[
https://issues.apache.org/jira/browse/HADOOP-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15822042#comment-15822042
]
John Zhuge commented on HADOOP-13987:
-------------------------------------
In the SSLFactory constructor, a new Configuration "sslConf" that only reads
"ssl-client.xml" or "ssl-server.xml" is passed to FileBasedKeyStoresFactory
which calls Configuration.getPassword() to initialize, but "sslConf" does not
contain the property "hadoop.security.credential.provider.path" because it is
usually added to "core-site.xml" or component site xml.
{code:title=SSLFactory(Mode mode, Configuration conf)}
    Configuration sslConf = readSSLConfiguration(mode);
    Class<? extends KeyStoresFactory> klass
        = conf.getClass(KEYSTORES_FACTORY_CLASS_KEY,
                        FileBasedKeyStoresFactory.class, KeyStoresFactory.class);
    keystoresFactory = ReflectionUtils.newInstance(klass, sslConf);
{code}
{code:title=Configuration readSSLConfiguration(Mode mode)}
    Configuration sslConf = new Configuration(false);
    sslConf.setBoolean(SSL_REQUIRE_CLIENT_CERT_KEY, requireClientCert);
    String sslConfResource;
    if (mode == Mode.CLIENT) {
      sslConfResource = conf.get(SSL_CLIENT_CONF_KEY,
                                 SSL_CLIENT_CONF_DEFAULT);
    } else {
      sslConfResource = conf.get(SSL_SERVER_CONF_KEY,
                                 SSL_SERVER_CONF_DEFAULT);
    }
    sslConf.addResource(sslConfResource);
    return sslConf;
{code}
Backtrace for "hadoop key list":
* getProviders:76, CredentialProviderFactory {org.apache.hadoop.security.alias}
* getPasswordFromCredentialProviders:2048, Configuration {org.apache.hadoop.conf}
* getPassword:2027, Configuration {org.apache.hadoop.conf}
* getPassword:240, FileBasedKeyStoresFactory {org.apache.hadoop.security.ssl}
* init:203, FileBasedKeyStoresFactory {org.apache.hadoop.security.ssl}
* init:187, SSLFactory {org.apache.hadoop.security.ssl}
* :442, KMSClientProvider {org.apache.hadoop.crypto.key.kms}
* createProvider:350, KMSClientProvider$Factory {org.apache.hadoop.crypto.key.kms}
* createProvider:341, KMSClientProvider$Factory {org.apache.hadoop.crypto.key.kms}
* get:96, KeyProviderFactory {org.apache.hadoop.crypto.key}
* getProviders:68, KeyProviderFactory {org.apache.hadoop.crypto.key}
* getKeyProvider:181, KeyShell$Command {org.apache.hadoop.crypto.key}
* validate:230, KeyShell$ListCommand {org.apache.hadoop.crypto.key}
* run:71, CommandShell {org.apache.hadoop.tools}
* run:76, ToolRunner {org.apache.hadoop.util}
* main:478, KeyShell {org.apache.hadoop.crypto.key}
SSLFactory is created by:
* LogLevel
* Fetcher
* KMSClientProvider (used by "hadoop key" command)
* URLConnectionFactory
* ShuffleHandler
* TimelineClientImpl
* DatanodeHttpServer
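A small audit script, added here as an illustration and not part of the issue or of Hadoop itself, that reads a core-site.xml and an ssl-client.xml/ssl-server.xml and reports whether the credential provider path would be visible to the Configuration that SSLFactory builds (only the ssl-*.xml resource is loaded, so a path set in core-site.xml is not), and which keystore passwords are therefore left either in clear text or unresolvable. The sample XML is constructed to match the report; the file contents and the jceks path are assumptions.

```python
"""Audit Hadoop ssl-*.xml for the credential-provider scoping gap in HADOOP-13987."""
import xml.etree.ElementTree as ET

PROVIDER_PATH_KEY = "hadoop.security.credential.provider.path"
# Password properties that FileBasedKeyStoresFactory resolves via Configuration.getPassword().
PASSWORD_KEYS = {
    "client": ("ssl.client.keystore.password", "ssl.client.keystore.keypassword",
               "ssl.client.truststore.password"),
    "server": ("ssl.server.keystore.password", "ssl.server.keystore.keypassword",
               "ssl.server.truststore.password"),
}

def parse_hadoop_xml(text):
    """Return {name: value} from a Hadoop <configuration><property> document."""
    props = {}
    for prop in ET.fromstring(text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def audit_ssl_conf(mode, ssl_xml, core_xml):
    """Model how SSLFactory's Configuration(false) + addResource(ssl-*.xml) sees things.
    The provider path must be in the ssl-*.xml resource itself; core-site.xml is not loaded."""
    ssl_props = parse_hadoop_xml(ssl_xml)
    core_props = parse_hadoop_xml(core_xml)
    provider_visible = PROVIDER_PATH_KEY in ssl_props
    provider_in_core = PROVIDER_PATH_KEY in core_props
    cleartext = [k for k in PASSWORD_KEYS[mode] if ssl_props.get(k)]
    missing = [k for k in PASSWORD_KEYS[mode] if not ssl_props.get(k)]
    return {
        "provider_visible_to_sslfactory": provider_visible,
        "provider_only_in_core_site": provider_in_core and not provider_visible,
        "cleartext_passwords": cleartext,            # secrets sitting in the XML file
        "unresolvable_passwords": [] if provider_visible else missing,  # getPassword() -> null
    }

# Constructed sample files (assumed paths): provider path only in core-site.xml.
CORE_SITE = """<configuration>
  <property><name>hadoop.security.credential.provider.path</name>
    <value>jceks://file/etc/hadoop/ssl.jceks</value></property>
</configuration>"""
SSL_CLIENT = """<configuration>
  <property><name>ssl.client.truststore.location</name>
    <value>/etc/hadoop/truststore.jks</value></property>
</configuration>"""

if __name__ == "__main__":
    print(audit_ssl_conf("client", SSL_CLIENT, CORE_SITE))
```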
> Enhance SSLFactory support for Credential Provider
> --------------------------------------------------
>
> Key: HADOOP-13987
> URL: https://issues.apache.org/jira/browse/HADOOP-13987
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 2.6.0
> Reporter: John Zhuge
> Assignee: John Zhuge
>
> Testing CredentialProvider with KMS: populated the credentials file, added
> "hadoop.security.credential.provider.path" to core-site.xml, but "hadoop key
> list" failed due to incorrect password. So I added
> "hadoop.security.credential.provider.path" to ssl-client.xml, "hadoop key
> list" worked!
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)