[ 
https://issues.apache.org/jira/browse/OOZIE-2771?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Attila Sasvari updated OOZIE-2771:
----------------------------------
    Attachment: OOZIE-2771-01.patch

{{getPassword}} in the {{org.apache.hadoop.conf.Configuration}} class in 
hadoop-common is available since Hadoop 2.6 (see 
https://github.com/apache/hadoop/blob/branch-2.6/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/Configuration.java#L1882)

It first tries to read the password from the JCEKS file and, if it cannot 
retrieve it there, it falls back to reading the cleartext password from the 
config file. 
 
I did the following test:
- generated keystore with password
{code}
HADOOP_CREDSTORE_PASSWORD=password bin/hadoop credential create oozie.https.keystore.pass -value password -provider jceks://file/tmp/test.jceks
{code}
- added {{testConfig.set("hadoop.security.credential.provider.path", 
"jceks://file/tmp/test.jceks");}} to {{TestSSLServerConnectorFactory}}
- ran test in debug mode
{{HADOOP_CREDSTORE_PASSWORD=password mvn test  -Dfindbugs.skip=true  
-Dmaven.surefire.debug -DjavaVersion=1.8 -DtargetVersion=1.7 
-Dtest=org.apache.oozie.server.TestSSLServerConnectorFactory -Phadoop-2 
-Dhadoop.version=2.6.0 -Puber;}}
- attached to the running test and verified password was being retrieved from 
the config file

I don't think it would be worth the effort, but if you want we can create a fully 
automatic integration test for this (e.g. a test case generating the keystore 
from code using the Credential Provider API, putting a masked password in the 
config, and verifying it is retrieved from the JCEKS file rather than the 
config file, etc.). It would essentially just retest 
{{org.apache.hadoop.conf.Configuration}}, which we know is tested and works. We 
do not do this for {{EmailActionExecutor}} or {{JPAService}} either.

> Allow retrieving keystore and truststore passwords from Hadoop Credential 
> Provider
> ----------------------------------------------------------------------------------
>
>                 Key: OOZIE-2771
>                 URL: https://issues.apache.org/jira/browse/OOZIE-2771
>             Project: Oozie
>          Issue Type: Improvement
>            Reporter: Attila Sasvari
>            Assignee: Attila Sasvari
>         Attachments: OOZIE-2771-01.patch
>
>
> Right now passwords for keystore and truststore 
> ({{oozie.https.keystore.pass}}, {{oozie.https.truststore.pass}}) are stored 
> in {{oozie-site.xml}} as cleartext.
> However, Oozie could take advantage of the Hadoop Credential Provider for 
> storing and retrieving those passwords, similarly to how the JDBC password 
> ({{oozie.service.JPAService.jdbc.password}}) is handled today (see 
> https://issues.apache.org/jira/browse/OOZIE-2272).
> This way keystore and truststore passwords could be masked in oozie-site.
> Note: {{ConfigurationService.getPassword}} is worth looking at.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
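The lookup order described in the comment above (credential provider first, cleartext property only as a fallback), shown as an added Java example that is not part of the attached patch or of Oozie's own code. It uses the public Hadoop CredentialProvider API against a constructed temporary JCEKS file; the two property names are the Oozie ones from the issue, the credential values are made up.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.alias.CredentialProvider;
import org.apache.hadoop.security.alias.CredentialProviderFactory;

/**
 * Shows how Configuration.getPassword() resolves a password: the provider
 * named in hadoop.security.credential.provider.path is asked first and the
 * cleartext property in the Configuration is used only if the alias is absent.
 */
public class CredentialProviderLookupDemo {

  // Property names taken from OOZIE-2771; everything else here is constructed.
  static final String KEYSTORE_PASS = "oozie.https.keystore.pass";
  static final String TRUSTSTORE_PASS = "oozie.https.truststore.pass";

  /** Reports whether getPassword() returned the cleartext property or a provider value. */
  static String describeSource(Configuration conf, String name, String clearValue) throws IOException {
    char[] pw = conf.getPassword(name);
    if (pw == null) return "missing";
    return new String(pw).equals(clearValue) ? "config" : "provider";
  }

  public static void main(String[] args) throws IOException {
    Path jceks = Files.createTempFile("oozie-creds", ".jceks");
    Files.delete(jceks); // the provider creates the keystore file itself on flush()
    Configuration conf = new Configuration();
    conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH,
        "jceks://file" + jceks.toAbsolutePath());

    // Programmatic equivalent of "hadoop credential create <alias> -value ... -provider jceks://file/...".
    // Without HADOOP_CREDSTORE_PASSWORD the JavaKeyStoreProvider falls back to its built-in default
    // keystore password, so set that variable (or a password file) for anything beyond a demo.
    List<CredentialProvider> providers = CredentialProviderFactory.getProviders(conf);
    CredentialProvider provider = providers.get(0);
    provider.createCredentialEntry(KEYSTORE_PASS, "s3cret-from-jceks".toCharArray());
    provider.flush();

    // Masked placeholder as it would appear in oozie-site: ignored because the provider holds the alias.
    conf.set(KEYSTORE_PASS, "********");
    // No provider entry for the truststore alias: getPassword() falls back to the cleartext property.
    conf.set(TRUSTSTORE_PASS, "cleartext-truststore-pass");

    System.out.println(KEYSTORE_PASS + " resolved from: " + describeSource(conf, KEYSTORE_PASS, "********"));
    System.out.println(TRUSTSTORE_PASS + " resolved from: "
        + describeSource(conf, TRUSTSTORE_PASS, "cleartext-truststore-pass"));
  }
}
```

Run against hadoop-common 2.6 or later on the classpath; the first line prints "provider" and the second "config", which is exactly the behaviour the debugging session in the comment confirmed.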