[ https://issues.apache.org/jira/browse/HADOOP-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15824188#comment-15824188 ]
Larry McCay commented on HADOOP-13987:
--------------------------------------
[~jzhuge] - Sorry, I am not quite following what you are proposing here or
why...

From your last comment, it seems that you are proposing the loading of the
centralProps (not sure why this isn't core-site.xml) into the Configuration
object after loading the more specific ssl-MODE.xml which would override the
configured provider path in ssl-MODE.xml with the central provider path and
leave out any ssl specific path for the given server/host.

Let's step back and rearticulate what the value proposition is for this
change...

We'd like to be able to use the centrally configured core-site.xml provider
path rather than force folks and management tooling to know that SSL secrets
have their own config files for such properties. At the same time, we need to
continue to support the more specific configuration of SSL config files as
overrides for a globally configured provider path.

If you are considering this separate centralProps as a means to not pull in
unneeded config elements then I understand the intent but also feel that it
will be a brittle integration across the config spaces.

Personally, I don't know that the value proposition outweighs the risk of
misconfiguration.

We may more effectively address your pain point of not knowing to configure it
within the ssl-MODE.xml with better documentation than try and mix the
configurations.

> Enhance SSLFactory support for Credential Provider
> --------------------------------------------------
>
> Key: HADOOP-13987
> URL: https://issues.apache.org/jira/browse/HADOOP-13987
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 2.6.0
> Reporter: John Zhuge
> Assignee: John Zhuge
>
> Testing CredentialProvider with KMS: populated the credentials file, added
> "hadoop.security.credential.provider.path" to core-site.xml, but "hadoop key
> list" failed due to incorrect password. So I added
> "hadoop.security.credential.provider.path" to ssl-client.xml, "hadoop key
> list" worked!