I had searched in the DSIP and found no similar DSIP.
Motivation
In DolphinScheduler, many places require the maintenance of various passwords, such as passwords in the data source center, and passwords for catalogs and databases within SQLs. Some companies have mandatory requirements for the encryption algorithms used in software, and there may even be a need to use internal encryption algorithms specific to the company. This DSIP can enhance the security of DolphinScheduler.
Design Detail
Common cryptographic algorithms include hash (digest) algorithms and symmetric encryption algorithms, among others. Hash algorithms are primarily used for verifying user login passwords, while symmetric encryption algorithms are used for encrypting and decrypting database passwords entered by users, as well as passwords in the DS configuration files. I will divide this DSIP into the following steps:
1. Introduce a cryptography plugin.
The Plugin includes an API module and implementation modules. The API module defines interfaces for various cryptographic algorithms, such as hash (digest) algorithms and asymmetric encryption algorithms.
2. Add an MD5 implementation for the digest algorithm interface.
3. Add an Sm3 implementation for the digest algorithm interface.
4. Add an Sm4 implementation for the symmetric encryption algorithm interface.
5. Add an AES implementation for the symmetric encryption algorithm interface.
6. Add bootstrap.yaml to allow users to configure the encryption algorithms they want to use.
7. Support the use of symmetric ciphertext in configuration files such as application.yaml, common.yaml, and environment variables, and use symmetric encryption algorithms to decrypt when retrieving these configurations.
8. The passwords in data source configurations should be modified to use ciphertext stored in the database, and decrypted upon query.
9. Passwords for tasks that require configuration should be encrypted and then saved in the database.
10. Remove the DML statements for initializing users, and during the startup of Dolphin Scheduler, check if there is an initial user. If there is no initial user, initialize the user using the hash algorithm configured by the user, and modify the hash algorithm used for login.
Compatibility, Deprecation, and Migration Plan
After a user modifies the login encryption algorithm, users will need to update the password ciphertext in the database.
Test Plan
Steps 2, 3, 4, and 5 require new unit tests to be added, and Steps 6, 7, 8, 9, and 10 need to ensure that existing unit test cases pass.
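A sketch of how steps 1, 5 and 7 of the proposal could fit together, added here as an illustration; it is not code from DolphinScheduler or from the proposal's author. The `SymmetricCipher` interface, the `AesGcmCipher` class, the `ENC(...)` marker for encrypted configuration values, the choice of GCM mode and the all-zero demo key are all assumptions of this example.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class CryptoPluginSketch {
    // Hypothetical plugin API (steps 1, 4, 5); not a DolphinScheduler interface.
    interface SymmetricCipher {
        String encrypt(String plaintext) throws Exception;
        String decrypt(String ciphertext) throws Exception;
    }
    // AES implementation. GCM mode is this example's choice; the proposal only says "AES".
    static final class AesGcmCipher implements SymmetricCipher {
        private final SecretKeySpec key;
        private final SecureRandom random = new SecureRandom();
        AesGcmCipher(byte[] rawKey) { this.key = new SecretKeySpec(rawKey, "AES"); }
        public String encrypt(String plaintext) throws Exception {
            byte[] iv = new byte[12];
            random.nextBytes(iv); // fresh nonce for every stored value
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
            byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
            byte[] out = Arrays.copyOf(iv, iv.length + ct.length); // layout: nonce || ciphertext+tag
            System.arraycopy(ct, 0, out, iv.length, ct.length);
            return Base64.getEncoder().encodeToString(out);
        }
        public String decrypt(String ciphertext) throws Exception {
            byte[] in = Base64.getDecoder().decode(ciphertext);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12));
            return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8); // throws if tampered
        }
    }
    // Step 7: decrypt only values carrying the assumed ENC(...) marker; others pass through.
    static String resolve(String value, SymmetricCipher cipher) throws Exception {
        boolean enc = value.startsWith("ENC(") && value.endsWith(")");
        return enc ? cipher.decrypt(value.substring(4, value.length() - 1)) : value;
    }
    public static void main(String[] args) throws Exception {
        byte[] demoKey = new byte[32]; // constructed all-zero key for the demo only
        SymmetricCipher cipher = new AesGcmCipher(demoKey);
        String stored = "ENC(" + cipher.encrypt("constructed-db-password") + ")";
        System.out.println(stored + " -> " + resolve(stored, cipher));
        System.out.println(resolve("plain-value", cipher));
    }
}
```

Because the nonce is random, the stored ciphertext differs on every run while the decrypted value stays the same; a modified ciphertext fails the GCM tag check and `decrypt` throws instead of returning altered plaintext.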
Some companies have mandatory requirements for the encryption algorithms used in software, and there may even be a
need to use internal encryption algorithms specific to the company.
This sounds like an in-house customization requirement, not an open source project. So I'm -1 on this.