[ 
https://issues.apache.org/jira/browse/HADOOP-12548?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15145563#comment-15145563
 ] 

Larry McCay commented on HADOOP-12548:
--------------------------------------

You may be right.
Based on that code, it seems that you should have ended up with a new keystore 
in that location but only if flush() were to be called.

Yes - it seems that the intent is that when you load a provider with a 
potentially valid path, the keystore will be loaded there and available to 
be written to. If you were to do an operation that required a write - such as 
adding or deleting a credential - then flush would be called to write it to disk.

Configuration.getPassword() does not require a write so it probably never got 
realized on disk.

So in essence, we are seeing the creation of a previously non-existent keystore 
through the JCEKS provider in a valid location within HDFS but it is only in 
memory. We then ask for an alias that does not exist in it and it returns null 
which is the expected behavior. I don't believe that the keystore is being 
written to disk.

If this is a concern then we can take it up in a new JIRA and would have to 
consider the other consumers of the credential provider API as you said - such 
as the credential CLI command. I think throwing an exception at this point 
would affect a bunch of code around protecting SSL related credentials and the 
like and across different projects.

> read s3 creds from a Credential Provider
> ----------------------------------------
>
>                 Key: HADOOP-12548
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12548
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: fs/s3
>            Reporter: Allen Wittenauer
>            Assignee: Larry McCay
>         Attachments: CredentialProviderAPIforS3FS-002.pdf, 
> HADOOP-12548-01.patch, HADOOP-12548-02.patch, HADOOP-12548-03.patch, 
> HADOOP-12548-04.patch, HADOOP-12548-05.patch, HADOOP-12548-06.patch, 
> HADOOP-12548-07.patch
>
>
> It would be good if we could read s3 creds from a source other than via a 
> java property/Hadoop configuration option



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
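
The behaviour discussed in the comment above can be observed with a small check. This is an added example, not code from the JIRA issue or its patches; it assumes hadoop-common is on the classpath, and the keystore file name and alias are constructed for illustration.

```java
import java.io.File;
import java.util.List;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.alias.CredentialProvider;
import org.apache.hadoop.security.alias.CredentialProviderFactory;

public class KeystoreMaterializationCheck {
  public static void main(String[] args) throws Exception {
    // Constructed location; the file must not exist before the run.
    File store = new File(System.getProperty("java.io.tmpdir"),
        "hadoop-12548-demo.jceks");
    if (store.exists()) {
      throw new IllegalStateException("remove " + store + " first");
    }

    // Point the credential provider path at the non-existent keystore.
    Configuration conf = new Configuration(false);
    conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH,
        "jceks://file" + store.toURI().getPath());

    // Read-only lookup of an alias that was never stored ("demo.alias" is
    // a constructed name). The comment above expects null and no file.
    char[] missing = conf.getPassword("demo.alias");
    System.out.println("lookup returned null: " + (missing == null));
    System.out.println("keystore on disk after read: " + store.exists());

    // A write followed by flush() is the step that should persist the store.
    List<CredentialProvider> providers =
        CredentialProviderFactory.getProviders(conf);
    CredentialProvider provider = providers.get(0);
    provider.createCredentialEntry("demo.alias",
        "constructed-secret".toCharArray());
    System.out.println("keystore on disk before flush: " + store.exists());
    provider.flush();
    System.out.println("keystore on disk after flush: " + store.exists());

    // A fresh lookup now resolves the alias through the provider.
    char[] found = conf.getPassword("demo.alias");
    System.out.println("lookup after flush: "
        + (found == null ? "null" : "resolved"));

    // Clean up the constructed keystore.
    if (!store.delete()) {
      System.err.println("could not delete " + store);
    }
  }
}
```

A null result on the first lookup combined with no file on disk is the case to watch for operationally: a mistyped provider path produces no error, so a deployment check should confirm both that the keystore file exists and that the expected aliases resolve.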
