Author: jmaron
Date: Tue Feb 17 17:33:06 2015
New Revision: 1660454
URL: http://svn.apache.org/r1660454
Log:
added section for application security store deployment options
Modified:
incubator/slider/site/trunk/content/docs/security.md
Modified: incubator/slider/site/trunk/content/docs/security.md
URL:
http://svn.apache.org/viewvc/incubator/slider/site/trunk/content/docs/security.md?rev=1660454&r1=1660453&r2=1660454&view=diff
==============================================================================
--- incubator/slider/site/trunk/content/docs/security.md (original)
+++ incubator/slider/site/trunk/content/docs/security.md Tue Feb 17 17:33:06
2015
@@ -254,7 +254,49 @@ They can also be set on the Slider comma
-S java.security.krb5.realm=MINICLUSTER -S
java.security.krb5.kdc=hadoop-kdc
-### Important: Java Cryptography Package
+## Generation and deployment of application keystores/truststores
+Application components may make use of keystores and truststores to establish
secure communications. Given the nature of application deployments in a YARN
cluster and the lack of certainty concerning the nodemanager host on which a
component container may be spawned, Slider provides the facility for creating
and deploying the keystores and truststores that may be required.
+
+The process of enabling application keystore/truststore generation and
deployment is:
+
+* Set the "slider.component.security.stores.required" property to "true".
This property can be set as a global property (indicating all components
require stores) or can be set/overridden at the component level to selectively
enable store generation for a given component.
+* Specify the password property for the component keystore or truststore or,
+* Specify the property providing the alias that references a credential
managed by the Hadoop Credential Provider. This credential provides the
password for securing the keystore/truststore.
+
+### Specifying a keystore/truststore password
+Applications that make use of a keystore and/or truststore may already have
configuration properties that reference the value for the password used to
secure the given certificate store. In those instances the application
configuration can reference the value of the password property in the component
specific configuration section:
+
+ "APP_COMPONENT": {
+ "slider.component.security.stores.required": "true",
+ "slider.component.keystore.password.property":
"site.myapp-site.app_component.keystore.password"
+ }
+
+In this example:
+
+* The store required property is set to "true" for the APP_COMPONENT component
+* The application has a property in its site configuration file named
"app_component.keystore.password". This property is specified in the appConfig
file's global section (with the "site.myapp-site" prefix), and is referenced
here to indicate to Slider which application property provides the store
password.
+
+### Specifying a keystore/truststore Credential Provider alias
+Applications that utilize the Credenfial Provider API to retrieve application
passwords can specify the following configuration:
+
+* Indicate the credential storage path in the "credentials" section of the app
configuration file:
+
+ "credentials": {
+ "jceks://hdfs/user/${USER}/myapp.jceks":
["app_component.keystore.password.alias"]
+ }
+
+If you specify a list of aliases and are making use of the Slider CLI for
application deployment, you will be prompted to enter a value for the passwords
specified if no password matching a configured alias is found in the credential
store. However, any mechanism available for pre-populating the credential
store may be utilized.
+
+* Reference the alias to use for securing the keystore/truststore in the
component's configuraton section:
+
+ "APP_COMPONENT": {
+ "slider.component.security.stores.required": "true",
+ "slider.component.keystore.credential.alias.property":
"app_component.keystore.password.alias"
+ }
+
+At runtime, Slider will read the credential mapped to the alias (in this case,
"app_component.keystore.password.alias"), and leverage the password stored to
secure the generated keystore.
+
+## Important: Java Cryptography Package
When trying to talk to a secure, cluster you may see the message:
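Review bot: the new section documents only the keystore property keys (`slider.component.keystore.password.property`, `slider.component.keystore.credential.alias.property`) even though both subsection headings and the opening bullets promise keystore/truststore coverage; please name the truststore equivalents or state explicitly that the same keys govern both stores, otherwise a reader cannot enable truststore generation from this page. Two typos in the added prose: "Credenfial Provider API" should be "Credential Provider API", and "configuraton section" should be "configuration section". The first bullet list also ends its second item with "or," and then starts a new bullet, which reads as a broken sentence; either fold the two alternatives into one item or drop the trailing comma. Finally, the password-property subsection should say plainly that the value reached through "site.myapp-site.app_component.keystore.password" is a plaintext password in the appConfig global section, so the Credential Provider alias route described immediately after is the one to prefer when the appConfig file is shared or stored in version control. (Unrelated to this change but in the context line: "a secure, cluster" has a stray comma.)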
@@ -267,7 +309,6 @@ from Oracle (or other supplier of the JV
its accompanying instructions.
-
## Useful Links
1. [Adding Security to Apache
Hadoop](http://hortonworks.com/wp-content/uploads/2011/10/security-design_withCover-1.pdf)