hadoop-common-issues mailing list archives

From "Alejandro Abdelnur (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10607) Create an API to Separate Credentials/Password Storage from Applications
Date Mon, 21 Jul 2014 22:16:39 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10607?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14069417#comment-14069417 ]

Alejandro Abdelnur commented on HADOOP-10607:

[~lmccay], in [HADOOP-10791|https://issues.apache.org/jira/browse/HADOOP-10791?focusedCommentId=14053983&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14053983] you commented:

bq. So, how does the signature get validated if it is a randomized secret? It has to be stored
somewhere, no? If the random impl eliminates storing clear text secrets for this then we may
not need the credential api impl after all.

Just to be clear, I'm not opposed to the UserCredentials API. I'm opposed to making it part
of a release and of a public Hadoop API if there is no use in Hadoop itself. If this ends
up being the case, their home may be a project that uses it.

Larry, maybe it would help if you explain the current use case for this API and why it is convenient
to have it in Hadoop while not being used in Hadoop. In case there is such a use case?

> Create an API to Separate Credentials/Password Storage from Applications
> ------------------------------------------------------------------------
>                 Key: HADOOP-10607
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10607
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>             Fix For: 3.0.0, 2.6.0
>         Attachments: 10607-10.patch, 10607-11.patch, 10607-12.patch, 10607-2.patch, 10607-3.patch, 10607-4.patch, 10607-5.patch, 10607-6.patch, 10607-7.patch, 10607-8.patch, 10607-9.patch, 10607-branch-2.patch, 10607.patch
>
> As with the filesystem API, we need to provide a generic mechanism to support multiple credential storage mechanisms that are potentially from third parties.
> We need the ability to eliminate the storage of passwords and secrets in clear text within configuration files or within code.
> Toward that end, I propose an API that is configured using a list of URLs of CredentialProviders. The implementation will look for implementations using the ServiceLoader interface and thus support third party libraries.
> Two providers will be included in this patch. One using the credentials cache in MapReduce jobs and the other using Java KeyStores from either HDFS or local file system.
> A CredShell CLI will also be included in this patch which provides the ability to manage the credentials within the stores.
