hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alejandro Abdelnur (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10607) Create an API to Separate Credentials/Password Storage from Applications
Date Tue, 22 Jul 2014 17:50:40 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10607?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14070577#comment-14070577
] 

Alejandro Abdelnur commented on HADOOP-10607:
---------------------------------------------

Owen, 

Apologies, I didn’t mean to puzzle you with my puzzling (smile).

hadoop-auth started outside of Hadoop as Alfredo. The initial use cases where for Hadoop itself
and Oozie and because of that we brought it in.

I see the value in the CredentialProvider, I just don’t see a concrete use in Hadoop at
the moment other than we could use it for this or that, but we are not using for anything.

Until we have a concrete usecase, I think we should keep it in trunk.

Larry,

In its current form, the CredentialProvider implementations are not really useful as it is
not a service and it cannot be used by an app running in the cluster, right? Or am I missing
something?

That was the case with the KeyProvider and that is why I took on the KMS work and now we are
using it for HDFS encryption.


> Create an API to Separate Credentials/Password Storage from Applications
> ------------------------------------------------------------------------
>
>                 Key: HADOOP-10607
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10607
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>             Fix For: 3.0.0, 2.6.0
>
>         Attachments: 10607-10.patch, 10607-11.patch, 10607-12.patch, 10607-2.patch, 10607-3.patch,
10607-4.patch, 10607-5.patch, 10607-6.patch, 10607-7.patch, 10607-8.patch, 10607-9.patch,
10607-branch-2.patch, 10607.patch
>
>
> As with the filesystem API, we need to provide a generic mechanism to support multiple
credential storage mechanisms that are potentially from third parties. 
> We need the ability to eliminate the storage of passwords and secrets in clear text within
configuration files or within code.
> Toward that end, I propose an API that is configured using a list of URLs of CredentialProviders.
The implementation will look for implementations using the ServiceLoader interface and thus
support third party libraries.
> Two providers will be included in this patch. One using the credentials cache in MapReduce
jobs and the other using Java KeyStores from either HDFS or local file system. 
> A CredShell CLI will also be included in this patch which provides the ability to manage
the credentials within the stores.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message