[ https://issues.apache.org/jira/browse/HADOOP-18066?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Chao Sun updated HADOOP-18066:
------------------------------
Fix Version/s: (was: 3.3.2)
> AbstractJavaKeyStoreProvider: need a way to read credential store password from Configuration
> ---------------------------------------------------------------------------------------------
>
> Key: HADOOP-18066
> URL: https://issues.apache.org/jira/browse/HADOOP-18066
> Project: Hadoop Common
> Issue Type: Wish
> Components: security
> Reporter: László Bodor
> Priority: Major
> Labels: pull-request-available
> Time Spent: 2h 50m
> Remaining Estimate: 0h
>
> Codepath in focus is [this|https://github.com/apache/hadoop/blob/c3006be516ce7d4f970e24e7407b401318ceec3c/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/AbstractJavaKeyStoreProvider.java#L316]
> {code}
> password = ProviderUtils.locatePassword(CREDENTIAL_PASSWORD_ENV_VAR,
>     conf.get(CREDENTIAL_PASSWORD_FILE_KEY));
> {code}
> Since HIVE-14822, we can use a custom keystore that Hiveserver2 propagates to jobs/tasks of different execution engines (mr, tez, spark).
> We're able to pass any "jceks:" url, but not a password, e.g. on this codepath:
> {code}
> Caused by: java.security.UnrecoverableKeyException: Password verification failed
>     at com.sun.crypto.provider.JceKeyStore.engineLoad(JceKeyStore.java:879) ~[sunjce_provider.jar:1.8.0_232]
>     at java.security.KeyStore.load(KeyStore.java:1445) ~[?:1.8.0_232]
>     at org.apache.hadoop.security.alias.AbstractJavaKeyStoreProvider.locateKeystore(AbstractJavaKeyStoreProvider.java:326) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
>     at org.apache.hadoop.security.alias.AbstractJavaKeyStoreProvider.<init>(AbstractJavaKeyStoreProvider.java:86) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
>     at org.apache.hadoop.security.alias.KeyStoreProvider.<init>(KeyStoreProvider.java:49) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
>     at org.apache.hadoop.security.alias.JavaKeyStoreProvider.<init>(JavaKeyStoreProvider.java:42) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
>     at org.apache.hadoop.security.alias.JavaKeyStoreProvider.<init>(JavaKeyStoreProvider.java:35) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
>     at org.apache.hadoop.security.alias.JavaKeyStoreProvider$Factory.createProvider(JavaKeyStoreProvider.java:68) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
>     at org.apache.hadoop.security.alias.CredentialProviderFactory.getProviders(CredentialProviderFactory.java:73) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
>     at org.apache.hadoop.conf.Configuration.getPasswordFromCredentialProviders(Configuration.java:2409) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
>     at org.apache.hadoop.conf.Configuration.getPassword(Configuration.java:2347) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
>     at org.apache.hadoop.fs.azurebfs.AbfsConfiguration.getPasswordString(AbfsConfiguration.java:295) ~[hadoop-azure-3.1.1.7.1.7.0-551.jar:?]
>     at org.apache.hadoop.fs.azurebfs.AbfsConfiguration.getTokenProvider(AbfsConfiguration.java:525) ~[hadoop-azure-3.1.1.7.1.7.0-551.jar:?]
> {code}
> Even though there is a chance of reading a text file, it's not secure; we need to try reading a Configuration property first, and if it's null, we can go to the environment variable.
> Hacking System.getenv() is only possible with reflection, which doesn't look so good.
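As an added illustration of the lookup order the issue asks for (example code, not part of the Hadoop project or of this ticket's patch): a resolver that consults a plain Configuration property first and only then falls back to the existing env-var/password-file path via `ProviderUtils.locatePassword`. The property name `example.credstore.password` is a hypothetical placeholder, not a real Hadoop key; the class needs hadoop-common on the classpath.

```java
import java.io.IOException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.alias.ProviderUtils;

public final class CredStorePasswordResolver {
  // Names used by AbstractJavaKeyStoreProvider today, repeated here so the class compiles on its own.
  static final String CREDENTIAL_PASSWORD_ENV_VAR = "HADOOP_CREDSTORE_PASSWORD";
  static final String CREDENTIAL_PASSWORD_FILE_KEY =
      "hadoop.security.credstore.java-keystore-provider.password-file";
  // Hypothetical property for this example only; the real key is whatever the final patch defines.
  static final String CREDENTIAL_PASSWORD_CONF_KEY = "example.credstore.password";

  /**
   * Resolution order: Configuration property, then HADOOP_CREDSTORE_PASSWORD, then the
   * password file named by the existing *.password-file key (the last two are what
   * ProviderUtils.locatePassword already implements). Returns null when nothing is set,
   * mirroring locatePassword, so the caller can fall back to the keystore default.
   */
  static char[] resolve(Configuration conf) throws IOException {
    // Deliberately conf.get(), not conf.getPassword(): getPassword() would consult the
    // credential providers and re-enter the very keystore whose password we are resolving
    // (see the getPassword -> getProviders -> createProvider frames in the trace above).
    String fromConf = conf.get(CREDENTIAL_PASSWORD_CONF_KEY);
    if (fromConf != null && !fromConf.isEmpty()) {
      return fromConf.toCharArray();
    }
    return ProviderUtils.locatePassword(CREDENTIAL_PASSWORD_ENV_VAR,
        conf.get(CREDENTIAL_PASSWORD_FILE_KEY));
  }
}
```

Because a value set this way rides along in the job Configuration, it is visible wherever that Configuration is serialized or logged, so the property should be scoped to the engines that actually need it rather than set cluster-wide.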
--
This message was sent by Atlassian Jira
(v8.20.1#820001)