Return-Path: X-Original-To: apmail-hadoop-common-issues-archive@minotaur.apache.org Delivered-To: apmail-hadoop-common-issues-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 5536E19779 for ; Fri, 25 Mar 2016 19:29:26 +0000 (UTC) Received: (qmail 86151 invoked by uid 500); 25 Mar 2016 19:29:26 -0000 Delivered-To: apmail-hadoop-common-issues-archive@hadoop.apache.org Received: (qmail 86103 invoked by uid 500); 25 Mar 2016 19:29:26 -0000 Mailing-List: contact common-issues-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: common-issues@hadoop.apache.org Delivered-To: mailing list common-issues@hadoop.apache.org Received: (qmail 86052 invoked by uid 99); 25 Mar 2016 19:29:26 -0000 Received: from arcas.apache.org (HELO arcas) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 25 Mar 2016 19:29:25 +0000 Received: from arcas.apache.org (localhost [127.0.0.1]) by arcas (Postfix) with ESMTP id 906532C1F6A for ; Fri, 25 Mar 2016 19:29:25 +0000 (UTC) Date: Fri, 25 Mar 2016 19:29:25 +0000 (UTC) From: "Mike Yoder (JIRA)" To: common-issues@hadoop.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (HADOOP-12942) hadoop credential commands non-obviously use password of "none" MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/HADOOP-12942?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15212291#comment-15212291 ] Mike Yoder commented on HADOOP-12942: ------------------------------------- At last, a patch. I fixed both the KeyShell and CredentialShell, since they have the same problem. I also noticed that the CredentialShell threw an NPE with the "-help" commands, so I fixed that while I was in there. The new code will prompt for the password for the provider if one is needed, and it will also accept "-password xxx" on the command line. Note that there is a backwards compatibility issue here: the user has to give a password where none was required before. I don't see a way around this, however, since not having a real password was the root cause of this bug. I did set it up so that if the user just hits 'enter' (no password) when prompted, the default "none" is used instead, which is the prior behavior. > hadoop credential commands non-obviously use password of "none" > --------------------------------------------------------------- > > Key: HADOOP-12942 > URL: https://issues.apache.org/jira/browse/HADOOP-12942 > Project: Hadoop Common > Issue Type: Bug > Components: security > Reporter: Mike Yoder > Assignee: Mike Yoder > Attachments: HADOOP-12942.001.patch > > > The "hadoop credential create" command, when using a jceks provider, defaults to using the value of "none" for the password that protects the jceks file. This is not obvious in the command or in documentation - to users or to other hadoop developers - and leads to jceks files that essentially are not protected. > In this example, I'm adding a credential entry with name of "foo" and a value specified by the password entered: > {noformat} > # hadoop credential create foo -provider localjceks://file/bar.jceks > Enter password: > Enter password again: > foo has been successfully created. > org.apache.hadoop.security.alias.LocalJavaKeyStoreProvider has been updated. > {noformat} > However, the password that protects the file bar.jceks is "none", and there is no obvious way to change that. The practical way of supplying the password at this time is something akin to > {noformat} > HADOOP_CREDSTORE_PASSWORD=credpass hadoop credential create --provider ... > {noformat} > That is, stuffing HADOOP_CREDSTORE_PASSWORD into the environment of the command. > This is more than a documentation issue. I believe that the password ought to be _required_. We have three implementations at this point, the two JavaKeystore ones and the UserCredential. The latter is "transient" which does not make sense to use in this context. The former need some sort of password, and it's relatively easy to envision that any non-transient implementation would need a mechanism by which to protect the store that it's creating. > The implementation gets interesting because the password in the AbstractJavaKeyStoreProvider is determined in the constructor, and changing it after the fact would get messy. So this probably means that the CredentialProviderFactory should have another factory method like the first that additionally takes the password, and an additional constructor exist in all the implementations that takes the password. > Then we just ask for the password in getCredentialProvider() and that gets passed down to via the factory to the implementation. The code does have logic in the factory to try multiple providers, but I don't really see how multiple providers would be rationaly be used in the command shell context. > This issue was brought to light when a user stored credentials for a Sqoop action in Oozie; upon trying to figure out where the password was coming from we discovered it to be the default value of "none". -- This message was sent by Atlassian JIRA (v6.3.4#6332)