You are viewing a plain text version of this content. The canonical link for it is here.

Posted to common-issues@hadoop.apache.org by "Alejandro Abdelnur (JIRA)" <ji...@apache.org> on 2014/05/16 12:52:27 UTC

[jira] [Comment Edited] (HADOOP-10607) Create an API to Separate Credentials/Password Storage from Applications

    [ https://issues.apache.org/jira/browse/HADOOP-10607?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13998893#comment-13998893 ] 

Alejandro Abdelnur edited comment on HADOOP-10607 at 5/15/14 6:26 PM:
----------------------------------------------------------------------

I see the point of lot of baggage  in KeyStore that is not needed.

Instead adding a new interface, have you considered doing it in the KeyProvider itself? After all the credentials are a key. Then the KMS could easily add REST support for that too.


was (Author: tucu00):
I see the point of lot of luggage in KeyStore that is not needed.

Instead adding a new interface, have you considered doing it in the KeyProvider itself? After all the credentials are a key. Then the KMS could easily add REST support for that too.

> Create an API to Separate Credentials/Password Storage from Applications
> ------------------------------------------------------------------------
>
>                 Key: HADOOP-10607
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10607
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>             Fix For: 3.0.0
>
>         Attachments: 10607-2.patch, 10607.patch
>
>
> As with the filesystem API, we need to provide a generic mechanism to support multiple credential storage mechanisms that are potentially from third parties. 
> We need the ability to eliminate the storage of passwords and secrets in clear text within configuration files or within code.
> Toward that end, I propose an API that is configured using a list of URLs of CredentialProviders. The implementation will look for implementations using the ServiceLoader interface and thus support third party libraries.
> Two providers will be included in this patch. One using the credentials cache in MapReduce jobs and the other using Java KeyStores from either HDFS or local file system. 
> A CredShell CLI will also be included in this patch which provides the ability to manage the credentials within the stores.



--
This message was sent by Atlassian JIRA
(v6.2#6252)