[
https://issues.apache.org/jira/browse/HADOOP-14063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15971383#comment-15971383
]
Yan commented on HADOOP-14063:
------------------------------
The patch breaks the semantics of the keystoreExists() method, including the
exception thrown. Potentially it could break existing callers of the method.
A proper fix, IMHO, could be to 1) carefully differentiate specific permission
issues that need to be addressed for the capability of traversing multiple
keystore files, probably with the addition of some, probably configurable,
limitation on the number of allowed permission denials to prevent potential
hacking attempts; 2) check whether the keystoreExists() call could provide such
differentiations; 3) if not, enhance AbstractJavaKeyStoreProvider, probably
plus its subclasses, with a method that can provide this differentiation; 4)
enhance the caller of the KeyStoreProvider dealing with the multiple keystore
files to improve the logic so as to be able to proceed to the next keystore
after detecting some exceptions; and/or provide a new method/subclass in/to the
KeyStoreProvider class, to properly handle the multiple keystore files.
In summary, we should try to fix the problem at the caller side as much as
possible, and not change the semantics of existing methods which would have
much wider impact.
> Hadoop CredentialProvider fails to load list of keystore files
> --------------------------------------------------------------
>
> Key: HADOOP-14063
> URL: https://issues.apache.org/jira/browse/HADOOP-14063
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Reporter: ramtin
> Assignee: ramtin
> Attachments: HADOOP-14063-001.patch, HADOOP-14063-002.patch
>
>
> The {{hadoop.security.credential.provider.path}} property can be a list of
> keystore files like this:
> _jceks://hdfs/file1.jceks,jceks://hdfs/file2.jceks,jceks://hdfs/file3.jceks
> ..._
> Each file can have different permissions set to limit the users that have
> access to the keys. Some users may not have access to all the keystore files.
> Each keystore file in the list should be tried until one is found with the
> key needed.
> Currently it will throw an exception if one of the keystore files cannot be
> loaded instead of continuing to try the next one in the list.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
---------------------------------------------------------------------
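The caller-side traversal that the comment argues for, as an added example that is not part of the patch or of the Hadoop code base: a hypothetical KeystoreSource interface stands in for the real keystore-backed CredentialProvider, the denial cap is assumed to come from configuration, and the choice to keep walking past a non-permission read failure but rethrow it when no store held the alias is this example's own design.

```java
import java.io.IOException;
import java.nio.file.AccessDeniedException;
import java.util.List;
import java.util.Optional;

public class CredentialLookup {
    /** Hypothetical stand-in for one keystore-backed provider in the configured list. */
    public interface KeystoreSource {
        /** Returns the credential, or null if the alias is absent; throws if the store cannot be read. */
        char[] lookup(String alias) throws IOException;
    }
    private final List<KeystoreSource> stores;
    private final int maxDenials;  // cap on tolerated permission denials (assumed to be configurable)
    public CredentialLookup(List<KeystoreSource> stores, int maxDenials) { this.stores = stores; this.maxDenials = maxDenials; }

    /** Walks the list in order; a store this user may not read is skipped rather than aborting the lookup. */
    public Optional<char[]> resolve(String alias) throws IOException {
        int denials = 0;
        IOException unreadable = null;
        for (KeystoreSource store : stores) {
            try {
                char[] cred = store.lookup(alias);
                if (cred != null) { return Optional.of(cred); }   // first store holding the alias wins
            } catch (AccessDeniedException e) {
                // Expected when the list mixes stores with different permissions: move on, but bound the count.
                if (++denials > maxDenials) {
                    throw new IOException("more than " + maxDenials + " keystores denied access", e);
                }
            } catch (IOException e) {
                unreadable = e;   // corrupt or otherwise unreadable store: remember it and keep going
            }
        }
        if (unreadable != null) {
            throw unreadable;     // alias not found, and at least one store could not be checked
        }
        return Optional.empty();  // every readable store was checked and none holds the alias
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample list: file1 denies access, file2 lacks the alias, file3 holds it.
        List<KeystoreSource> sample = List.of(
            alias -> { throw new AccessDeniedException("jceks://hdfs/file1.jceks"); },
            alias -> null,
            alias -> "db.password".equals(alias) ? "s3cret".toCharArray() : null);
        Optional<char[]> found = new CredentialLookup(sample, 2).resolve("db.password");
        System.out.println(found.map(String::new).orElse("<absent>"));
    }
}
```

With the sample list the lookup skips the denied store, passes over the one without the alias and returns the credential from the third; lowering the cap to 0 makes the first denial fatal instead.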