[
https://issues.apache.org/jira/browse/HADOOP-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15824533#comment-15824533
]
John Zhuge commented on HADOOP-13987:
-------------------------------------
[[email protected]] Really appreciate you spending precious holiday hours to
indulge me in the discussions :)
bq. From your last comment, it seems that you are proposing the loading of the
centralProps (not sure why this isn't core-site.xml) into the Configuration
object after loading the more specific ssl-MODE.xml which would override the
configured provider path in ssl-MORE.xml with the central provider path and
leave out any ssl specific path for the given server/host.
I think you misunderstood, I proposed to load centralProps (step 4) before
ssl-MODE.xml (step 5). centralProps loads SSL properties from core-site.xml.
The loading precedence can also be described in this ordered list:
# credential provider specified in {{ssl-MODE.xml}}
# clear text in {{ssl-MODE.xml}}
# credential provider from central configuration
# clear text in central configuration
You can see the props/provider in ssl-MODE.xml has a higher precedence over the
props/provider in core-site.xml, provider is higher than clear-text props in
the same config file, AND the clear text props in ssl-MODE.xml higher than the
central cred provider.
Totally agree with you on that the proposal increases the complexity and the
risk of misconfiguration. I am ok with {{Won't Fix}} or better docs if you
don't think the convenience of specifying SSL secrets in one central cred
provider along with other secrets outweighs the downsides.
> Enhance SSLFactory support for Credential Provider
> --------------------------------------------------
>
> Key: HADOOP-13987
> URL: https://issues.apache.org/jira/browse/HADOOP-13987
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 2.6.0
> Reporter: John Zhuge
> Assignee: John Zhuge
>
> Testing CredentialProvider with KMS: populated the credentials file, added
> "hadoop.security.credential.provider.path" to core-site.xml, but "hadoop key
> list" failed due to incorrect password. So I added
> "hadoop.security.credential.provider.path" to ssl-client.xml, "hadoop key
> list" worked!
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
