Larry McCay commented on YARN-2373:

Hi [~vvasudev] - thanks for the review and the good questions:

bq. 1. For the null case(where the WebAppUtils.getPassword() returns null), 
should we add a warning or an audit log that someone was trying to get a 
password that was null?

There was no such log or audit record in that case before adding the additional 
check for an alias in credential provider - so I didn't add anything new for 
it. It probably would be a good idea to do so - I don't know that this change 
makes it any more necessary though. Your question raises an interesting point 
for the Configuration.getPassword implementation though. I think that it would 
make sense to log a failure to get a password if there is no provisioned alias 
and it is configured to not allow fallback to config. We don't currently do 
that - it will just return null. I think we should file a separate jira for 

bq. 2. Will you update documentation in another ticket(just to let users know 
that they can use a CredentialProvider instead of using plain text)?

We could do that. There is a jira for adding credential provider api 
documentation already are you thinking that it needs to have YARN specific 
documentation as well?

bq. Missed one more question - are you taking care of changes to ssl-client.xml 
as well?

This is a good point. I will have to track down those usages as well and file 
separate jiras.

Are any of these questions/answers blockers for this patch?

Thanks again for the review!

> WebAppUtils Should Use configuration.getPassword for Accessing SSL Passwords
> ----------------------------------------------------------------------------
>                 Key: YARN-2373
>                 URL: https://issues.apache.org/jira/browse/YARN-2373
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: Larry McCay
>         Attachments: YARN-2373.patch, YARN-2373.patch, YARN-2373.patch
> As part of HADOOP-10904, this jira represents a change to WebAppUtils to 
> uptake the use of the credential provider API through the new method on 
> Configuration called getPassword.
> This provides an alternative to storing the passwords in clear text within 
> the ssl-server.xml file while maintaining backward compatibility with that 
> behavior.

This message was sent by Atlassian JIRA

Reply via email to