[ https://issues.apache.org/jira/browse/AMBARI-23106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16380655#comment-16380655 ]
Zsombor Gegesy commented on AMBARI-23106:
-----------------------------------------

The Hadoop Credential Provider has a complex logic to determine the actual way to load the credentials. For example, if the "jceks" scheme is selected then the [JavaKeyStoreProvider|https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/JavaKeyStoreProvider.java] is picked, which delegates the loading to the HDFS API, but with a different schema, so

* jceks://file/home/larry/creds.jceks is mapped to a *local* file:///home/larry/creds.jceks
* jceks://h...@nn1.example.com/my/creds.jceks is mapped to a file in HDFS

However, the localjceks schema is handled by [LocalJavaKeyStoreProvider|https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/LocalJavaKeyStoreProvider.java], which just uses java.io to read the files from the local filesystem (after removing the 'localjceks://file/' prefix), so

* localjceks://file/home/larry/creds.jceks is mapped to a *local* file:///home/larry/creds.jceks

As I understand, Ambari never puts these credential files into HDFS, or even if it does, all the components are initialized with a locally accessible credential file, and the current code just prefixes the filepath with "jceks://file/" inside 'security_commons.py'. Maybe Ambari needs to support components where localjceks is not supported, only jceks, I don't know. As these classes were released at least in Hadoop 2.6 (maybe earlier), I assumed that this change shouldn't break many things.
> Use localjceks URL for credential provider for local files
> ----------------------------------------------------------
>
> Key: AMBARI-23106
> URL: https://issues.apache.org/jira/browse/AMBARI-23106
> Project: Ambari
> Issue Type: Bug
> Components: ambari-agent
> Affects Versions: 2.6.0
> Reporter: Zsombor Gegesy
> Priority: Major
> Labels: pull-request-available
> Time Spent: 1h
> Remaining Estimate: 0h
>
> Ambari generates 'jceks://file/{filepath}' as a credential provider URL,
> which forces using the JavaKeyStoreProvider, which uses the HDFS API to
> access the local file system.
> This causes problems when local file system access from that API is
> disabled for security reasons, for example in Oozie. Fortunately, there is
> a LocalJavaKeyStoreProvider which can be used in this case, which can be
> accessed with a 'localjceks://file/{filepath}' URL

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
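An added example, not Ambari's security_commons.py or Hadoop's provider code, that resolves credential-provider URLs the way the comment above describes (jceks goes through the Hadoop FileSystem API, localjceks reads the local path directly) and rewrites a jceks://file URL to the localjceks form the issue proposes. The namenode host and the keystore paths are constructed sample values.

```python
from urllib.parse import urlparse

# Constructed model of the provider selection described in AMBARI-23106.


def resolve_credential_provider(url):
    """Return (provider_class, location) for a Hadoop credential-provider URL."""
    parsed = urlparse(url)
    if parsed.scheme == "localjceks":
        if parsed.netloc != "file":
            raise ValueError("localjceks only supports the 'file' authority")
        # LocalJavaKeyStoreProvider strips the 'localjceks://file/' prefix
        # and opens the remaining path with java.io, bypassing the FS API.
        return ("LocalJavaKeyStoreProvider", parsed.path)
    if parsed.scheme == "jceks":
        if parsed.netloc == "file":
            # JavaKeyStoreProvider hands a file:// Path to the Hadoop FS API;
            # this is what breaks when local FS access via that API is disabled.
            return ("JavaKeyStoreProvider", "file://" + parsed.path)
        # Authority '<fs-scheme>@<host>' is unnested into '<fs-scheme>://<host>'.
        fs_scheme, _, host = parsed.netloc.partition("@")
        if not host:
            raise ValueError("nested jceks authority must be '<scheme>@<host>'")
        return ("JavaKeyStoreProvider", f"{fs_scheme}://{host}{parsed.path}")
    raise ValueError(f"unsupported credential provider scheme: {parsed.scheme!r}")


def to_local_provider_url(url):
    """Rewrite a jceks://file URL to localjceks://file; leave HDFS-backed
    jceks URLs untouched, since localjceks cannot read them."""
    parsed = urlparse(url)
    if parsed.scheme == "jceks" and parsed.netloc == "file":
        return "localjceks://file" + parsed.path
    return url


def local_credential_provider_url(filepath):
    """URL Ambari would emit for a keystore on the agent's local disk
    (assumes an absolute filepath, as Ambari's generated paths are)."""
    if not filepath.startswith("/"):
        raise ValueError("expected an absolute keystore path")
    return "localjceks://file" + filepath
```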