[
https://issues.apache.org/jira/browse/HADOOP-10607?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14010422#comment-14010422
]
Larry McCay commented on HADOOP-10607:
--------------------------------------
So, you are suggesting that we have a backward compatibility provider that
always returns the provided alias name as the credential value? In other words,
it is a clear text provider.
I think that I have 2 issues with that:
1. If there are well-known alias/credential pairs that are in the credential
store that don't have configuration elements that they will also just return
the provided name as the value?
2. There would never be a valid use case where one configuration element is
backward compatible clear text and another is an alias that must be resolved?
Being able to incrementally change them or to be able to test in development
when adding something new seems valuable.
Essentially, it is a pretty big switch to throw - all or nothing.
> Create an API to Separate Credentials/Password Storage from Applications
> ------------------------------------------------------------------------
>
> Key: HADOOP-10607
> URL: https://issues.apache.org/jira/browse/HADOOP-10607
> Project: Hadoop Common
> Issue Type: New Feature
> Components: security
> Reporter: Larry McCay
> Assignee: Larry McCay
> Fix For: 3.0.0
>
> Attachments: 10607-2.patch, 10607-3.patch, 10607-4.patch,
> 10607-5.patch, 10607.patch
>
>
> As with the filesystem API, we need to provide a generic mechanism to support
> multiple credential storage mechanisms that are potentially from third
> parties.
> We need the ability to eliminate the storage of passwords and secrets in
> clear text within configuration files or within code.
> Toward that end, I propose an API that is configured using a list of URLs of
> CredentialProviders. The implementation will look for implementations using
> the ServiceLoader interface and thus support third party libraries.
> Two providers will be included in this patch. One using the credentials cache
> in MapReduce jobs and the other using Java KeyStores from either HDFS or
> local file system.
> A CredShell CLI will also be included in this patch which provides the
> ability to manage the credentials within the stores.