasException e) {
+                                LOG.error("Error in getting secure password ", e);
+                            }
+                        }
                         hikariConfig.put(key.substring("hikari".length() + 1), value.toString());
                     } else {
                         config.put(key, value.toString());
diff --git a/intg/src/main/java/org/apache/atlas/ApplicationProperties.java b/intg/src/main/java/org/apache/atlas/ApplicationProperties.java
@@ -67,7 +67,7 @@ public final class ApplicationProperties extends PropertiesConfiguration {
     public static final String       AD                               = "AD";
     public static final String       LDAP_AD_BIND_PASSWORD            = "atlas.authentication.method.ldap.ad.bind.password";
     public static final String       LDAP_BIND_PASSWORD               = "atlas.authentication.method.ldap.bind.password";
-    public static final String       MASK_LDAP_PASSWORD               = "********";
+    public static final String       MASK_PASSWORD                    = "********";
     public static final String       DEFAULT_GRAPHDB_BACKEND          = GRAPHBD_BACKEND_JANUS;
     public static final boolean      DEFAULT_SOLR_WAIT_SEARCHER       = false;
     public static final boolean      DEFAULT_INDEX_MAP_NAME           = false;
@@ -342,7 +342,7 @@ private static void setLdapPasswordFromKeystore(Configuration configuration) {
                 if (ldapType.equalsIgnoreCase(LDAP)) {
                     String maskPasssword = configuration.getString(LDAP_BIND_PASSWORD);
 
-                    if (MASK_LDAP_PASSWORD.equals(maskPasssword)) {
+                    if (MASK_PASSWORD.equals(maskPasssword)) {
                         String password = SecurityUtil.getPassword(configuration, LDAP_BIND_PASSWORD, HADOOP_SECURITY_CREDENTIAL_PROVIDER_PATH);
 
                         configuration.clearProperty(LDAP_BIND_PASSWORD);
@@ -351,7 +351,7 @@ private static void setLdapPasswordFromKeystore(Configuration configuration) {
                 } else if (ldapType.equalsIgnoreCase(AD)) {
                     String maskPasssword = configuration.getString(LDAP_AD_BIND_PASSWORD);
 
-                    if (MASK_LDAP_PASSWORD.equals(maskPasssword)) {
+                    if (MASK_PASSWORD.equals(maskPasssword)) {
                         String password = SecurityUtil.getPassword(configuration, LDAP_AD_BIND_PASSWORD, HADOOP_SECURITY_CREDENTIAL_PROVIDER_PATH);
 
                         configuration.clearProperty(LDAP_AD_BIND_PASSWORD);
@@ -364,6 +364,20 @@ private static void setLdapPasswordFromKeystore(Configuration configuration) {
         }
     }
 
+    public static String getDecryptedPassword(Configuration configuration, String propertyKey) {
+        String configuredValue = configuration != null ? configuration.getString(propertyKey) : null;
+
+        if (configuredValue != null && MASK_PASSWORD.equals(configuredValue)) {
+            try {
+                return SecurityUtil.getPassword(configuration, propertyKey, HADOOP_SECURITY_CREDENTIAL_PROVIDER_PATH);
+            } catch (Exception e) {
+                LOG.error("Error in getting secure password ", e);
+            }
+        }
+
+        return configuredValue;
+    }
+
     private void setDefaults() {
         AtlasRunMode runMode = AtlasRunMode.valueOf(getString(ATLAS_RUN_MODE, DEFAULT_ATLAS_RUN_MODE.name()));
 
