[ https://issues.apache.org/jira/browse/HADOOP-9534?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Larry McCay updated HADOOP-9534:
--------------------------------

    Attachment: HADOOP-9534.patch

Latest patch revision.

> Credential Management Framework (CMF)
> -------------------------------------
>
>                 Key: HADOOP-9534
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9534
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Larry McCay
>              Labels: patch
>         Attachments: 0001-HADOOP-9534-Credential-Management-Framework-initial-.patch, 0002-HADOOP-9534-Credential-Management-Framework-second-iteration-.patch, HADOOP-9534.patch, HADOOP-9534.patch
>
>   Original Estimate: 504h
>  Remaining Estimate: 504h
>
> The credential management framework consists of a library for securing, acquiring and rolling credentials for a given Hadoop service.
> Specifically the library will provide:
> 1. Password Indirection or Aliasing
> 2. Management of identity and trust keystores
> 3. Rolling of key pairs and credentials
> 4. Discovery of externally provisioned credentials
> 5. Service specific CMF secret protection
> 6. Syntax for Aliases within configuration files
>
> Password Indirection or Aliasing:
> By providing alias based access to actual secrets stored within a service specific JCEKS keystore, we are able to eliminate the need for any secret to be stored in clear text on the filesystem. This is a current red flag during security reviews for many customers.
>
> Management of Identity and Trust Keystores:
> Service specific identity and trust keystores will be managed by a combination of the HSSO service and CMF.
> Upon registration with the HSSO service a dependent service will be able to discover externally provisioned keystores or have them created by the HSSO service on its behalf. The public key of the HSSO service will be provided to the service to be imported into its service specific trust store.
> Service specific keystores and credential stores will be protected with the service specific CMF secret.
> Rolling of Keypairs and Credentials:
> The ability to automate the rolling of PKI keypairs and credentials provides the services a common facility for discovering new HSSO public keys and the need and means to roll their own credentials while being able to retain a number of previous values (as needed).
>
> Discovery of Externally Provisioned Credentials:
> For environments that want control over the certificate generation and provisioning, CMF provides the ability to discover pre-provisioned artifacts based on naming conventions of the artifacts and the use of the service specific CMF secret to access the credentials within the keystores.
>
> Service Specific CMF Secret Protection:
> By providing a common facility to prompt for and optionally persist a service specific CMF secret at service installation/startup, we enable the ability to protect all the service specific security artifacts with this protected secret. It is protected with a combination of AES 128 bit encryption and file permissions set for only the service specific OS user.
>
> Syntax for Aliases within configuration files:
> In order to facilitate the use of aliases but also preserve backward compatibility of config files, we will introduce a syntax for marking a value in a configuration file as an alias. A getSecret(String value) type utility method will encapsulate the recognition and parsing of an alias and the retrieval from CMF or return the provided value as the password.
> For instance, if a properties file were to require a password to be provided instead of:
> passwd=supersecret
> we would provide an alias as such:
> passwd=${ALIAS=supersecret}
> At runtime, the value from the properties file is provided to the CMF.getSecret(value) method and it either resolves the alias (where it finds the alias syntax) or returns the value (when there is no alias syntax).

--
This message is automatically generated by JIRA.
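The alias indirection and CMF-secret-protected credential store described in the quoted issue, worked through as an added example. This is illustration code written for this page, not the HADOOP-9534 patch or any Hadoop class: the class name AliasDemo, the helper names putSecret and save, the alias name db.passwd and the CMF secret value are all assumptions. It shows the two halves of the design together: a getSecret(String value) that only treats a value matching ${ALIAS=name} as an alias and returns anything else unchanged (the backward-compatibility property), and a JCEKS store whose entries are unlocked with the service-specific CMF secret and whose file is restricted to the owning OS user.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.spec.SecretKeySpec;

/**
 * Hypothetical sketch of the ${ALIAS=...} indirection described in HADOOP-9534.
 * Not the project's code: class, helper and alias names are assumptions.
 */
public class AliasDemo {

    // The whole value must be ${ALIAS=name}; anything else is a literal password.
    private static final Pattern ALIAS = Pattern.compile("^\\$\\{ALIAS=([A-Za-z0-9._-]+)\\}$");

    /** Resolve a config value: alias -> keystore lookup, otherwise return the value as given. */
    static String getSecret(String value, KeyStore store, char[] cmfSecret)
            throws GeneralSecurityException {
        if (value == null) {
            return null;
        }
        Matcher m = ALIAS.matcher(value.trim());
        if (!m.matches()) {
            return value;                              // legacy clear-text value, unchanged
        }
        String alias = m.group(1);
        Key key = store.getKey(alias, cmfSecret);      // null when the alias is not in the store
        if (key == null) {
            throw new GeneralSecurityException("no credential stored for alias '" + alias + "'");
        }
        return new String(key.getEncoded(), StandardCharsets.UTF_8);
    }

    /** Store a secret under an alias as a SecretKey entry, which a JCEKS store permits. */
    static void putSecret(KeyStore store, String alias, String secret, char[] cmfSecret)
            throws GeneralSecurityException {
        byte[] material = secret.getBytes(StandardCharsets.UTF_8);
        store.setKeyEntry(alias, new SecretKeySpec(material, "AES"), cmfSecret, null);
    }

    /** Write the store under the CMF secret and restrict the file to the service OS user. */
    static void save(KeyStore store, Path file, char[] cmfSecret)
            throws GeneralSecurityException, IOException {
        try (FileOutputStream out = new FileOutputStream(file.toFile())) {
            store.store(out, cmfSecret);
        }
        try {
            Files.setPosixFilePermissions(file, PosixFilePermissions.fromString("rw-------"));
        } catch (UnsupportedOperationException e) {
            // Non-POSIX filesystem: only the store's own password protection applies.
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a CMF secret (in practice prompted for at install/startup)
        // and a service credential store in a temporary file.
        char[] cmfSecret = "service-cmf-secret".toCharArray();
        Path file = Files.createTempFile("service-creds", ".jceks");

        KeyStore store = KeyStore.getInstance("JCEKS");
        store.load(null, cmfSecret);                   // fresh, empty store
        putSecret(store, "db.passwd", "supersecret", cmfSecret);
        save(store, file, cmfSecret);

        // A service reloads the store at startup with the same CMF secret.
        KeyStore reloaded = KeyStore.getInstance("JCEKS");
        try (FileInputStream in = new FileInputStream(file.toFile())) {
            reloaded.load(in, cmfSecret);
        }

        // Constructed properties: one aliased value, one legacy clear-text value.
        Properties props = new Properties();
        props.setProperty("passwd", "${ALIAS=db.passwd}");
        props.setProperty("legacy.passwd", "plainvalue");

        System.out.println("passwd        -> " + getSecret(props.getProperty("passwd"), reloaded, cmfSecret));
        System.out.println("legacy.passwd -> " + getSecret(props.getProperty("legacy.passwd"), reloaded, cmfSecret));

        Files.deleteIfExists(file);
    }
}
```

Two practitioner notes on this sketch. The alias pattern is anchored to the whole value and restricted to a conservative character set, so a literal password that merely contains "${" is still returned as a literal rather than triggering a lookup. And the protection of entries inside a JCEKS file is whatever the JDK's JCEKS implementation applies under the store password; the AES 128 bit encryption the issue mentions protects the persisted CMF secret itself and is a separate layer not shown here.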