Posted to common-issues@hadoop.apache.org by "Yan (JIRA)" <ji...@apache.org> on 2017/04/17 17:37:41 UTC

[jira] [Commented] (HADOOP-14063) Hadoop CredentialProvider fails to load list of keystore files

    [ https://issues.apache.org/jira/browse/HADOOP-14063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15971383#comment-15971383 ] 

Yan commented on HADOOP-14063:
------------------------------

The patch breaks the semantics of the keystoreExists() method, including the exception thrown. Potentially it could break existing callers of the method.

A proper fix, IMHO, could be to 1) carefully differentiate specific permission issues that need to be addressed for the capability of traversing multiple keystore files, probably with addition of some, probably configurable, limitation of the length of the allowed permission denials to prevent potential hacking attempts; 2) check whether the keyStoreExists() call could provide such differentiations; 3) if not, enhance AbstractJavaKeyStoreProvider, probably plus its subclasses, with a method that can provide this differentiation; 4) enhance the caller of the KeyStoreProvider dealing with the multiple keystore files to improve the logic so as to be able to proceed to the next keystore after detecting some exceptions; and/or provide a new method/subclass in/to the KeyStoreProvider class, to properly handle the multiple keystore files.

In summary, we should try to fix the problem at the caller side as much as possible, and not change the semantics of existing methods which would have much wider impact.


> Hadoop CredentialProvider fails to load list of keystore files
> --------------------------------------------------------------
>
>                 Key: HADOOP-14063
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14063
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: ramtin
>            Assignee: ramtin
>         Attachments: HADOOP-14063-001.patch, HADOOP-14063-002.patch
>
>
> The {{hadoop.security.credential.provider.path}} property can be a list of keystore files like this:
> _jceks://hdfs/file1.jceks,jceks://hdfs/file2.jceks,jceks://hdfs/file3.jceks ..._
> Each file can have different permissions set to limit the users that have access to the keys.  Some users may not have access to all the keystore files.
> Each keystore file in the list should be tried until one is found with the key needed. 
> Currently it will throw an exception if one of the keystore files cannot be loaded instead of continuing to try the next one in the list.
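An added example (not Hadoop code, not from the attached patches, and not the commenter's own) of the caller-side loop the comment sketches: walk the configured keystore list in order, treat a permission denial or an absent file as "skip to the next keystore", cap how many denials are tolerated with a configurable limit, and fail on anything else so that a corrupt file or wrong password is not silently masked. It reads local JCEKS files through java.nio rather than Hadoop's filesystem layer, and the class name MultiKeystoreLookup, the TooManyDenialsException type, the maxDenials limit and the sample aliases are all hypothetical.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.AccessDeniedException;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.List;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

// Added illustration of the "try the next keystore" logic discussed on the issue.
// Hypothetical class: the caller, not the keystore provider, decides which
// failures are skippable, so the provider's existing method semantics stay intact.
public final class MultiKeystoreLookup {

    /** Raised when more keystores denied access than the configured ceiling allows. */
    public static final class TooManyDenialsException extends IOException {
        TooManyDenialsException(String msg) { super(msg); }
    }

    private final char[] password;
    private final int maxDenials; // hypothetical configurable limit on tolerated denials

    public MultiKeystoreLookup(char[] password, int maxDenials) {
        this.password = password.clone();
        this.maxDenials = maxDenials;
    }

    /**
     * Walks the list in order and returns the entry for alias from the first
     * keystore this process may read that contains it, or null if none does.
     * Permission denials and missing files move on to the next keystore; a
     * denial count above maxDenials, or any other I/O problem (corrupt file,
     * wrong password), fails the whole lookup.
     */
    public KeyStore.Entry lookup(List<Path> keystores, String alias)
            throws IOException, GeneralSecurityException {
        int denials = 0;
        for (Path p : keystores) {
            KeyStore ks = KeyStore.getInstance("JCEKS");
            try (InputStream in = Files.newInputStream(p)) {
                ks.load(in, password);
            } catch (AccessDeniedException e) {
                // The specific, expected case: this user may not read this file.
                if (++denials > maxDenials) {
                    throw new TooManyDenialsException(
                        "more than " + maxDenials + " keystores denied access; last: " + p);
                }
                continue;
            } catch (NoSuchFileException e) {
                continue; // same outcome as keystoreExists() == false: nothing to read
            }
            if (ks.containsAlias(alias)) {
                return ks.getEntry(alias, new KeyStore.PasswordProtection(password));
            }
        }
        return null; // every readable keystore was consulted and none held the alias
    }

    // Demo with two constructed keystores: the first is made unreadable (POSIX
    // permissions; running as root bypasses them), the second holds the alias,
    // and a third path does not exist. The lookup skips the first two problems.
    public static void main(String[] args) throws Exception {
        char[] pw = "demo-password".toCharArray();
        Path dir = Files.createTempDirectory("multiks");
        Path first = dir.resolve("file1.jceks");
        Path second = dir.resolve("file2.jceks");
        writeKeystore(first, pw, null);
        writeKeystore(second, pw, "db.password");
        Files.setPosixFilePermissions(first, PosixFilePermissions.fromString("---------"));

        MultiKeystoreLookup lookup = new MultiKeystoreLookup(pw, 3);
        KeyStore.Entry entry = lookup.lookup(
            Arrays.asList(first, second, dir.resolve("missing.jceks")), "db.password");
        System.out.println(entry instanceof KeyStore.SecretKeyEntry
            ? "found db.password in " + second : "alias not found");
    }

    /** Writes a fresh JCEKS file holding one constructed AES secret under alias (if non-null). */
    static void writeKeystore(Path path, char[] pw, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null); // start from an empty keystore
        if (alias != null) {
            SecretKey key = new SecretKeySpec(
                "0123456789abcdef".getBytes(StandardCharsets.UTF_8), "AES"); // constructed demo key
            ks.setEntry(alias, new KeyStore.SecretKeyEntry(key), new KeyStore.PasswordProtection(pw));
        }
        try (OutputStream out = Files.newOutputStream(path)) {
            ks.store(out, pw);
        }
    }
}
```

The denial ceiling is the caller-side counterpart of the "limitation of the length of the allowed permission denials" mentioned above: a long provider path of unreadable files fails fast with a distinct exception instead of being probed to the end, while a keystore that exists but cannot be parsed still surfaces its original IOException.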



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
