hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Yan (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-14063) Hadoop CredentialProvider fails to load list of keystore files
Date Mon, 17 Apr 2017 17:37:41 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-14063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15971383#comment-15971383
] 

Yan commented on HADOOP-14063:
------------------------------

The patch breaks the semantics of the keystoreExists() method, including the exception thrown.
Potentially it could break existing callers of the method.

A proper fix, IMHO, could be to 1) carefully differentiate specific permission issues that
need to be addressed for the capability of traversing  multiple keystore files, probably with
addition of some, probably configurable, limitation of the length of the allowed permission
denials to prevent potential hacking attempts; 2) check whether the keyStoreExists() call
could provide such differentiations; 3) if not,  enhance AbstractJavaKeyStoreProvider, probably
plus its subclasses, with a method that can provide this differentiation; 4) enhance the caller
of the KeyStoreProvider dealing with the multiple keystore files to improve the logic so as
to be able to proceed to the next keystore after detecting some exceptions; and/or provide
a new method/subclass in/to the KeyStoreProvider class, to properly handle the multiple keystore
files.

In summary, we should try to fix the problem at the caller side as much as possible, and not
change the semantics of existing methods which would have much wider impact.


> Hadoop CredentialProvider fails to load list of keystore files
> --------------------------------------------------------------
>
>                 Key: HADOOP-14063
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14063
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: ramtin
>            Assignee: ramtin
>         Attachments: HADOOP-14063-001.patch, HADOOP-14063-002.patch
>
>
> The {{hadoop.security.credential.provider.path}} property can be a list of keystore files
like this:
> _jceks://hdfs/file1.jceks,jceks://hdfs/file2.jceks,jceks://hdfs/file3.jceks ..._
> Each file can have different permissions set to limit the users that have access to the
keys.  Some users may not have access to all the keystore files.
> Each keystore file in the list should be tried until one is found with the key needed.

> Currently it will throw an exception if one of the keystore files cannot be loaded instead
of continuing to try the next one in the list.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org


Mime
View raw message