[jira] [Commented] (HADOOP-12846) Credential Provider Recursive Dependencies

[Larry McCay (JIRA)]

    [ 
https://issues.apache.org/jira/browse/HADOOP-12846?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15169716#comment-15169716
 ] 

Larry McCay commented on HADOOP-12846:
--------------------------------------

Given a configuration (command line) such as -D 
hadoop.security.credential.provider.path=jceks://wasb/user/hrt_qa/sqoopdbpasswd.jceks
 this would result in a infinite loop. With a call to 
ProviderUtils.excludeCredentialProviderTypes(",?jceks://wasb.*,?") this would 
result in a new configuration object that had no providers in it and therefore 
no incompatibility at the integration point that looks up access keys. It would 
therefore avoid the infinite loop.

I will have a patch available at some point later today or this evening.

> Credential Provider Recursive Dependencies
> ------------------------------------------
>
>                 Key: HADOOP-12846
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12846
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>
> There are a few credential provider integration points in which the use of a 
> certain type of provider in a certain filesystem causes a recursive infinite 
> loop. 
> For instance, a component such as sqoop can be protecting a db password in a 
> credential provider within the wasb/azure filesystem. Now that HADOOP-12555 
> has introduced the ability to protect the access keys for wasb we suddenly 
> need access to wasb to get the database keys which initiates the attempt to 
> get the access keys from wasb - since there is a provider path configured for 
> sqoop.
> For such integrations, those in which it doesn't make sense to protect the 
> access keys inside the thing that we need the keys to access, we need a 
> solution to avoid this recursion - other than dictating what filesystems can 
> be used by other components.
> This patch proposes the ability to scrub the configured provider path of any 
> provider types that would be incompatible with the integration point. In 
> other words, before calling Configuration.getPassword for the access keys to 
> wasb, we can remove any configured providers that require access to wasb.
> This will require some regex expressions that can be used to identify the 
> configuration of such provider uri's within the provider path parameter.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)