hadoop-common-issues mailing list archives

From "Wei-Chiu Chuang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-13441) Document LdapGroupsMapping keystore password properties
Date Wed, 03 Aug 2016 08:25:20 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-13441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15405559#comment-15405559 ]

Wei-Chiu Chuang commented on HADOOP-13441:
------------------------------------------

Hi [~yuanbo], first of all, thanks for contributing the patch. Let's work together to document
these properties better!

* {{hadoop.security.group.mapping.ldap.ssl.keystore.password.file}}, I think it would be more
accurate to state that the path must point to a local file.

* {{hadoop.security.group.mapping.ldap.ssl.keystore.password}}
The code actually works like this: if credential providers are configured, this property is
used as an alias to get the password from credential providers. If the alias can not be found
and if {{hadoop.security.credential.clear-text-fallback}} is true, LDAPGroupsMapping uses
the value of this property for password. If the value is not configured, LDAPGroupsMapping
reads password from the file in {{hadoop.security.group.mapping.ldap.ssl.keystore.password.file}}.

* {{hadoop.security.credential.clear-text-fallback}}
I think it may be more precise to state that when using an alias to find a credential entry,
if it is not found, whether or not to fall back and to use the alias as the configuration property
key and return its value.

* {{hadoop.security.group.mapping.ldap.bind.password}}
I missed this property in the beginning, but the story here is similar to
{{hadoop.security.group.mapping.ldap.ssl.keystore.password}}, except this one is for
the authentication password with the LDAP server.
If credential providers are configured, this property is used as an alias to get the password
from credential providers. If the alias can not be found and if {{hadoop.security.credential.clear-text-fallback}}
is true, LDAPGroupsMapping uses the value of this property for password. If the value is not
configured, LDAPGroupsMapping reads password from the file in {{hadoop.security.group.mapping.ldap.bind.password.file}}.

> Document LdapGroupsMapping keystore password properties
> -------------------------------------------------------
>
>                 Key: HADOOP-13441
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13441
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.6.0
>            Reporter: Wei-Chiu Chuang
>            Assignee: Yuanbo Liu
>            Priority: Minor
>              Labels: documentation
>         Attachments: HADOOP-13441.001.patch, HADOOP-13441.002.patch
>
>
> A few properties are not documented.
> {{hadoop.security.group.mapping.ldap.ssl.keystore.password}}
> This property is used as an alias to get password from credential providers, or, fall
> back to using the value as password in clear text. There is also a caveat that credential
> providers can not be an HDFS-based file system, as mentioned in HADOOP-11934, to prevent cyclic
> dependency issue.
> This should be documented in core-default.xml and GroupsMapping.md
> {{hadoop.security.credential.clear-text-fallback}}
> This property controls whether or not to fall back to storing credential password as
> cleartext.
> This should be documented in core-default.xml.
> {{hadoop.security.credential.provider.path}}
> This is mentioned in _CredentialProvider API Guide_, but not in core-default.xml
> The "Supported Features" in _CredentialProvider API Guide_ should link back to GroupsMapping.md#LDAP
> Groups Mapping
> {{hadoop.security.credstore.java-keystore-provider.password-file}}
> This is the password file to protect credential files.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org
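
The lookup order described in the comment above, as an added Python model (not Hadoop's code and not part of the original message). It reports which source would supply the password, so a cleartext fallback is visible. The dict-based config and credential stores, the function names and the sample values are constructed; the "true" default for the fallback flag and the stripping of the file contents are assumptions of the model.

```python
import os
import tempfile

FALLBACK_KEY = "hadoop.security.credential.clear-text-fallback"
KEYSTORE_PW = "hadoop.security.group.mapping.ldap.ssl.keystore.password"
BIND_PW = "hadoop.security.group.mapping.ldap.bind.password"


def resolve_password(conf, providers, key):
    """Return (password, source) for `key`, following the order in the comment.

    conf      -- dict of property name -> value (stand-in for core-site.xml)
    providers -- list of dicts, each a stand-in credential store (alias -> secret)
    """
    # 1. The property name is the alias looked up in each credential provider.
    for store in providers:
        if key in store:
            return store[key], "credential-provider"
    # 2. Alias not found: use the property's own value only if fallback is on.
    #    The default of "true" is an assumption of this model.
    if conf.get(FALLBACK_KEY, "true").lower() == "true" and conf.get(key):
        return conf[key], "clear-text-config"
    # 3. No usable value: read the local file named by "<key>.file".
    path = conf.get(key + ".file", "")
    if path and os.path.isfile(path):
        with open(path, encoding="utf-8") as fh:
            return fh.read().strip(), "password-file"  # strip() is this model's choice
    return "", "none"


def demo():
    """Run four constructed cases and return (password, source) for each."""
    with tempfile.NamedTemporaryFile("w", suffix=".pw", delete=False) as fh:
        fh.write("from-file\n")
    try:
        conf = {KEYSTORE_PW: "cleartext-pw", KEYSTORE_PW + ".file": fh.name}
        store = [{KEYSTORE_PW: "from-store"}]
        return [
            resolve_password(conf, store, KEYSTORE_PW),   # alias found in store
            resolve_password(conf, [], KEYSTORE_PW),      # falls back to cleartext
            resolve_password({**conf, FALLBACK_KEY: "false"}, [], KEYSTORE_PW),
            resolve_password({BIND_PW + ".file": fh.name}, [], BIND_PW),
        ]
    finally:
        os.unlink(fh.name)


if __name__ == "__main__":
    for _, source in demo():
        print(source)
```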

