accumulo-commits mailing list archives

From els...@apache.org
Subject [1/3] git commit: ACCUMULO-2464 Documentation for how to configure CredentialProviders for sensitive configuration redirection.
Date Fri, 01 Aug 2014 21:16:41 GMT
Repository: accumulo
Updated Branches:
  refs/heads/1.6.1-SNAPSHOT fb450ffb2 -> 6d77c2d48
  refs/heads/master db72ba358 -> a66d074db


ACCUMULO-2464 Documentation for how to configure CredentialProviders for sensitive configuration
redirection.


Project: http://git-wip-us.apache.org/repos/asf/accumulo/repo
Commit: http://git-wip-us.apache.org/repos/asf/accumulo/commit/6d77c2d4
Tree: http://git-wip-us.apache.org/repos/asf/accumulo/tree/6d77c2d4
Diff: http://git-wip-us.apache.org/repos/asf/accumulo/diff/6d77c2d4

Branch: refs/heads/1.6.1-SNAPSHOT
Commit: 6d77c2d48b39768a0d8744365dbd651ea716f28d
Parents: fb450ff
Author: Josh Elser <elserj@apache.org>
Authored: Fri Aug 1 17:05:20 2014 -0400
Committer: Josh Elser <elserj@apache.org>
Committed: Fri Aug 1 17:05:20 2014 -0400

----------------------------------------------------------------------
 .../chapters/administration.tex                 | 48 ++++++++++++++++++++
 1 file changed, 48 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/accumulo/blob/6d77c2d4/docs/src/main/latex/accumulo_user_manual/chapters/administration.tex
----------------------------------------------------------------------
diff --git a/docs/src/main/latex/accumulo_user_manual/chapters/administration.tex b/docs/src/main/latex/accumulo_user_manual/chapters/administration.tex
index d2a2fcc..78becca 100644
--- a/docs/src/main/latex/accumulo_user_manual/chapters/administration.tex
+++ b/docs/src/main/latex/accumulo_user_manual/chapters/administration.tex
@@ -202,6 +202,8 @@ settings between processes and helps finalize TabletServer failure.
 
 The instance needs a secret to enable secure communication between servers. Configure your
 secret and make sure that the \texttt{accumulo-site.xml} file is not readable to other users.
+For alternatives to storing the \texttt{instance.secret} in plaintext, please read the
+\texttt{Sensitive Configuration Values} section.
 
 Some settings can be modified via the Accumulo shell and take effect immediately, but
 some settings require a process restart to take effect. See the configuration documentation
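Review bot: the added cross-reference names the target section as a literal string in \texttt{Sensitive Configuration Values} instead of using a \label/\ref pair, so it will not render as a link in the PDF and will silently go stale if that subsection is retitled; suggest adding \label{sec:sensitive-config} to the new subsection and writing "see Section~\ref{sec:sensitive-config}" here. Keep the preceding sentence about accumulo-site.xml not being readable to other users; the alternative storage does not remove that requirement, it only moves the secret to another file.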
@@ -213,6 +215,52 @@ Copy the masters, slaves, accumulo-env.sh, and if necessary, accumulo-site.xml
 from the\\\texttt{\$ACCUMULO\_HOME/conf/} directory on the master to all the machines
 specified in the slaves file.
 
+\subsection{Sensitive Configuration Values}
+
+Accumulo has a number of properties that can be specified via the accumulo-site.xml
+file which are sensitive in nature, instance.secret and trace.token.property.password
+are two common examples. Both of these properties, if compromised, have the ability
+to result in data being leaked to users who should not have access to that data.
+
+In Hadoop-2.6.0, a new CredentialProvider class was introduced which serves as a common
+implementation to abstract away the storage and retrieval of passwords from plaintext
+storage in configuration files. Any Property marked with the \texttt{Sensitive} annotation
+is a candidate for use with these CredentialProviders. For version of Hadoop which lack
+these classes, the feature will just be unavailable for use.
+
+A comma separated list of CredentialProviders can be configured using the Accumulo Property
+\texttt{general.security.credential.provider.paths}. Each configured URL will be consulted
+when the Configuration object for accumulo-site.xml is accessed.
+
+\subsection{Using a JavaKeyStoreCredentialProvider for storage}
+
+One of the implementations provided in Hadoop-2.6.0 is a Java KeyStore CredentialProvider.
+Each entry in the KeyStore is the Accumulo Property key name. For example, to store the
+\texttt{instance.secret}, the following command can be used:
+
+\begingroup\fontsize{8pt}{8pt}\selectfont\begin{verbatim}
+hadoop credential create instance.secret --provider jceks://file/etc/accumulo/conf/accumulo.jceks
+\end{verbatim}\endgroup
+
+The command will then prompt you to enter the secret to use and create a keystore in: 
+
+\begingroup\fontsize{8pt}{8pt}\selectfont\begin{verbatim}
+/etc/accumulo/conf/accumulo.jceks
+\end{verbatim}\endgroup
+
+Then, accumulo-site.xml must be configured to use this KeyStore as a CredentialProvider:
+
+\begingroup\fontsize{8pt}{8pt}\selectfont\begin{verbatim}
+<property>
+    <name>general.security.credential.provider.paths</name>
+    <value>jceks://file/etc/accumulo/conf/accumulo.jceks</value>
+</property>
+\end{verbatim}\endgroup
+
+This configuration will then transparently extract the \texttt{instance.secret} from
+the configured KeyStore and alleviates a human readable storage of the sensitive
+property.
+
 \section{Initialization}
 
 Accumulo must be initialized to create the structures it uses internally to locate
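Review bot: the closing paragraph says the configuration "alleviates a human readable storage of the sensitive property", but the secret now lives in /etc/accumulo/conf/accumulo.jceks and nothing in the new section says that file must be protected; the same instruction given for accumulo-site.xml (not readable to other users) should be stated for the keystore and for every path listed in general.security.credential.provider.paths, otherwise a reader may conclude the keystore needs no access control. Smaller points in the same hunk: "For version of Hadoop which lack these classes" should read "For versions of Hadoop that lack these classes"; the first paragraph is a comma splice ("sensitive in nature, instance.secret and trace.token.property.password are two common examples") and should be split into two sentences; instance.secret, trace.token.property.password and accumulo-site.xml in that paragraph lack the \texttt{} used for the same names elsewhere in the hunk; and "Using a JavaKeyStoreCredentialProvider for storage" is a sub-topic of "Sensitive Configuration Values", so it should be a \subsubsection rather than a sibling \subsection.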

