hadoop-yarn-issues mailing list archives

From "Larry McCay (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-2373) WebAppUtils Should Use configuration.getPassword for Accessing SSL Passwords
Date Fri, 08 Aug 2014 15:02:13 GMT

    [ https://issues.apache.org/jira/browse/YARN-2373?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14090840#comment-14090840 ]

Larry McCay commented on YARN-2373:

Hi [~vvasudev] - thanks for the review and the good questions:

bq. 1. For the null case (where the WebAppUtils.getPassword() returns null), should we add
a warning or an audit log that someone was trying to get a password that was null?

There was no such log or audit record in that case before adding the additional check for
an alias in credential provider - so I didn't add anything new for it. It probably would be
a good idea to do so - I don't know that this change makes it any more necessary though. Your
question raises an interesting point for the Configuration.getPassword implementation though.
I think that it would make sense to log a failure to get a password if there is no provisioned
alias and it is configured to not allow fallback to config. We don't currently do that - it
will just return null. I think we should file a separate jira for that.

bq. 2. Will you update documentation in another ticket (just to let users know that they can
use a CredentialProvider instead of using plain text)?

We could do that. There is a jira for adding credential provider api documentation already -
are you thinking that it needs to have YARN specific documentation as well?

bq. Missed one more question - are you taking care of changes to ssl-client.xml as well?

This is a good point. I will have to track down those usages as well and file separate jiras.

Are any of these questions/answers blockers for this patch?

Thanks again for the review!

> WebAppUtils Should Use configuration.getPassword for Accessing SSL Passwords
> ----------------------------------------------------------------------------
>                 Key: YARN-2373
>                 URL: https://issues.apache.org/jira/browse/YARN-2373
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: Larry McCay
>         Attachments: YARN-2373.patch, YARN-2373.patch, YARN-2373.patch
> As part of HADOOP-10904, this jira represents a change to WebAppUtils to uptake the use
> of the credential provider API through the new method on Configuration called getPassword.
> This provides an alternative to storing the passwords in clear text within the ssl-server.xml
> file while maintaining backward compatibility with that behavior.

This message was sent by Atlassian JIRA
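
The lookup discussed in this message, as an added example (not code from the YARN-2373 patch or from Hadoop itself): a caller resolves an SSL password through Configuration.getPassword and logs the alias name, never the value, when nothing is resolved. The class SslPasswordLookup, the helper resolvePassword and the sample password are hypothetical; it assumes hadoop-common is on the classpath and no credential provider path is configured.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.logging.Logger;

import org.apache.hadoop.conf.Configuration;

public class SslPasswordLookup {
  private static final Logger LOG = Logger.getLogger(SslPasswordLookup.class.getName());

  // Hadoop key that controls whether getPassword may fall back to clear text in config.
  static final String CLEAR_TEXT_FALLBACK = "hadoop.security.credential.clear-text-fallback";
  // Key that holds the keystore password in ssl-server.xml.
  static final String KEYSTORE_PASSWORD_KEY = "ssl.server.keystore.password";

  /** Hypothetical helper: resolve an alias and warn (name only) when nothing is found. */
  static char[] resolvePassword(Configuration conf, String alias) {
    char[] password = null;
    try {
      // Credential providers are consulted first, then (if allowed) the config value.
      password = conf.getPassword(alias);
    } catch (IOException e) {
      LOG.warning("Credential provider lookup failed for alias '" + alias + "': " + e);
    }
    if (password == null) {
      boolean fallback = conf.getBoolean(CLEAR_TEXT_FALLBACK, true);
      LOG.warning("No password resolved for alias '" + alias + "' (clear-text fallback "
          + (fallback ? "enabled" : "disabled") + ")");
    }
    return password;
  }

  public static void main(String[] args) {
    // Constructed sample: an empty Configuration with a clear-text value, as in ssl-server.xml.
    Configuration conf = new Configuration(false);
    conf.set(KEYSTORE_PASSWORD_KEY, "constructed-sample-value");

    // Backward-compatible case: no provisioned alias, fallback to config is allowed.
    char[] pw = resolvePassword(conf, KEYSTORE_PASSWORD_KEY);
    System.out.println("fallback allowed  -> resolved: " + (pw != null));
    if (pw != null) {
      Arrays.fill(pw, '\0'); // wipe the secret once it has been used
    }

    // No provisioned alias and fallback disallowed: getPassword returns null.
    conf.setBoolean(CLEAR_TEXT_FALLBACK, false);
    pw = resolvePassword(conf, KEYSTORE_PASSWORD_KEY);
    System.out.println("fallback disabled -> resolved: " + (pw != null));
  }
}
```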
