[ https://issues.apache.org/jira/browse/HADOOP-10607?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14011679#comment-14011679 ]

Larry McCay commented on HADOOP-10607:
--------------------------------------

Okay, let's summarize an approach here...

If we have a ConfigurationCredentialProvider that simply looks for the 
credential in configuration then:
* this can be the default provider which will allow for passwords in clear text 
and work out of the box
* we can place a real credential provider in front of it in the provider path 
and allow for password aliases to be resolved and then fall back to 
Configuration

If we add a new method to Configuration - getPassword(String name) then:
* we essentially extend the configuration file to include the credentials 
available through the provider API
* we will leverage the CredentialProvider API to get the password whether it be 
in a store or in the configuration file without the consuming code or even the 
Configuration code knowing where it comes from

If we leverage the existing configuration property names as the aliases into 
the credential store then:
* we can simply remove the password config elements from files when not in 
clear text or
* add a value of ALIASED or something that indicates that the value is 
elsewhere (in case the property is mandatory for some elements)

Is this accurate?
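
A sketch of the provider path described in this comment, added here as an illustration and not code from the Hadoop patch: a store-backed provider is consulted first, the ConfigurationCredentialProvider is the fallback, the configuration property name doubles as the alias, and the marker value ALIASED indicates the secret is held elsewhere. All class names, the property names and the secrets are constructed for the example.

```java
import java.util.*;

// Provider contract: return the secret for an alias, or null when this provider
// does not hold it so that the next provider in the path can be tried.
interface CredentialProvider {
    char[] getCredential(String alias);
}

// Stand-in for a real store (e.g. a Java KeyStore); the map is constructed sample data.
class StoreCredentialProvider implements CredentialProvider {
    private final Map<String, char[]> store;
    StoreCredentialProvider(Map<String, char[]> store) { this.store = store; }
    public char[] getCredential(String a) { char[] v = store.get(a); return v == null ? null : v.clone(); }
}

// Proposed default provider: resolves the alias as a clear-text configuration property,
// treating the marker value ALIASED as "stored elsewhere" so the lookup falls through.
class ConfigurationCredentialProvider implements CredentialProvider {
    private final Map<String, String> props;
    ConfigurationCredentialProvider(Map<String, String> props) { this.props = props; }
    public char[] getCredential(String alias) {
        String v = props.get(alias);
        return (v == null || "ALIASED".equals(v)) ? null : v.toCharArray();
    }
}

// Minimal model of the proposed Configuration.getPassword(name): walk the provider
// path in order; the caller never learns whether a store or the config file answered.
class Configuration {
    final Map<String, String> props = new HashMap<>();
    private final List<CredentialProvider> providerPath = new ArrayList<>();
    void addProvider(CredentialProvider p) { providerPath.add(p); }
    char[] getPassword(String name) {
        for (CredentialProvider p : providerPath) {
            char[] pw = p.getCredential(name);
            if (pw != null) return pw;
        }
        return null; // no provider in the path knows this name
    }
}

public class CredentialChainDemo {
    public static void main(String[] args) {
        Configuration conf = new Configuration();
        conf.props.put("ssl.server.keystore.password", "ALIASED"); // value lives in the store
        conf.props.put("legacy.db.password", "clear-text-pw");    // still clear text in config
        Map<String, char[]> store = new HashMap<>();
        store.put("ssl.server.keystore.password", "k3yst0re".toCharArray());
        conf.addProvider(new StoreCredentialProvider(store));              // real store first
        conf.addProvider(new ConfigurationCredentialProvider(conf.props)); // config as fallback
        System.out.println(new String(conf.getPassword("ssl.server.keystore.password"))); // k3yst0re
        System.out.println(new String(conf.getPassword("legacy.db.password")));           // clear-text-pw
    }
}
```

Removing the ALIASED entry from conf.props changes nothing for the resolved value, which is the "simply remove the password config elements" option above; the marker only matters where a consumer insists the property be present.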

> Create an API to Separate Credentials/Password Storage from Applications
> ------------------------------------------------------------------------
>
>                 Key: HADOOP-10607
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10607
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>             Fix For: 3.0.0
>
>         Attachments: 10607-2.patch, 10607-3.patch, 10607-4.patch, 
> 10607-5.patch, 10607.patch
>
>
> As with the filesystem API, we need to provide a generic mechanism to support 
> multiple credential storage mechanisms that are potentially from third 
> parties. 
> We need the ability to eliminate the storage of passwords and secrets in 
> clear text within configuration files or within code.
> Toward that end, I propose an API that is configured using a list of URLs of 
> CredentialProviders. The implementation will look for implementations using 
> the ServiceLoader interface and thus support third party libraries.
> Two providers will be included in this patch. One using the credentials cache 
> in MapReduce jobs and the other using Java KeyStores from either HDFS or 
> local file system. 
> A CredShell CLI will also be included in this patch which provides the 
> ability to manage the credentials within the stores.

--
This message was sent by Atlassian JIRA
(v6.2#6252)