[ https://issues.apache.org/jira/browse/AMBARI-23106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16380655#comment-16380655 ]

Zsombor Gegesy commented on AMBARI-23106:
-----------------------------------------

The Hadoop Credential Provider has complex logic to determine the actual way 
to load the credentials. For example, if the "jceks" scheme is selected, then the 
[JavaKeyStoreProvider|https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/JavaKeyStoreProvider.java] 
is picked, which delegates the loading to the HDFS API, but with a different 
schema, so
* jceks://file/home/larry/creds.jceks is mapped to a *local* file:///home/larry/creds.jceks
* jceks://h...@nn1.example.com/my/creds.jceks is mapped to a file in HDFS

However, the localjceks schema is handled by 
[LocalJavaKeyStoreProvider|https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/LocalJavaKeyStoreProvider.java], 
which just uses java.io to read the files from the local filesystem (after 
removing the 'localjceks://file/' prefix), so
* localjceks://file/home/larry/creds.jceks is mapped to a *local* file:///home/larry/creds.jceks

As I understand it, Ambari never puts these credential files into HDFS, or even 
if it does, all the components are initialized with a locally accessible 
credential file, and the current code just prefixes the filepath with 
"jceks://file/" inside 'security_commons.py'.
Maybe Ambari needs to support components where localjceks is not supported, 
only jceks; I don't know. As these classes have been released at least since Hadoop 2.6 
(maybe earlier), I assumed that this change shouldn't break many things.
 
 
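To make the scheme-to-provider mapping discussed in the comment concrete, here is an added Python example (not Ambari or Hadoop code) that resolves a credential provider URL the way the two provider classes above are described to: `localjceks://file/` is stripped verbatim and the rest is read as a plain local path, while `jceks://` URLs are un-nested and handed to the Hadoop FileSystem API under the inner scheme. The rule that the part of the authority before `@` is the inner scheme (so `jceks://hdfs@nn1.example.com/...` becomes `hdfs://nn1.example.com/...`) is an assumption based on Hadoop's nested-URI convention; the helper names, `credential_url` and `touches_hadoop_filesystem`, and the `/etc/oozie/...` path are constructed for the example and are not from `security_commons.py`.

```python
"""Resolve Hadoop credential-provider URLs as described in AMBARI-23106.

Added example, not Ambari or Hadoop code. Assumption: for a jceks:// URL the
authority part before '@' is the inner scheme and the part after '@' is that
scheme's authority (Hadoop's nested-URI convention).
"""
from urllib.parse import urlparse

LOCAL_PREFIX = "localjceks://file/"


def credential_url(filepath, local=True):
    """Build the provider URL Ambari would hand to a component for a local
    keystore file. local=True mirrors the proposed localjceks form,
    local=False the current jceks form (hypothetical helper name)."""
    if not filepath.startswith("/"):
        raise ValueError("expected an absolute path, got %r" % filepath)
    scheme = "localjceks" if local else "jceks"
    return "%s://file%s" % (scheme, filepath)


def resolve_provider(url):
    """Return (provider class, how the file is read, resolved location)."""
    parsed = urlparse(url)
    if parsed.scheme == "localjceks":
        # LocalJavaKeyStoreProvider: plain java.io after stripping the prefix.
        if not url.startswith(LOCAL_PREFIX):
            raise ValueError("localjceks URL must start with %r" % LOCAL_PREFIX)
        return ("LocalJavaKeyStoreProvider", "java.io",
                "/" + url[len(LOCAL_PREFIX):])
    if parsed.scheme == "jceks":
        # JavaKeyStoreProvider: un-nest the URI and go through the Hadoop
        # FileSystem API for the inner scheme ('file' or e.g. 'hdfs').
        inner_scheme, _, authority = parsed.netloc.partition("@")
        location = "%s://%s%s" % (inner_scheme, authority, parsed.path)
        return ("JavaKeyStoreProvider",
                "hadoop FileSystem (%s)" % inner_scheme, location)
    raise ValueError("unsupported credential provider scheme: %r"
                     % parsed.scheme)


def touches_hadoop_filesystem(url):
    """True when loading this URL goes through the Hadoop FileSystem API,
    i.e. the path that a component such as Oozie may have disabled for
    local files."""
    return resolve_provider(url)[1] != "java.io"


if __name__ == "__main__":
    # Constructed sample path for the demo.
    keystore = "/etc/oozie/conf/oozie-site.jceks"
    for local in (False, True):
        url = credential_url(keystore, local=local)
        provider, via, where = resolve_provider(url)
        print("%-55s -> %s via %s -> %s" % (url, provider, via, where))
    print(resolve_provider("jceks://hdfs@nn1.example.com/my/creds.jceks"))
```

Running the module prints both forms side by side: the `jceks://file/...` URL resolves to `file:///etc/oozie/conf/oozie-site.jceks` but only via the Hadoop FileSystem layer, whereas the `localjceks://file/...` URL resolves to the same file read directly with `java.io`, which is exactly why the latter keeps working when a component has disabled local-filesystem access through that API.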

> Use localjceks URL for credential provider for local files
> ----------------------------------------------------------
>
>                 Key: AMBARI-23106
>                 URL: https://issues.apache.org/jira/browse/AMBARI-23106
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-agent
>    Affects Versions: 2.6.0
>            Reporter: Zsombor Gegesy
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> Ambari generates 'jceks://file/{filepath}' as a credential provider URL, 
> which forces using the JavaKeyStoreProvider, which uses the hdfs API to 
> access the local file system.
> This causes problems when the local file system access from that API is 
> disabled for security reasons, for example in Oozie. Fortunately, there is 
> a LocalJavaKeyStoreProvider which can be used in this case, which can be 
> accessed with a 'localjceks://file/{filepath}' URL



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
