[
https://issues.apache.org/jira/browse/HADOOP-10607?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14069434#comment-14069434
]
Larry McCay commented on HADOOP-10607:
--------------------------------------
Sorry, I didn't mean to imply that that is the only usecase inside of hadoop
that we have requirements for. The fact is that there are a number of places
within hadoop that rely solely on file permissions being set properly. This
will meet security policy requirements for some deployments and auditors but
not for others. If there is a password/secret in clear text in a file than it
is a ding on the audit.
As I said, there are a number of specific usecases - the following are off the
top of my head:
* signing secret - as we have already mentioned above
* SSL configuration
* certain applications when run on Yarn will need to have various secrets
provided to them or pre-provisioned as part of application deployment.
So, to be clear - we have internal hadoop usage in mind as well as external
components that would pickup this functionality.
As it seems inappropriate for hadoop itself to depend on an external ecosystem
component for such a facility - I think it most appropriate for hadoop-common.
Thoughts?
> Create an API to Separate Credentials/Password Storage from Applications
> ------------------------------------------------------------------------
>
> Key: HADOOP-10607
> URL: https://issues.apache.org/jira/browse/HADOOP-10607
> Project: Hadoop Common
> Issue Type: New Feature
> Components: security
> Reporter: Larry McCay
> Assignee: Larry McCay
> Fix For: 3.0.0, 2.6.0
>
> Attachments: 10607-10.patch, 10607-11.patch, 10607-12.patch,
> 10607-2.patch, 10607-3.patch, 10607-4.patch, 10607-5.patch, 10607-6.patch,
> 10607-7.patch, 10607-8.patch, 10607-9.patch, 10607-branch-2.patch, 10607.patch
>
>
> As with the filesystem API, we need to provide a generic mechanism to support
> multiple credential storage mechanisms that are potentially from third
> parties.
> We need the ability to eliminate the storage of passwords and secrets in
> clear text within configuration files or within code.
> Toward that end, I propose an API that is configured using a list of URLs of
> CredentialProviders. The implementation will look for implementations using
> the ServiceLoader interface and thus support third party libraries.
> Two providers will be included in this patch. One using the credentials cache
> in MapReduce jobs and the other using Java KeyStores from either HDFS or
> local file system.
> A CredShell CLI will also be included in this patch which provides the
> ability to manage the credentials within the stores.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
