Repository: hadoop
Updated Branches:
  refs/heads/branch-2 00ff3d737 -> d4501ad0d


HADOOP-13441. Document LdapGroupsMapping keystore password properties. 
Contributed by Yuanbo Liu.

(cherry picked from commit d892ae9576d07d01927443b6dc6c934a6c2f317f)


Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/d4501ad0
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/d4501ad0
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/d4501ad0

Branch: refs/heads/branch-2
Commit: d4501ad0d874b397487f2e428ba79c814b18accc
Parents: 00ff3d7
Author: Wei-Chiu Chuang <weic...@apache.org>
Authored: Thu Aug 11 11:57:20 2016 -0700
Committer: Wei-Chiu Chuang <weic...@apache.org>
Committed: Thu Aug 11 11:58:18 2016 -0700

----------------------------------------------------------------------
 .../org/apache/hadoop/conf/Configuration.java   |  5 +-
 .../fs/CommonConfigurationKeysPublic.java       | 26 ++++++++
 .../alias/AbstractJavaKeyStoreProvider.java     |  4 +-
 .../security/alias/CredentialProvider.java      |  6 +-
 .../alias/CredentialProviderFactory.java        |  3 +-
 .../src/main/resources/core-default.xml         | 64 ++++++++++++++++++--
 .../src/site/markdown/CredentialProviderAPI.md  |  2 +-
 .../src/site/markdown/GroupsMapping.md          |  6 +-
 8 files changed, 104 insertions(+), 12 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hadoop/blob/d4501ad0/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/Configuration.java
----------------------------------------------------------------------
diff --git 
a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/Configuration.java
 
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/Configuration.java
index f016119..a9675bf 100644
--- 
a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/Configuration.java
+++ 
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/Configuration.java
@@ -78,6 +78,7 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.fs.CommonConfigurationKeys;
@@ -1997,7 +1998,9 @@ public class Configuration implements 
Iterable<Map.Entry<String,String>>,
    */
   protected char[] getPasswordFromConfig(String name) {
     char[] pass = null;
-    if (getBoolean(CredentialProvider.CLEAR_TEXT_FALLBACK, true)) {
+    if (getBoolean(CredentialProvider.CLEAR_TEXT_FALLBACK,
+        CommonConfigurationKeysPublic.
+            HADOOP_SECURITY_CREDENTIAL_CLEAR_TEXT_FALLBACK_DEFAULT)) {
       String passStr = get(name);
       if (passStr != null) {
         pass = passStr.toCharArray();
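Review bot: The `if` on the new lines is the point where a password is taken from the plain configuration value instead of a credential provider, and nothing in the hunk says so; a one-line comment such as `// Clear-text fallback: read the password straight from the config value only while hadoop.security.credential.clear-text-fallback is enabled (default true).` would make that decision visible at the call site. The default is still `true` after this change; the commit only gives it a name. Splitting the qualified name after the `.` at the end of a line (`CommonConfigurationKeysPublic.`) compiles but is unusual in this codebase — a static import, or keeping qualifier and constant on one line, reads better, and the same layout appears in the AbstractJavaKeyStoreProvider and CredentialProvider hunks. getPasswordFromConfig continues past the hunk, and its Javadoc starts before it.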

http://git-wip-us.apache.org/repos/asf/hadoop/blob/d4501ad0/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java
----------------------------------------------------------------------
diff --git 
a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java
 
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java
index c878c11..76e0842 100644
--- 
a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java
+++ 
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java
@@ -740,5 +740,31 @@ public class CommonConfigurationKeysPublic {
       "hadoop.http.logs.enabled";
   /** Defalt value for HADOOP_HTTP_LOGS_ENABLED */
   public static final boolean HADOOP_HTTP_LOGS_ENABLED_DEFAULT = true;
+
+  /**
+   * @see
+   * <a 
href="{@docRoot}/../hadoop-project-dist/hadoop-common/core-default.xml">
+   * core-default.xml</a>
+   */
+  public static final String HADOOP_SECURITY_CREDENTIAL_PROVIDER_PATH =
+      "hadoop.security.credential.provider.path";
+
+  /**
+   * @see
+   * <a 
href="{@docRoot}/../hadoop-project-dist/hadoop-common/core-default.xml">
+   * core-default.xml</a>
+   */
+  public static final String HADOOP_SECURITY_CREDENTIAL_CLEAR_TEXT_FALLBACK =
+      "hadoop.security.credential.clear-text-fallback";
+  public static final boolean
+      HADOOP_SECURITY_CREDENTIAL_CLEAR_TEXT_FALLBACK_DEFAULT = true;
+
+  /**
+   * @see
+   * <a 
href="{@docRoot}/../hadoop-project-dist/hadoop-common/core-default.xml">
+   * core-default.xml</a>
+   */
+  public static final String  HADOOP_SECURITY_CREDENTIAL_PASSWORD_FILE_KEY =
+      "hadoop.security.credstore.java-keystore-provider.password-file";
 }
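Review bot: `HADOOP_SECURITY_CREDENTIAL_CLEAR_TEXT_FALLBACK_DEFAULT` is the only new constant without Javadoc, while the file documents its other defaults (`/** Defalt value for HADOOP_HTTP_LOGS_ENABLED */` just above); add `/** Default value for HADOOP_SECURITY_CREDENTIAL_CLEAR_TEXT_FALLBACK. */` before it. Because `true` here means a password left in plain configuration is used whenever no credential provider supplies one, the Javadoc for `HADOOP_SECURITY_CREDENTIAL_CLEAR_TEXT_FALLBACK` is also the place to say that in one sentence, rather than only linking core-default.xml. Two smaller style points: the declaration of `HADOOP_SECURITY_CREDENTIAL_PASSWORD_FILE_KEY` has a double space after `String`, and its `_KEY` suffix does not match the other two key names added in the same hunk.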
 

http://git-wip-us.apache.org/repos/asf/hadoop/blob/d4501ad0/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/AbstractJavaKeyStoreProvider.java
----------------------------------------------------------------------
diff --git 
a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/AbstractJavaKeyStoreProvider.java
 
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/AbstractJavaKeyStoreProvider.java
index 335c198..8e4a0a5 100644
--- 
a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/AbstractJavaKeyStoreProvider.java
+++ 
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/AbstractJavaKeyStoreProvider.java
@@ -22,6 +22,7 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.security.ProviderUtils;
 
@@ -64,7 +65,8 @@ public abstract class AbstractJavaKeyStoreProvider extends 
CredentialProvider {
   public static final String CREDENTIAL_PASSWORD_ENV_VAR =
       "HADOOP_CREDSTORE_PASSWORD";
   public static final String CREDENTIAL_PASSWORD_FILE_KEY =
-      "hadoop.security.credstore.java-keystore-provider.password-file";
+      CommonConfigurationKeysPublic.
+          HADOOP_SECURITY_CREDENTIAL_PASSWORD_FILE_KEY;
   public static final String CREDENTIAL_PASSWORD_DEFAULT = "none";
 
   private Path path;
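Review bot: `CREDENTIAL_PASSWORD_FILE_KEY` now merely re-exports `CommonConfigurationKeysPublic.HADOOP_SECURITY_CREDENTIAL_PASSWORD_FILE_KEY`, so two public constants name the same property and neither says which is canonical; add `/** Alias of {@link CommonConfigurationKeysPublic#HADOOP_SECURITY_CREDENTIAL_PASSWORD_FILE_KEY}, kept for existing callers. */` on it, or mark it `@Deprecated` if the public key is meant to replace it. The same applies to `CredentialProvider.CLEAR_TEXT_FALLBACK` and `CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH` in the later hunks. Whether code outside hadoop-common still references the old names is not visible here, so deprecation is a call for the maintainers. The class body continues past the hunk.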

http://git-wip-us.apache.org/repos/asf/hadoop/blob/d4501ad0/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/CredentialProvider.java
----------------------------------------------------------------------
diff --git 
a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/CredentialProvider.java
 
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/CredentialProvider.java
index f38a61a..8354054 100644
--- 
a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/CredentialProvider.java
+++ 
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/CredentialProvider.java
@@ -23,6 +23,7 @@ import java.util.List;
 
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
 
 /**
  * A provider of credentials or password for Hadoop applications. Provides an
@@ -33,8 +34,9 @@ import org.apache.hadoop.classification.InterfaceStability;
 @InterfaceAudience.Public
 @InterfaceStability.Unstable
 public abstract class CredentialProvider {
-  public static final String CLEAR_TEXT_FALLBACK 
-      = "hadoop.security.credential.clear-text-fallback";
+  public static final String CLEAR_TEXT_FALLBACK =
+      CommonConfigurationKeysPublic.
+          HADOOP_SECURITY_CREDENTIAL_CLEAR_TEXT_FALLBACK;
 
   /**
    * The combination of both the alias and the actual credential value.

http://git-wip-us.apache.org/repos/asf/hadoop/blob/d4501ad0/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/CredentialProviderFactory.java
----------------------------------------------------------------------
diff --git 
a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/CredentialProviderFactory.java
 
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/CredentialProviderFactory.java
index 0c9c21f..3c3f79f 100644
--- 
a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/CredentialProviderFactory.java
+++ 
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/CredentialProviderFactory.java
@@ -28,6 +28,7 @@ import java.util.ServiceLoader;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
 
 /**
  * A factory to create a list of CredentialProvider based on the path given in 
a
@@ -38,7 +39,7 @@ import org.apache.hadoop.conf.Configuration;
 @InterfaceStability.Unstable
 public abstract class CredentialProviderFactory {
   public static final String CREDENTIAL_PROVIDER_PATH =
-      "hadoop.security.credential.provider.path";
+      CommonConfigurationKeysPublic.HADOOP_SECURITY_CREDENTIAL_PROVIDER_PATH;
 
   public abstract CredentialProvider createProvider(URI providerName,
                                              Configuration conf

http://git-wip-us.apache.org/repos/asf/hadoop/blob/d4501ad0/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
----------------------------------------------------------------------
diff --git 
a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml 
b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
index bf92720..7851632 100644
--- a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
+++ b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
@@ -250,10 +250,52 @@
   <name>hadoop.security.group.mapping.ldap.ssl.keystore.password.file</name>
   <value></value>
   <description>
-    The path to a file containing the password of the LDAP SSL keystore.
+    The path to a file containing the password of the LDAP SSL keystore. If
+    the password is not configured in credential providers and the property
+    hadoop.security.group.mapping.ldap.ssl.keystore.password is not set,
+    LDAPGroupsMapping reads password from the file.
 
     IMPORTANT: This file should be readable only by the Unix user running
-    the daemons.
+    the daemons and should be a local file.
+  </description>
+</property>
+
+<property>
+  <name>hadoop.security.group.mapping.ldap.ssl.keystore.password</name>
+  <value></value>
+  <description>
+    The password of the LDAP SSL keystore. this property name is used as an
+    alias to get the password from credential providers. If the password can
+    not be found and hadoop.security.credential.clear-text-fallback is true
+    LDAPGroupsMapping uses the value of this property for password.
+  </description>
+</property>
+
+<property>
+  <name>hadoop.security.credential.clear-text-fallback</name>
+  <value>true</value>
+  <description>
+    true or false to indicate whether or not to fall back to storing credential
+    password as clear text. The default value is true. This property only works
+    when the password can't not be found from credential providers.
+  </description>
+</property>
+
+<property>
+  <name>hadoop.security.credential.provider.path</name>
+  <value></value>
+  <description>
+    A comma-separated list of URLs that indicates the type and
+    location of a list of providers that should be consulted.
+  </description>
+</property>
+
+<property>
+  <name>hadoop.security.credstore.java-keystore-provider.password-file</name>
+  <value></value>
+  <description>
+    The path to a file containing the custom password for all keystores
+    that may be configured in the provider path.
   </description>
 </property>
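Review bot: The new description for `hadoop.security.credential.clear-text-fallback` has a garbled negation, `when the password can't not be found from credential providers`, which should read `when the password cannot be found in the credential providers`. The descriptions for `hadoop.security.group.mapping.ldap.ssl.keystore.password` here and `hadoop.security.group.mapping.ldap.bind.password` in the next hunk both start a sentence in lower case (`this property name is used as an alias`) and should read `This property name is used as an alias`. The keystore.password and clear-text-fallback descriptions also omit the caveat that GroupsMapping.md adds in this same commit — that setting the password directly in configuration exposes it in the file and is discouraged; one sentence to that effect in core-default.xml keeps the two in step, since operators usually read the property description rather than the site docs.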
 
@@ -270,10 +312,24 @@
   <name>hadoop.security.group.mapping.ldap.bind.password.file</name>
   <value></value>
   <description>
-    The path to a file containing the password of the bind user.
+    The path to a file containing the password of the bind user. If
+    the password is not configured in credential providers and the property
+    hadoop.security.group.mapping.ldap.bind.password is not set,
+    LDAPGroupsMapping reads password from the file.
 
     IMPORTANT: This file should be readable only by the Unix user running
-    the daemons.
+    the daemons and should be a local file.
+  </description>
+</property>
+
+<property>
+  <name>hadoop.security.group.mapping.ldap.bind.password</name>
+  <value></value>
+  <description>
+    The password of the bind user. this property name is used as an
+    alias to get the password from credential providers. If the password can
+    not be found and hadoop.security.credential.clear-text-fallback is true
+    LDAPGroupsMapping uses the value of this property for password.
   </description>
 </property>
 

http://git-wip-us.apache.org/repos/asf/hadoop/blob/d4501ad0/hadoop-common-project/hadoop-common/src/site/markdown/CredentialProviderAPI.md
----------------------------------------------------------------------
diff --git 
a/hadoop-common-project/hadoop-common/src/site/markdown/CredentialProviderAPI.md
 
b/hadoop-common-project/hadoop-common/src/site/markdown/CredentialProviderAPI.md
index d6e4ee7..1142372 100644
--- 
a/hadoop-common-project/hadoop-common/src/site/markdown/CredentialProviderAPI.md
+++ 
b/hadoop-common-project/hadoop-common/src/site/markdown/CredentialProviderAPI.md
@@ -96,7 +96,7 @@ In summary, first, provision the credentials into a provider 
then configure the
 ##### Supported Features
 | Feature\Component | Description | Link |
 |:---- |:---- |:---|
-|LDAPGroupsMapping    |LDAPGroupsMapping is used to look up the groups for a 
given user in LDAP. The CredentialProvider API is used to protect the LDAP bind 
password and those needed for SSL.|TODO|
+|LDAPGroupsMapping    |LDAPGroupsMapping is used to look up the groups for a 
given user in LDAP. The CredentialProvider API is used to protect the LDAP bind 
password and those needed for SSL.|[LDAP Groups 
Mapping](GroupsMapping.html#LDAP_Groups_Mapping)|
 |SSL Passwords        |FileBasedKeyStoresFactory leverages the credential 
provider API in order to resolve the SSL related passwords.|TODO|
 |HDFS                 |DFSUtil leverages Configuration.getPassword method to 
use the credential provider API and/or fallback to the clear text value stored 
in ssl-server.xml.|TODO|
 |YARN                 |WebAppUtils uptakes the use of the credential provider 
API through the new method on Configuration called getPassword. This provides 
an alternative to storing the passwords in clear text within the ssl-server.xml 
file while maintaining backward compatibility.|TODO|

http://git-wip-us.apache.org/repos/asf/hadoop/blob/d4501ad0/hadoop-common-project/hadoop-common/src/site/markdown/GroupsMapping.md
----------------------------------------------------------------------
diff --git 
a/hadoop-common-project/hadoop-common/src/site/markdown/GroupsMapping.md 
b/hadoop-common-project/hadoop-common/src/site/markdown/GroupsMapping.md
index f2e04b9..b6dac85 100644
--- a/hadoop-common-project/hadoop-common/src/site/markdown/GroupsMapping.md
+++ b/hadoop-common-project/hadoop-common/src/site/markdown/GroupsMapping.md
@@ -99,8 +99,10 @@ If the LDAP server supports POSIX group semantics 
(RFC-2307), Hadoop can perform
 
 ### SSL ###
 To secure the connection, the implementation supports LDAP over SSL (LDAPS). 
SSL is enable by setting `hadoop.security.group.mapping.ldap.ssl` to `true`.
-In addition, specify the path to the keystore file for SSL connection in 
`hadoop.security.group.mapping.ldap.ssl.keystore` and keystore password in 
`hadoop.security.group.mapping.ldap.ssl.keystore.password`.
-Alternatively, store the keystore password in a file, and point 
`hadoop.security.group.mapping.ldap.ssl.keystore.password.file` to that file. 
For security purposes, this file should be readable only by the Unix user 
running the daemons.
+In addition, specify the path to the keystore file for SSL connection in 
`hadoop.security.group.mapping.ldap.ssl.keystore` and keystore password in 
`hadoop.security.group.mapping.ldap.ssl.keystore.password`, at the same time, 
make sure `hadoop.security.credential.clear-text-fallback` is true.
+Alternatively, store the keystore password in a file, and point 
`hadoop.security.group.mapping.ldap.ssl.keystore.password.file` to that file.
+For security purposes, this file should be readable only by the Unix user 
running the daemons, and for preventing recursive dependency, this file should 
be a local file.
+The first approach aka using 
`hadoop.security.group.mapping.ldap.ssl.keystore.password` is highly 
discouraged because it exposes the password in the configuration file.
 
 ### Low latency group mapping resolution ###
 Typically, Hadoop resolves a user's group names by making two LDAP queries: 
the first query gets the user object, and the second query uses the user's 
Distinguished Name to find the groups.

