[jira] [Commented] (HADOOP-10607) Create an API to Separate Credentials/Password Storage from Applications

Thu, 15 May 2014 16:44:19 -0700 

    [ 
https://issues.apache.org/jira/browse/HADOOP-10607?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13998452#comment-13998452
 ] 

Larry McCay commented on HADOOP-10607:
--------------------------------------

Yes, this is true - though the KeyStore API contains a lot of stuff unrelated 
to what we actually need.
It is a perfectly valid implementation to plug in as a provider type but 
forcing the API on all stores seems unnecessary.

SafeNet and RSA do not limit their offerings to the KeyStore API - they do 
provide it as a way to plugin for those that would like to use that as the 
integration and would be able to plugin with the JavaKeystoreProvider in this 
API.

Others however offer REST APIs for acquiring secrets and having to wrap that 
access in a KeyStore implementation just doesn't feel right. Especially when 
you would have to stub out the unnecessary methods.

> Create an API to Separate Credentials/Password Storage from Applications
> ------------------------------------------------------------------------
>
>                 Key: HADOOP-10607
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10607
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>             Fix For: 3.0.0
>
>         Attachments: 10607.patch
>
>
> As with the filesystem API, we need to provide a generic mechanism to support 
> multiple credential storage mechanisms that are potentially from third 
> parties. 
> We need the ability to eliminate the storage of passwords and secrets in 
> clear text within configuration files or within code.
> Toward that end, I propose an API that is configured using a list of URLs of 
> CredentialProviders. The implementation will look for implementations using 
> the ServiceLoader interface and thus support third party libraries.
> Two providers will be included in this patch. One using the credentials cache 
> in MapReduce jobs and the other using Java KeyStores from either HDFS or 
> local file system. 
> A CredShell CLI will also be included in this patch which provides the 
> ability to manage the credentials within the stores.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to