accumulo-notifications mailing list archives

From "Christopher Tubbs (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ACCUMULO-3045) Support AuthenticationToken backed by CredentialProvider
Date Tue, 05 Aug 2014 21:11:12 GMT

    [ https://issues.apache.org/jira/browse/ACCUMULO-3045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14086768#comment-14086768 ]

Christopher Tubbs commented on ACCUMULO-3045:
---------------------------------------------

Yes, thanks, that helps. However, it does limit what kinds of CredentialProviders one can
use. For instance, one can use one that provides them from a distributed service, a file in
HDFS, etc., but one couldn't use one that provides it from the process' environment variables
or from one's local home directory. The reason for this is because the CredentialProviderToken
will get deserialized on the server side (tserver, master) and then resolve the credentials
there, instead of resolving to a PasswordToken and serializing as a static item on the client
side of the RPC.

That is, of course, completely fine, but it leaves a gap for some tool like what I suggested,
and this restriction and behavior should be documented in the release notes, javadocs, etc.

> Support AuthenticationToken backed by CredentialProvider
> --------------------------------------------------------
>
>                 Key: ACCUMULO-3045
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-3045
>             Project: Accumulo
>          Issue Type: Improvement
>          Components: client
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>             Fix For: 1.6.1, 1.7.0
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Along the same lines as ACCUMULO-2464, the MapReduce AuthenticationToken serialization
> also has the potential to be stored in a non-secure form. Some of this is mitigated via
> Base64-encoding the password to remove human-readable-ness, the ability to serialize an
> AuthenticationToken to a file, etc.
> Wiring up a CredentialProvider as an AuthenticationToken is another option provided to
> us by Hadoop, likely to handle tricky security-related concerns for us.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
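
The client-side alternative mentioned in the comment above (resolve to a PasswordToken before the RPC, so a provider only the client can read still works), as an added example that is not part of the original message or of Accumulo's code. The class name, alias, and throwaway keystore are constructed for illustration; it assumes Hadoop 2.6 or later and the Accumulo client on the classpath.

```java
import java.io.IOException;
import java.nio.CharBuffer;
import java.nio.file.Files;
import java.util.Arrays;
import org.apache.accumulo.core.client.security.tokens.PasswordToken;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.alias.CredentialProvider;
import org.apache.hadoop.security.alias.CredentialProviderFactory;

public class ClientSideTokenResolution {
  static final String ALIAS = "accumulo.password"; // assumed alias name

  static Configuration confFor(String providerPath) {
    Configuration conf = new Configuration();
    conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, providerPath);
    return conf;
  }

  /** Resolve the alias in this JVM; only the resulting PasswordToken is ever serialized. */
  static PasswordToken resolveOnClient(String providerPath, String alias) throws IOException {
    for (CredentialProvider provider : CredentialProviderFactory.getProviders(confFor(providerPath))) {
      CredentialProvider.CredentialEntry entry = provider.getCredentialEntry(alias);
      if (entry == null) continue; // this provider does not hold the alias, try the next
      char[] secret = entry.getCredential();
      try {
        return new PasswordToken(CharBuffer.wrap(secret)); // PasswordToken keeps its own copy
      } finally {
        Arrays.fill(secret, '\0'); // wipe the temporary char[] once the token is built
      }
    }
    throw new IOException("alias '" + alias + "' not found in " + providerPath);
  }

  public static void main(String[] args) throws IOException {
    // Constructed input: a throwaway keystore on the client's local disk,
    // a location a tserver or master could not read.
    String path = Files.createTempDirectory("cred-demo").resolve("demo.jceks").toUri().getPath();
    String providerPath = "jceks://file" + path;
    CredentialProvider local = CredentialProviderFactory.getProviders(confFor(providerPath)).get(0);
    local.createCredentialEntry(ALIAS, "constructed-demo-secret".toCharArray());
    local.flush();

    PasswordToken token = resolveOnClient(providerPath, ALIAS);
    System.out.println("resolved " + token.getPassword().length + " password bytes on the client");
  }
}
```

The trade-off is the one the thread is about: a token resolved this way carries the password itself, so wherever that token is serialized it needs the same protection the password would.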
