hadoop-common-issues mailing list archives

From "Larry McCay (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-15157) Zookeeper authentication related properties to support CredentialProviders
Date Thu, 04 Jan 2018 16:57:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-15157?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16311646#comment-16311646 ]

Larry McCay commented on HADOOP-15157:

Hi [~grepas] - this is a good idea.
Couple comments/questions:

1. The general implementation pattern doesn't have the URIs set as the param value as far
as I know - I would have expected to either use the same credential.provider.path property
to have a credential store for zkAuth or to have a separate property for zkAuth credential
providers path and no value set for the property itself. The latter usually only needed when
the global path would be inappropriate for the usage at hand. Having to set the URI at the
individual property level could lead to a proliferation of credential stores and/or difficulty
in keeping redundant URIs in sync across multiple properties.
2. I am missing where you are setting the value as the credential.provider.path in conf so
that conf.getPassword will find it (maybe it is there and I am just not seeing it)
3. It appears that ZKUtil.BadAuthFormatException is also thrown from getZKAuthInfos but is
missing from javadoc (was previously as well)
4. credential provider docs would also need to be updated to reflect this new usage - see

> Zookeeper authentication related properties to support CredentialProviders
> --------------------------------------------------------------------------
>                 Key: HADOOP-15157
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15157
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Gergo Repas
>            Assignee: Gergo Repas
>            Priority: Minor
>         Attachments: HADOOP-15157.000.patch
> The hadoop.zk.auth and ha.zookeeper.auth properties currently support either a plain-text authentication info (in scheme:value format), or a @/path/to/file notation which points to a plain-text file.
> This ticket proposes that the value of these properties can also be CredentialProvider URI-s (such as a jceks or localjceks URI). This allows users to point to an encrypted store containing the authentication info.

This message was sent by Atlassian JIRA
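
The pattern raised in points 1 and 2 of the comment, as an added example that is not part of the original message or of the HADOOP-15157 patch: the store URI goes in the global hadoop.security.credential.provider.path property, the secret is stored under an alias equal to the property name, and Configuration.getPassword resolves it. It assumes hadoop-common on the classpath and a Unix-style temp path; the class name and the digest credential are constructed for illustration.

```java
import java.io.File;
import java.nio.file.Files;
import java.util.Arrays;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.alias.CredentialProvider;
import org.apache.hadoop.security.alias.CredentialProviderFactory;

public class ZkAuthFromCredentialStore {  // hypothetical class name
  // The alias equals the property name, which is what getPassword() looks up.
  static final String ZK_AUTH_KEY = "hadoop.zk.auth";

  public static void main(String[] args) throws Exception {
    // Constructed demo store in a temp directory (localjceks = local file keystore).
    File dir = Files.createTempDirectory("zkauth-demo").toFile();
    String storeUri = "localjceks://file" + new File(dir, "zk.jceks").getAbsolutePath();

    // One global provider path, with no URI on the zkAuth property itself.
    Configuration conf = new Configuration(false);
    conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, storeUri);

    // Provision the secret once; normally done with the `hadoop credential create` CLI.
    CredentialProvider provider = CredentialProviderFactory.getProviders(conf).get(0);
    provider.createCredentialEntry(ZK_AUTH_KEY,
        "digest:demo-user:demo-secret".toCharArray());  // constructed sample value
    provider.flush();

    // Providers are consulted first; the property value is only a fallback.
    char[] fromStore = conf.getPassword(ZK_AUTH_KEY);
    System.out.println("resolved from credential store: " + (fromStore != null));
    if (fromStore != null) {
      Arrays.fill(fromStore, '\0');  // do not keep the secret in memory longer than needed
    }

    // Without a provider path, a plain-text property value is returned by default.
    Configuration plain = new Configuration(false);
    plain.set(ZK_AUTH_KEY, "digest:demo-user:demo-secret");
    System.out.println("clear-text fallback (default): "
        + (plain.getPassword(ZK_AUTH_KEY) != null));

    // Hardening: disable the fallback so a plain-text value is never accepted.
    plain.setBoolean(CredentialProvider.CLEAR_TEXT_FALLBACK, false);
    System.out.println("clear-text fallback disabled: "
        + (plain.getPassword(ZK_AUTH_KEY) != null));
  }
}
```

With the fallback disabled, getPassword returns null for a value that exists only in plain text, so a misconfigured deployment fails closed instead of silently using an unencrypted secret.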
