[ 
https://issues.apache.org/jira/browse/HADOOP-10607?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14079519#comment-14079519
 ] 

Larry McCay commented on HADOOP-10607:
--------------------------------------

Thanks for the additional examples, [[email protected]].
[~tucu00] - we have provided examples of where it will be used in hadoop core 
already.
The HADOOP-10791 jira may or may not make it easier to provide an 
implementation that doesn't store the secret in clear text anywhere. If this is 
provided in an acceptable way without the credential provider then we may not 
need it there. Otherwise, we may truly need to uptake it in hadoop auth. We 
need to determine whether random secrets kept only in memory are acceptable for 
eliminating the storage of clear text secrets. As you pointed out on 10791, we 
may need to find a way to uptake either the credential provider or key provider 
API without pulling in burdensome dependencies.

In the meantime, I will also be looking at addressing the SSL configuration 
that currently stores clear text passwords and other places.

> Create an API to Separate Credentials/Password Storage from Applications
> ------------------------------------------------------------------------
>
>                 Key: HADOOP-10607
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10607
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>             Fix For: 3.0.0, 2.6.0
>
>         Attachments: 10607-10.patch, 10607-11.patch, 10607-12.patch, 
> 10607-2.patch, 10607-3.patch, 10607-4.patch, 10607-5.patch, 10607-6.patch, 
> 10607-7.patch, 10607-8.patch, 10607-9.patch, 10607-branch-2.patch, 10607.patch
>
>
> As with the filesystem API, we need to provide a generic mechanism to support 
> multiple credential storage mechanisms that are potentially from third 
> parties. 
> We need the ability to eliminate the storage of passwords and secrets in 
> clear text within configuration files or within code.
> Toward that end, I propose an API that is configured using a list of URLs of 
> CredentialProviders. The implementation will look for implementations using 
> the ServiceLoader interface and thus support third party libraries.
> Two providers will be included in this patch. One using the credentials cache 
> in MapReduce jobs and the other using Java KeyStores from either HDFS or 
> local file system. 
> A CredShell CLI will also be included in this patch which provides the 
> ability to manage the credentials within the stores.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
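The API the quoted description sketches, shown as an added example (not code from the HADOOP-10607 patch or from the Hadoop code base): a small Java client that stores one secret in a JCEKS-backed provider and then resolves it through `Configuration.getPassword`, so the value never has to sit in clear text in `ssl-server.xml`. It assumes Hadoop Common 2.6.0 or later on the classpath (the release the ticket lists under Fix For); the keystore location `jceks://file/tmp/example.jceks` and the sample secret are assumptions made for the example.

```java
// Added example; not from the HADOOP-10607 patch or the Hadoop code base.
// Assumes Hadoop Common 2.6.0+ (org.apache.hadoop.security.alias) on the classpath.
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.alias.CredentialProvider;
import org.apache.hadoop.security.alias.CredentialProviderFactory;

public class CredentialProviderExample {

    // The alias is the property name that ssl-server.xml otherwise carries
    // in clear text; getPassword looks the alias up by that same name.
    static final String ALIAS = "ssl.server.keystore.password";

    // Assumed keystore location for this example. jceks://hdfs/... also works,
    // and several provider URLs may be comma-separated; they are tried in order.
    static final String PROVIDER_PATH = "jceks://file/tmp/example.jceks";

    /** Store a secret once; this is what the CredShell CLI does interactively. */
    static void storeSecret(Configuration conf, char[] secret) throws IOException {
        List<CredentialProvider> providers = CredentialProviderFactory.getProviders(conf);
        if (providers.isEmpty()) {
            throw new IOException("no provider configured under "
                + CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH);
        }
        CredentialProvider p = providers.get(0);
        // createCredentialEntry refuses to overwrite an existing alias.
        if (p.getCredentialEntry(ALIAS) != null) {
            p.deleteCredentialEntry(ALIAS);
        }
        p.createCredentialEntry(ALIAS, secret);
        p.flush();                       // persist the keystore
        Arrays.fill(secret, '\0');       // scrub the caller's copy
    }

    /** Resolve a secret the way application code should after HADOOP-10607. */
    static char[] readSecret(Configuration conf) throws IOException {
        // getPassword consults every provider in the path first and only then
        // falls back to a clear-text value stored under the same key in conf.
        char[] pw = conf.getPassword(ALIAS);
        if (pw == null) {
            throw new IOException("alias " + ALIAS + " not found in any provider");
        }
        return pw;
    }

    public static void main(String[] args) throws IOException {
        Configuration conf = new Configuration();
        conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, PROVIDER_PATH);

        // Sample secret, constructed for the example.
        storeSecret(conf, "s3cr3t-from-operator".toCharArray());

        char[] pw = readSecret(conf);
        try {
            // Hand pw to KeyStore.load / SSLFactory; never write it to a log line.
            System.out.println("resolved " + pw.length + " characters for " + ALIAS);
        } finally {
            Arrays.fill(pw, '\0');
        }
    }
}
```

The CLI equivalent of `storeSecret` is `hadoop credential create ssl.server.keystore.password -provider jceks://file/tmp/example.jceks`, which prompts for the value. One caveat worth checking in any deployment: the JCEKS file is itself protected by a keystore password, which the Java KeyStore provider reads from the `HADOOP_CREDSTORE_PASSWORD` environment variable or from the file named by `hadoop.security.credstore.java-keystore-provider.password-file`, and falls back to a fixed default when neither is set. That bootstrap secret is exactly the "clear text somewhere" problem the comment above is still working through, so its storage and permissions deserve the same review as the passwords it protects.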
