hadoop-common-issues mailing list archives

From "Larry McCay (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10607) Create an API to Separate Credentials/Password Storage from Applications
Date Wed, 14 May 2014 18:29:14 GMT

[ https://issues.apache.org/jira/browse/HADOOP-10607?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13997861#comment-13997861 ]

Larry McCay commented on HADOOP-10607:
--------------------------------------

Hi [~tucu00] - I considered this for some time and came to the following conclusions:

1. they serve similar but different purposes and consumers
2. there is no need for versioning for credentials
3. they need to be able to evolve separately
4. they should be able to converge on some shared code for the pluggable providers
5. not all KeyProviders can be used as credential providers
6. credential providers need not add the baggage of the metadata associated with keys
7. we do need to make sure that KeyProviders can be plugged in as CredentialProviders for
when they can serve both purposes

The biggest driver for reusing the KeyProvider API in my mind was #7 and we can address that
with an adapter for when a particular KeyProvider would fit well as a credential provider
as well.

What do you think?

> Create an API to Separate Credentials/Password Storage from Applications
> ------------------------------------------------------------------------
>
>                 Key: HADOOP-10607
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10607
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>             Fix For: 3.0.0
>
>         Attachments: 10607.patch
>
>
> As with the filesystem API, we need to provide a generic mechanism to support multiple credential storage mechanisms that are potentially from third parties.
> We need the ability to eliminate the storage of passwords and secrets in clear text within configuration files or within code.
> Toward that end, I propose an API that is configured using a list of URLs of CredentialProviders. The implementation will look for implementations using the ServiceLoader interface and thus support third party libraries.
> Two providers will be included in this patch. One using the credentials cache in MapReduce jobs and the other using Java KeyStores from either HDFS or local file system.
> A CredShell CLI will also be included in this patch which provides the ability to manage the credentials within the stores.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
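As an added example (not code from the attached patch or from Hadoop itself) of the separation argued in the comment above: a minimal CredentialProvider interface, a JCEKS-backed provider that keeps secrets out of configuration files, and the adapter from conclusion #7 that plugs a KeyProvider in as a credential provider. The interface and class names, the "AES" labelling of the stored secret bytes, and the sample aliases and passwords are assumptions of this example.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.spec.SecretKeySpec;
// Hypothetical minimal interfaces, not Hadoop's own: a CredentialProvider resolves an alias
// to a secret; a KeyProvider hands back raw key material (no versioning or key metadata here).
interface CredentialProvider { char[] getCredential(String alias) throws Exception; }
interface KeyProvider { byte[] getKeyMaterial(String name) throws Exception; }

// Conclusion #7 as an adapter: a KeyProvider whose material is usable as a secret is plugged in
// through the CredentialProvider interface without merging the two APIs.
class KeyProviderCredentialAdapter implements CredentialProvider {
    private final KeyProvider keys;
    KeyProviderCredentialAdapter(KeyProvider keys) { this.keys = keys; }
    public char[] getCredential(String alias) throws Exception {
        byte[] material = keys.getKeyMaterial(alias);
        return material == null ? null : new String(material, StandardCharsets.UTF_8).toCharArray();
    }
}

// JCEKS-backed provider: each secret is a SecretKeyEntry protected by the store password,
// so the secret never has to sit in clear text in a configuration file or in code.
class JavaKeyStoreCredentialProvider implements CredentialProvider {
    private final File file; private final char[] storePass;
    JavaKeyStoreCredentialProvider(File file, char[] storePass) { this.file = file; this.storePass = storePass; }
    void setCredential(String alias, char[] secret) throws Exception {
        KeyStore ks = load();
        byte[] bytes = new String(secret).getBytes(StandardCharsets.UTF_8);
        ks.setKeyEntry(alias, new SecretKeySpec(bytes, "AES"), storePass, null); // "AES" only labels the bytes
        try (OutputStream out = new FileOutputStream(file)) { ks.store(out, storePass); }
    }
    public char[] getCredential(String alias) throws Exception {
        Key key = load().getKey(alias, storePass);
        return key == null ? null : new String(key.getEncoded(), StandardCharsets.UTF_8).toCharArray();
    }
    private KeyStore load() throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        if (file.exists()) { try (InputStream in = new FileInputStream(file)) { ks.load(in, storePass); } }
        else { ks.load(null, storePass); }
        return ks;
    }
}

public class CredentialProviderDemo {
    public static void main(String[] args) throws Exception {
        File store = File.createTempFile("creds", ".jceks"); store.deleteOnExit(); // constructed sample store
        JavaKeyStoreCredentialProvider jks = new JavaKeyStoreCredentialProvider(store, "store-pass".toCharArray());
        jks.setCredential("db.password", "s3cr3t".toCharArray());
        System.out.println("db.password -> " + new String(jks.getCredential("db.password")));
        CredentialProvider viaKeys = new KeyProviderCredentialAdapter(n -> "hunter2".getBytes(StandardCharsets.UTF_8));
        System.out.println("svc.token via adapter -> " + new String(viaKeys.getCredential("svc.token")));
    }
}
```

The store password still has to come from somewhere at runtime (an environment variable, a file with restricted permissions, or a prompt), which is the residual secret the provider design reduces the problem to.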
