Bug in SSLFactory to use CredentialProvider API?

Thu, 12 Jan 2017 23:36:00 -0800 

Hi gurus,

I am testing CredentialProvider with KMS: populated the credentials file,
added
"hadoop.security.credential.provider.path" to core-site.xml, but "hadoop
key list" failed due to incorrect password. So I added
"hadoop.security.credential.provider.path" to ssl-client.xml, "hadoop key
list" worked! Really strange.

In the SSLFactory constructor, a new Configuration "sslConf" that only
reads "ssl-client.xml" or "ssl-server.xml" is passed to
FileBasedKeyStoresFactory which calls Configuration.getPassword() to
initialize, but "sslConf" does not contain the property
"hadoop.security.credential.provider.path" because it is usually added to
"core-site.xml" or component site xml. Is this a known bug? JIRA is down :(
 Did I miss something?

  public SSLFactory(Mode mode, Configuration conf) {
>     ...
>     Configuration sslConf = readSSLConfiguration(mode);
>     Class<? extends KeyStoresFactory> klass
>       = conf.getClass(KEYSTORES_FACTORY_CLASS_KEY,
>                       FileBasedKeyStoresFactory.class,
> KeyStoresFactory.class);
>     keystoresFactory = ReflectionUtils.newInstance(klass, sslConf);


Backtrace for "hadoop key list":
* getProviders:76, CredentialProviderFactory
{org.apache.hadoop.security.alias}
* getPasswordFromCredentialProviders:2048, Configuration
{org.apache.hadoop.conf}
* getPassword:2027, Configuration {org.apache.hadoop.conf}
* getPassword:240, FileBasedKeyStoresFactory
{org.apache.hadoop.security.ssl}
* init:203, FileBasedKeyStoresFactory {org.apache.hadoop.security.ssl}
* init:187, SSLFactory {org.apache.hadoop.security.ssl}
* :442, KMSClientProvider {org.apache.hadoop.crypto.key.kms}
* createProvider:350, KMSClientProvider$Factory
{org.apache.hadoop.crypto.key.kms}
* createProvider:341, KMSClientProvider$Factory
{org.apache.hadoop.crypto.key.kms}
* get:96, KeyProviderFactory {org.apache.hadoop.crypto.key}
* getProviders:68, KeyProviderFactory {org.apache.hadoop.crypto.key}
* getKeyProvider:181, KeyShell$Command {org.apache.hadoop.crypto.key}
* validate:230, KeyShell$ListCommand {org.apache.hadoop.crypto.key}
* run:71, CommandShell {org.apache.hadoop.tools}
* run:76, ToolRunner {org.apache.hadoop.util}
* main:478, KeyShell {org.apache.hadoop.crypto.key}

SSLFactory is created by:
* LogLevel
* Fetcher
* KMSClientProvider (used by "hadoop key" command)
* URLConnectionFactory
* ShuffleHandler
* TimelineClientImpl
* DatanodeHttpServer
So many commands or servers may be affected if this is a real issue.

Thanks,
John Zhuge
Software Engineer, Cloudera

Reply via email to