hadoop-common-issues mailing list archives

From "Hadoop QA (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-9534) Credential Management Framework (CMF)
Date Tue, 30 Jul 2013 20:45:52 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-9534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13724389#comment-13724389

Hadoop QA commented on HADOOP-9534:

-1 overall.  Here are the results of testing the latest attachment against trunk revision .

    +1 @author.  The patch does not contain any @author tags.

    +1 tests included.  The patch appears to include 2 new or modified test files.

    -1 javac.  The applied patch generated 1193 javac compiler warnings (more than the trunk's current 1152 warnings).

    -1 javadoc.  The javadoc tool appears to have generated 11 warning messages.

    +1 eclipse:eclipse.  The patch built with eclipse:eclipse.

    +1 findbugs.  The patch does not introduce any new Findbugs (version 1.3.9) warnings.

    +1 release audit.  The applied patch does not increase the total number of release audit warnings.

    +1 core tests.  The patch passed unit tests in hadoop-common-project/hadoop-cmf.

    +1 contrib tests.  The patch passed contrib unit tests.

Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/2886//testReport/
Javac warnings: https://builds.apache.org/job/PreCommit-HADOOP-Build/2886//artifact/trunk/patchprocess/diffJavacWarnings.txt
Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/2886//console

This message is automatically generated.
> Credential Management Framework (CMF)
> -------------------------------------
>                 Key: HADOOP-9534
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9534
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Larry McCay
>              Labels: patch
>         Attachments: 0001-HADOOP-9534-Credential-Management-Framework-initial-.patch, 0002-HADOOP-9534-Credential-Management-Framework-second-iteration-.patch, HADOOP-9534.patch,
>   Original Estimate: 504h
>  Remaining Estimate: 504h
> The credential management framework consists of a library for securing, acquiring and rolling credentials for a given Hadoop service.
> Specifically the library will provide:
> 1. Password Indirection or Aliasing
> 2. Management of identity and trust keystores
> 3. Rolling of key pairs and credentials
> 4. Discovery of externally provisioned credentials
> 5. Service specific CMF secret protection
> 6. Syntax for Aliases within configuration files
> Password Indirection or Aliasing:
> By providing alias based access to actual secrets stored within a service specific JCEKS keystore, we are able to eliminate the need for any secret to be stored in clear text on the filesystem. This is a current red flag during security reviews for many customers.
> Management of Identity and Trust Keystores:
> Service specific identity and trust keystores will be managed by a combination of the HSSO service and CMF.
> Upon registration with the HSSO service a dependent service will be able to discover externally provisioned keystores or have them created by the HSSO service on its behalf. The public key of the HSSO service will be provided to the service to be imported into its service specific trust store.
> Service specific keystores and credential stores will be protected with the service specific CMF secret.
> Rolling of Keypairs and Credentials:
> The ability to automate the rolling of PKI keypairs and credentials provides the services a common facility for discovering new HSSO public keys and the need and means to roll their own credentials while being able to retain a number of previous values (as needed).
> Discovery of Externally Provisioned Credentials:
> For environments that want control over the certificate generation and provisioning, CMF provides the ability to discover preprovisioned artifacts based on naming conventions of the artifacts and the use of the service specific CMF secret to access the credentials within the keystores.
> Service Specific CMF Secret Protection:
> By providing a common facility to prompt for and optionally persist a service specific CMF secret at service installation/startup, we enable the ability to protect all the service specific security artifacts with this protected secret. It is protected with a combination of AES 128 bit encryption and file permissions set for only the service specific OS user.
> Syntax for Aliases within configuration files:
> In order to facilitate the use of aliases but also preserve backward compatibility of config files, we will introduce a syntax for marking a value in a configuration file as an alias. A getSecret(String value) type utility method will encapsulate the recognition and parsing of an alias and the retrieval from CMF or return the provided value as the password.
> For instance, if a properties file were to require a password to be provided instead
> passwd=supersecret
> we would provide an alias as such:
> passwd=${ALIAS=supersecret}
> At runtime, the value from the properties file is provided to the CMF.getSecret(value) method and it either resolves the alias (where it finds the alias syntax) or returns the value (when there is no alias syntax).

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
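The alias syntax and the getSecret(value) resolution described in the quoted issue, shown here as an added example that is not Hadoop's code, not the CMF patch attached to HADOOP-9534, and not the issue author's. It assumes a class of its own (AliasResolver), a service-specific JCEKS credential store at a caller-chosen path, the service CMF secret passed in as a char[], and a constructed alias name (db.passwd) that is a label for the secret rather than the secret itself. Password bytes are wrapped in a SecretKeySpec so they can live in a JCEKS secret-key entry; the POSIX permission step stands in for the "file permissions set for only the service specific OS user" layer. Prompting for and persisting the CMF secret itself is outside the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical resolver for the ${ALIAS=name} syntax; not Hadoop's or the CMF patch's code. */
public class AliasResolver {
    // Matches exactly one aliased value, e.g. ${ALIAS=db.passwd}; the alias name is group 1.
    private static final Pattern ALIAS = Pattern.compile("^\\$\\{ALIAS=([^}]+)\\}$");

    private final Path storePath;   // assumed location of the service-specific JCEKS store
    private final char[] cmfSecret; // service-specific CMF secret that protects the store

    public AliasResolver(Path storePath, char[] cmfSecret) {
        this.storePath = storePath;
        this.cmfSecret = cmfSecret;
    }

    /** Returns the alias name when value uses the alias syntax, otherwise null. */
    static String parseAlias(String value) {
        if (value == null) return null;
        Matcher m = ALIAS.matcher(value.trim());
        return m.matches() ? m.group(1) : null;
    }

    /** Counterpart of the proposed getSecret(String): resolve an alias, or pass a literal through. */
    public char[] getSecret(String value) throws IOException, GeneralSecurityException {
        String alias = parseAlias(value);
        if (alias == null) {
            // No alias syntax: backward-compatible behaviour, the literal value is the password.
            return value == null ? null : value.toCharArray();
        }
        KeyStore ks = loadStore();
        KeyStore.Entry entry = ks.getEntry(alias, new KeyStore.PasswordProtection(cmfSecret));
        if (!(entry instanceof KeyStore.SecretKeyEntry)) {
            // Unknown alias: fail closed rather than falling back to the alias text as a password.
            throw new GeneralSecurityException("no credential stored for alias '" + alias + "'");
        }
        byte[] raw = ((KeyStore.SecretKeyEntry) entry).getSecretKey().getEncoded();
        return new String(raw, StandardCharsets.UTF_8).toCharArray();
    }

    /** Stores a credential under an alias, creating the JCEKS store on first use. */
    public void putSecret(String alias, char[] secret) throws IOException, GeneralSecurityException {
        KeyStore ks = Files.exists(storePath) ? loadStore() : newStore();
        byte[] raw = new String(secret).getBytes(StandardCharsets.UTF_8);
        // The "AES" algorithm name is only a label; JCEKS seals the bytes as an opaque secret entry.
        KeyStore.SecretKeyEntry entry = new KeyStore.SecretKeyEntry(new SecretKeySpec(raw, "AES"));
        ks.setEntry(alias, entry, new KeyStore.PasswordProtection(cmfSecret));
        try (OutputStream out = Files.newOutputStream(storePath)) {
            ks.store(out, cmfSecret);
        }
        // Second layer from the issue text: only the service OS user may read the store file.
        try {
            Files.setPosixFilePermissions(storePath, PosixFilePermissions.fromString("rw-------"));
        } catch (UnsupportedOperationException e) {
            // Non-POSIX filesystem: the keystore password is the only protection left.
        }
    }

    private KeyStore newStore() throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, cmfSecret); // initialise an empty keystore
        return ks;
    }

    private KeyStore loadStore() throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (InputStream in = Files.newInputStream(storePath)) {
            ks.load(in, cmfSecret); // a wrong CMF secret surfaces as an IOException here
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        Path store = Files.createTempFile("service-creds", ".jceks");
        Files.delete(store); // start without a store so putSecret creates it
        AliasResolver cmf = new AliasResolver(store, "cmf-secret-from-prompt".toCharArray());
        cmf.putSecret("db.passwd", "supersecret".toCharArray());

        // The properties file now carries only the alias, never the clear-text password.
        String configured = "${ALIAS=db.passwd}";
        System.out.println(new String(cmf.getSecret(configured)));
        // A legacy value without alias syntax is returned unchanged.
        System.out.println(new String(cmf.getSecret("plain-old-password")));
        Files.delete(store);
    }
}
```

Two points worth checking in any real deployment of this pattern: the whole scheme is only as strong as the CMF secret and the handling of it at startup, and JCEKS seals entries with the legacy PBEWithMD5AndTripleDES scheme, so the OS-permission layer the issue describes is a necessary second control rather than an optional extra. Rejecting an unknown alias instead of echoing the alias text back as the password avoids a quiet misconfiguration where a service authenticates with the literal string "${ALIAS=...}".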
