[ https://issues.apache.org/jira/browse/HADOOP-10607?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Larry McCay updated HADOOP-10607:
---------------------------------
Description:
As with the filesystem API, we need to provide a generic mechanism to support
multiple credential storage mechanisms that are potentially from third parties.
We need the ability to eliminate the storage of passwords and secrets in clear
text within configuration files or within code.
Toward that end, I propose an API that is configured using a list of URLs of
CredentialProviders. The implementation will look for implementations using the
ServiceLoader interface and thus support third-party libraries.
Two providers will be included in this patch: one using the credentials cache
in MapReduce jobs and the other using Java KeyStores from either HDFS or the
local file system.
was:
As with the filesystem API, we need to provide a generic mechanism to support
multiple key storage mechanisms that are potentially from third parties.
An additional requirement for long term data lakes is to keep multiple versions
of each key so that keys can be rolled periodically without requiring the
entire data set to be re-written. Rolling keys provides containment in the
event of keys being leaked.
Toward that end, I propose an API that is configured using a list of URLs of
KeyProviders. The implementation will look for implementations using the
ServiceLoader interface and thus support third-party libraries.
Two providers will be included in this patch: one using the credentials cache
in MapReduce jobs and the other using Java KeyStores from either HDFS or the
local file system.
> Create an API to separate Credentials/Password Storage from Applications
> ------------------------------------------------------------------------
>
> Key: HADOOP-10607
> URL: https://issues.apache.org/jira/browse/HADOOP-10607
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Reporter: Larry McCay
> Assignee: Owen O'Malley
> Fix For: 3.0.0
>
>
> As with the filesystem API, we need to provide a generic mechanism to support
> multiple credential storage mechanisms that are potentially from third
> parties.
> We need the ability to eliminate the storage of passwords and secrets in
> clear text within configuration files or within code.
> Toward that end, I propose an API that is configured using a list of URLs of
> CredentialProviders. The implementation will look for implementations using
> the ServiceLoader interface and thus support third-party libraries.
> Two providers will be included in this patch: one using the credentials cache
> in MapReduce jobs and the other using Java KeyStores from either HDFS or
> the local file system.