[
https://issues.apache.org/jira/browse/HADOOP-18618?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17686510#comment-17686510
]
ASF GitHub Bot commented on HADOOP-18618:
-----------------------------------------
steveloughran commented on code in PR #5352:
URL: https://github.com/apache/hadoop/pull/5352#discussion_r1101478817
##########
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/CredentialProviderFactory.java:
##########
@@ -72,8 +72,16 @@ public abstract CredentialProvider createProvider(URI
providerName,
public static List<CredentialProvider> getProviders(Configuration conf
) throws IOException {
+ return getProviders(conf, CREDENTIAL_PROVIDER_PATH);
+ }
+
+ public static List<CredentialProvider> getProviders(Configuration conf,
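Review bot: The new public getProviders(Configuration conf, ...) overload at the end of this hunk lets any caller choose which property names the keystore locations, and its body is not shown here, so please confirm that a null or empty property name is rejected at the top of the method. If it is not, add the check (or document that the argument must be non-null) so a caller mistake fails with a clear error instead of partway through provider lookup.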
Review Comment:
needs a javadoc
##########
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/Configuration.java:
##########
@@ -2405,6 +2405,30 @@ public char[] getPassword(String name) throws
IOException {
return pass;
}
+ /**
+ * Get the value for a known password configuration element.
+ * In order to enable the elimination of clear text passwords in config,
+ * this method attempts to resolve the property name as an alias through
+ * the CredentialProvider API and conditionally fallsback to config. This
+ * method accept external provider property name.
+ * @param name property name
+ * @param providerKey provider property name
+ * @return password
+ * @throws IOException when error in fetching password
+ */
+ public char[] getPassword(String name, String providerKey)
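Review bot: The javadoc for getPassword(String name, String providerKey) says the lookup "conditionally fallsback to config" but does not say what happens when providerKey is unset in the configuration or lists no providers: whether the default provider path is consulted, or whether the method goes straight to the clear-text value. Please state that behaviour explicitly, and fix "fallsback" to "falls back" and "This method accept" to "This method accepts".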
Review Comment:
ok. consider this issue resolved.
##########
hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/alias/TestCredentialProviderFactory.java:
##########
@@ -258,6 +259,51 @@ public void testLocalBCFKSProvider() {
assertEquals("Can't create keystore", exception.getMessage());
}
+ @Test
+ public void testCustomKeyProviderProperty() throws Exception {
+ Configuration conf = new Configuration();
+ final String DEFAULT_CREDENTIAL_KEY = "default.credential.key";
+ final char[] DEFAULT_CREDENTIAL_PASSWORD = { 'p', 'a', 's', 's', 'w', 'o',
+ 'r', 'd', '1', '2', '3' };
+
+ final String CUSTOM_CREDENTIAL_PROVIDER_KEY =
+ "fs.cloud.storage.account.key.provider.path";
+ final String CUSTOM_CREDENTIAL_KEY = "custom.credential.key";
+ final char[] CUSTOM_CREDENTIAL_PASSWORD = { 'c', 'u', 's', 't', 'o', 'm',
'.',
+ 'p', 'a', 's', 's', 'w', 'o', 'r', 'd' };
+
+ // Set provider in default credential path property
+ createCredentialProviderPath(conf, "default.jks",
+ CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH,
+ DEFAULT_CREDENTIAL_KEY, DEFAULT_CREDENTIAL_PASSWORD);
+ // Set provider in custom credential path property
+ createCredentialProviderPath(conf, "custom.jks",
+ CUSTOM_CREDENTIAL_PROVIDER_KEY, CUSTOM_CREDENTIAL_KEY,
+ CUSTOM_CREDENTIAL_PASSWORD);
+
+ assertTrue("Password should match for default provider path",
Arrays.equals(
+ conf.getPassword(DEFAULT_CREDENTIAL_KEY),
DEFAULT_CREDENTIAL_PASSWORD));
+
+ assertTrue("Password should match for custom provider path", Arrays.equals(
+ conf.getPassword(CUSTOM_CREDENTIAL_KEY,
CUSTOM_CREDENTIAL_PROVIDER_KEY),
+ CUSTOM_CREDENTIAL_PASSWORD));
+ }
+
+ private void createCredentialProviderPath(Configuration conf, String jksName,
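Review bot: testCustomKeyProviderProperty asserts only the two positive lookups and never checks that the two providers are kept apart. Add assertions that conf.getPassword(CUSTOM_CREDENTIAL_KEY) does not return CUSTOM_CREDENTIAL_PASSWORD through the default path, and that conf.getPassword(DEFAULT_CREDENTIAL_KEY, CUSTOM_CREDENTIAL_PROVIDER_KEY) does not return DEFAULT_CREDENTIAL_PASSWORD; as written, an implementation that searched both keystores on every call would still pass. assertArrayEquals would also give a clearer failure message than assertTrue(..., Arrays.equals(...)).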
Review Comment:
Does the file need cleaning up? If so, the method should return it and a
finally{} clause in the test method should delete it.
> Support custom property for credential provider path
> ----------------------------------------------------
>
> Key: HADOOP-18618
> URL: https://issues.apache.org/jira/browse/HADOOP-18618
> Project: Hadoop Common
> Issue Type: Improvement
> Components: common
> Affects Versions: 3.1.3
> Reporter: Surendra Singh Lilhore
> Assignee: Surendra Singh Lilhore
> Priority: Minor
> Labels: pull-request-available
>
> Hadoop allows the configuration of a credential provider path through the
> property "{*}hadoop.security.credential.provider.path{*}", and the
> {{Configuration#getPassword()}} method retrieves the credentials from this
> provider.
> However, using common credential provider properties for components like
> Hive, HDFS, and MapReduce can cause issues when they want to configure
> separate JCEKS files for credentials. For example, the value in the
> core-site.xml property file can be overridden by the hive-site.xml property
> file. To resolve this, all components should share a common credential
> provider path and add all their credentials.
> Azure storage supports account-specific credentials, and thus the credential
> provider should permit the configuration of separate JCEKS files for each
> account, such as the property
> "{*}fs.azure.account.credential.provider.path.<account>.blob.core.windows.net{*}".
> To accommodate this, the {{Configuration#getPassword()}} method should accept
> a custom property for the credential provider path and retrieve its value.
> The current default property can be overridden to achieve this.
> {code:java}
> public char[] getPassword(String name) throws IOException {
> ......
> ......
> }
> public char[] getPassword(String name, String providerKey) throws IOException
> {
> ......
> ......
> }{code}
>
> One example is the Ambari
> [CustomServiceOrchestrator|https://github.com/apache/ambari/blob/trunk/ambari-agent/src/main/python/ambari_agent/CustomServiceOrchestrator.py#L312]
> service, which overrides the core-site.xml value for other components. This fix is
> very much needed for Ambari.
>
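A small model of the override problem and the per-property fix described in the issue above, added here as an illustration; it is not Hadoop code or code from the PR. Keystores are modelled as dictionaries, and the aliases, keystore paths and the simple "later file overrides earlier" merge are constructed simplifications.

```python
# Simplified model of the credential lookup discussed in HADOOP-18618 (not Hadoop code).
DEFAULT_KEY = "hadoop.security.credential.provider.path"   # property named in the issue
CUSTOM_KEY = "fs.cloud.storage.account.key.provider.path"  # property used in the PR's test

# Constructed stand-ins for JCEKS files: provider path -> {alias: secret}.
HDFS_JCEKS = "jceks://file/constructed/hdfs.jceks"
STORAGE_JCEKS = "jceks://file/constructed/storage.jceks"
KEYSTORES = {
    HDFS_JCEKS: {"hdfs.alias": "hdfs-secret"},
    STORAGE_JCEKS: {"storage.alias": "storage-secret"},
}


def merge(*resources):
    """Merge config resources in load order; a later file overrides an earlier one."""
    conf = {}
    for resource in resources:
        conf.update(resource)
    return conf


def get_password(conf, name, provider_key=DEFAULT_KEY, clear_text_fallback=True):
    """Resolve `name` as an alias in the keystores listed under provider_key,
    then fall back to a clear-text value in the config if that is allowed."""
    for path in filter(None, conf.get(provider_key, "").split(",")):
        secret = KEYSTORES.get(path.strip(), {}).get(name)
        if secret is not None:
            return secret
    return conf.get(name) if clear_text_fallback else None


def shared_property():
    """Both files set the default property: the later file hides the first keystore."""
    conf = merge({DEFAULT_KEY: HDFS_JCEKS}, {DEFAULT_KEY: STORAGE_JCEKS})
    return get_password(conf, "hdfs.alias"), get_password(conf, "storage.alias")


def separate_property():
    """The second component uses its own property, so neither keystore is hidden."""
    conf = merge({DEFAULT_KEY: HDFS_JCEKS}, {CUSTOM_KEY: STORAGE_JCEKS})
    return (
        get_password(conf, "hdfs.alias"),
        get_password(conf, "storage.alias", CUSTOM_KEY),
        get_password(conf, "storage.alias"),  # default path must not see it
    )


if __name__ == "__main__":
    print(shared_property())
    print(separate_property())
```

The third value returned by `separate_property()` is the isolation check: an alias stored only in the custom keystore stays unresolved when looked up through the default property.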