[
https://issues.apache.org/jira/browse/HADOOP-10607?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14069417#comment-14069417
]
Alejandro Abdelnur commented on HADOOP-10607:
---------------------------------------------
[~lmccay], in
[HADOOP-10791|https://issues.apache.org/jira/browse/HADOOP-10791?focusedCommentId=14053983&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14053983]
you commented:
bq. So, how does the signature get validated if it is a randomized secret? It
has to be stored somewhere, no? If the random impl eliminates storing clear
text secrets for this then we may not need the credential api impl after all.
Just to be clear, I'm not opposed to the UserCredentials API. I'm opposed to
making it part of a release and of a public Hadoop API if there is no use in
Hadoop itself. If this ends being the case, their home may be a project that
uses it.
Larry, maybe it would help if you explain the current use case for this API and
why is convenient to have it in Hadoop while not being used in Hadoop. In case
there such use case?
> Create an API to Separate Credentials/Password Storage from Applications
> ------------------------------------------------------------------------
>
> Key: HADOOP-10607
> URL: https://issues.apache.org/jira/browse/HADOOP-10607
> Project: Hadoop Common
> Issue Type: New Feature
> Components: security
> Reporter: Larry McCay
> Assignee: Larry McCay
> Fix For: 3.0.0, 2.6.0
>
> Attachments: 10607-10.patch, 10607-11.patch, 10607-12.patch,
> 10607-2.patch, 10607-3.patch, 10607-4.patch, 10607-5.patch, 10607-6.patch,
> 10607-7.patch, 10607-8.patch, 10607-9.patch, 10607-branch-2.patch, 10607.patch
>
>
> As with the filesystem API, we need to provide a generic mechanism to support
> multiple credential storage mechanisms that are potentially from third
> parties.
> We need the ability to eliminate the storage of passwords and secrets in
> clear text within configuration files or within code.
> Toward that end, I propose an API that is configured using a list of URLs of
> CredentialProviders. The implementation will look for implementations using
> the ServiceLoader interface and thus support third party libraries.
> Two providers will be included in this patch. One using the credentials cache
> in MapReduce jobs and the other using Java KeyStores from either HDFS or
> local file system.
> A CredShell CLI will also be included in this patch which provides the
> ability to manage the credentials within the stores.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
