[ 
https://issues.apache.org/jira/browse/HADOOP-10607?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13997861#comment-13997861
 ] 

Larry McCay commented on HADOOP-10607:
--------------------------------------

Hi [~tucu00] - I considered this for some time and came to the following 
conclusions:

1. they serve similar but different purposes and consumers
2. there is no need for versioning for credentials
3. they need to be able to evolve separately
4. they should be able to converge on some shared code for the pluggable 
providers
5. not all KeyProviders can be used as credential providers
6. credential providers need not add the baggage of the metadata associated 
with keys
7. we do need to make sure that KeyProviders can be plugged in as 
CredentialProviders for when they can serve both purposes

The biggest driver for reusing the KeyProvider API in my mind was #7 and we can 
address that with an adapter for when a particular KeyProvider would fit well 
as a credential provider as well.

What do you think?

> Create an API to Separate Credentials/Password Storage from Applications
> ------------------------------------------------------------------------
>
>                 Key: HADOOP-10607
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10607
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>             Fix For: 3.0.0
>
>         Attachments: 10607.patch
>
>
> As with the filesystem API, we need to provide a generic mechanism to support 
> multiple credential storage mechanisms that are potentially from third 
> parties. 
> We need the ability to eliminate the storage of passwords and secrets in 
> clear text within configuration files or within code.
> Toward that end, I propose an API that is configured using a list of URLs of 
> CredentialProviders. The implementation will look for implementations using 
> the ServiceLoader interface and thus support third party libraries.
> Two providers will be included in this patch. One using the credentials cache 
> in MapReduce jobs and the other using Java KeyStores from either HDFS or 
> local file system. 
> A CredShell CLI will also be included in this patch which provides the 
> ability to manage the credentials within the stores.
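As an added illustration of the design the description sketches (a provider path made of URLs, implementations discovered through ServiceLoader, a Java KeyStore-backed store) and of the adapter Larry proposes for point 7, here is a small Java program; it is example code written for this page, not 10607.patch or Hadoop's own API. The type names CredentialProvider, CredentialProviderFactory, JavaKeyStoreProvider, KeyProviderCredentialAdapter and CredentialProviders, the "jceks" scheme and the CREDSTORE_PASSWORD environment variable are all assumed for the example, and the KeyProvider interface is a one-method stand-in for a key-management API, not Hadoop's KeyProvider. Save it as CredentialProviderDemo.java and run it with `java CredentialProviderDemo.java` (JDK 11 or later).

```java
import java.io.*;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.util.*;
import javax.crypto.spec.SecretKeySpec;

public class CredentialProviderDemo {
    public static void main(String[] args) throws IOException {
        Path store = Files.createTempDirectory("creds").resolve("creds.jceks"); // created on flush()
        String providerPath = "jceks://file" + store.toAbsolutePath();
        CredentialProvider writer = CredentialProviders.fromPath(providerPath).get(0);
        writer.createCredential("db.password", "s3cr3t-constructed".toCharArray()); // constructed value
        writer.flush();
        // Resolve again so the value is read back from the keystore file, then append an adapted KeyProvider.
        List<CredentialProvider> providers = CredentialProviders.fromPath(providerPath);
        providers.add(new KeyProviderCredentialAdapter(n -> n.equals("api.token") ? "tok-constructed".getBytes(StandardCharsets.UTF_8) : null));
        for (String alias : List.of("db.password", "api.token", "missing")) {
            char[] v = CredentialProviders.lookup(providers, alias);
            System.out.println(alias + " -> " + (v == null ? "(not found)" : new String(v)));
            if (v != null) Arrays.fill(v, '\0');               // wipe secrets once consumed
        }
    }
}

// Store contract: no key versions and no key metadata (points 2 and 6 in the comment above).
interface CredentialProvider {
    char[] getCredential(String alias) throws IOException;            // null when the alias is unknown
    void createCredential(String alias, char[] credential) throws IOException;
    void flush() throws IOException;
}
// Third parties list an implementation in META-INF/services/CredentialProviderFactory for ServiceLoader.
interface CredentialProviderFactory { CredentialProvider createProvider(URI uri) throws IOException; } // null if scheme not handled

// Provider backed by a Java KeyStore (JCEKS): each credential is stored as one secret-key entry.
class JavaKeyStoreProvider implements CredentialProvider {
    private final Path path; private final char[] password; private final KeyStore ks;
    JavaKeyStoreProvider(Path path, char[] password) throws IOException {
        this.path = path; this.password = password;
        try (InputStream in = Files.exists(path) ? Files.newInputStream(path) : null) {
            ks = KeyStore.getInstance("JCEKS");
            ks.load(in, password);                             // a null stream creates an empty store
        } catch (GeneralSecurityException e) { throw new IOException("cannot open " + path, e); }
    }
    public char[] getCredential(String alias) throws IOException {
        try {
            Key k = ks.getKey(alias, password);
            return k == null ? null : new String(k.getEncoded(), StandardCharsets.UTF_8).toCharArray();
        } catch (GeneralSecurityException e) { throw new IOException(e); }
    }
    public void createCredential(String alias, char[] credential) throws IOException {
        byte[] raw = new String(credential).getBytes(StandardCharsets.UTF_8);
        try { ks.setKeyEntry(alias, new SecretKeySpec(raw, "AES"), password, null); }
        catch (GeneralSecurityException e) { throw new IOException(e); }
    }
    public void flush() throws IOException {
        try (OutputStream out = Files.newOutputStream(path)) { ks.store(out, password); }
        catch (GeneralSecurityException e) { throw new IOException(e); }
    }
}

// Stand-in for a key-management API (hypothetical); real KeyProviders add versions and metadata.
interface KeyProvider { byte[] getCurrentKeyMaterial(String name) throws IOException; }
// Point 7: a KeyProvider that fits the purpose is plugged in as a read-only CredentialProvider.
class KeyProviderCredentialAdapter implements CredentialProvider {
    private final KeyProvider keys; KeyProviderCredentialAdapter(KeyProvider k) { keys = k; }
    public char[] getCredential(String alias) throws IOException {
        byte[] m = keys.getCurrentKeyMaterial(alias);
        return m == null ? null : new String(m, StandardCharsets.UTF_8).toCharArray();
    }
    public void createCredential(String a, char[] c) { throw new UnsupportedOperationException("read-only"); }
    public void flush() { }
}

// Resolves "uri,uri,..." with the built-in jceks factory plus any ServiceLoader-discovered ones.
class CredentialProviders {
    static final CredentialProviderFactory JCEKS = uri -> {
        if (!"jceks".equals(uri.getScheme())) return null;
        String env = System.getenv("CREDSTORE_PASSWORD");      // hypothetical variable; never put it in the URI
        return new JavaKeyStoreProvider(Paths.get(uri.getPath()), (env == null ? "none" : env).toCharArray());
    };
    static List<CredentialProvider> fromPath(String providerPath) throws IOException {
        List<CredentialProviderFactory> factories = new ArrayList<>(List.of(JCEKS));
        ServiceLoader.load(CredentialProviderFactory.class).forEach(factories::add);
        List<CredentialProvider> providers = new ArrayList<>();
        for (String s : providerPath.split(",")) {
            URI uri = URI.create(s.trim());
            CredentialProvider p = null;
            for (CredentialProviderFactory f : factories) if ((p = f.createProvider(uri)) != null) break;
            if (p == null) throw new IOException("no CredentialProviderFactory handles " + uri);
            providers.add(p);
        }
        return providers;
    }
    static char[] lookup(List<CredentialProvider> providers, String alias) throws IOException {
        for (CredentialProvider p : providers) { char[] c = p.getCredential(alias); if (c != null) return c; }
        return null;
    }
}
```

The built-in jceks factory is added explicitly so the program runs without a META-INF/services file; a third-party jar on the classpath that registers its own CredentialProviderFactory is picked up by the ServiceLoader call and consulted for schemes the built-in one declines. Two caveats worth keeping in mind when deploying something along these lines: the keystore password is itself a secret, and a fixed default such as "none" only obscures the store's contents, so the environment variable (or an equivalent out-of-band source) should always be set; and a provider path is consulted in order, so the first store that knows an alias wins, which is why the adapted KeyProvider is appended after the keystore here rather than before it.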



--
This message was sent by Atlassian JIRA
(v6.2#6252)
