[
https://issues.apache.org/jira/browse/HADOOP-14063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15859673#comment-15859673
]
Larry McCay commented on HADOOP-14063:
--------------------------------------
Hi [~ramtinb] - This is a good improvement.
I was aware that this was possible but it seemed like the setting of the
provider path was lining up properly in practice.
Once concern that I have about this is that there is no distinction between
permissions blocking the interrogation of and the credential not existing. I
think it would be better to at least log that a search for a credential was not
possible due to file permissions on a given provider within the path.
Otherwise, a user may be inclined to add the credential again.
Maybe when you check file.canRead() is a good place to do this?
What do you think?
> Hadoop CredentialProvider fails to load list of keystore files
> --------------------------------------------------------------
>
> Key: HADOOP-14063
> URL: https://issues.apache.org/jira/browse/HADOOP-14063
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Reporter: ramtin
> Assignee: ramtin
> Attachments: HADOOP-14063-001.patch
>
>
> The {{hadoop.security.credential.provider.path}} property can be a list of
> keystore files like this:
> _jceks://hdfs/file1.jceks,jceks://hdfs/file2.jceks,jceks://hdfs/file3.jceks
> ..._
> Each file can have different permissions set to limit the users that have
> access to the keys. Some users may not have access to all the keystore files.
> Each keystore file in the list should be tried until one is found with the
> key needed.
> Currently it will throw an exception if one of the keystore files cannot be
> loaded instead of continuing to try the next one in the list.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
