hadoop-common-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Larry McCay (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HADOOP-10607) Create an API to separate Credentials/Password Storage from Applications
Date Wed, 14 May 2014 02:10:15 GMT
Larry McCay created HADOOP-10607:
------------------------------------

             Summary: Create an API to separate Credentials/Password Storage from Applications
                 Key: HADOOP-10607
                 URL: https://issues.apache.org/jira/browse/HADOOP-10607
             Project: Hadoop Common
          Issue Type: Bug
          Components: security
            Reporter: Larry McCay
            Assignee: Owen O'Malley
             Fix For: 3.0.0


As with the filesystem API, we need to provide a generic mechanism to support multiple key
storage mechanisms that are potentially from third parties. 

An additional requirement for long term data lakes is to keep multiple versions of each key
so that keys can be rolled periodically without requiring the entire data set to be re-written.
Rolling keys provides containment in the event of keys being leaked.

Toward that end, I propose an API that is configured using a list of URLs of KeyProviders.
The implementation will look for implementations using the ServiceLoader interface and thus
support third party libraries.

Two providers will be included in this patch. One using the credentials cache in MapReduce
jobs and the other using Java KeyStores from either HDFS or local file system. 





--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message