You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2022/01/06 11:04:00 UTC

[jira] [Work logged] (HADOOP-18066) AbstractJavaKeyStoreProvider: need a way to read credential store password from Configuration

     [ https://issues.apache.org/jira/browse/HADOOP-18066?focusedWorklogId=704506&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-704506 ]

ASF GitHub Bot logged work on HADOOP-18066:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 06/Jan/22 11:03
            Start Date: 06/Jan/22 11:03
    Worklog Time Spent: 10m 
      Work Description: abstractdog opened a new pull request #3865:
URL: https://github.com/apache/hadoop/pull/3865


   
   
   Change-Id: I272dd387ecb52eccd8035661cfe35edcdb29840c
   
   <!--
     Thanks for sending a pull request!
       1. If this is your first time, please read our contributor guidelines: https://cwiki.apache.org/confluence/display/HADOOP/How+To+Contribute
       2. Make sure your PR title starts with JIRA issue id, e.g., 'HADOOP-17799. Your PR title ...'.
   -->
   
   ### Description of PR
   
   
   ### How was this patch tested?
   
   
   ### For code changes:
   
   - [ ] Does the title or this PR starts with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
   - [ ] Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation?
   - [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)?
   - [ ] If applicable, have you updated the `LICENSE`, `LICENSE-binary`, `NOTICE-binary` files?
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


Issue Time Tracking
-------------------

            Worklog Id:     (was: 704506)
    Remaining Estimate: 0h
            Time Spent: 10m

> AbstractJavaKeyStoreProvider: need a way to read credential store password from Configuration
> ---------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-18066
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18066
>             Project: Hadoop Common
>          Issue Type: Wish
>            Reporter: László Bodor
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Codepath in focus is [this|https://github.com/apache/hadoop/blob/c3006be516ce7d4f970e24e7407b401318ceec3c/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/AbstractJavaKeyStoreProvider.java#L316]
> {code}
>       password = ProviderUtils.locatePassword(CREDENTIAL_PASSWORD_ENV_VAR,
>           conf.get(CREDENTIAL_PASSWORD_FILE_KEY));
> {code}
> Since HIVE-14822, we can use custom keystore that Hiveserver2 propagates to jobs/tasks of different execution engines (mr, tez, spark).
> We're able to pass any "jceks:" url, but not a password, e.g. on this codepath:
> {code}
> Caused by: java.security.UnrecoverableKeyException: Password verification failed
> 	at com.sun.crypto.provider.JceKeyStore.engineLoad(JceKeyStore.java:879) ~[sunjce_provider.jar:1.8.0_232]
> 	at java.security.KeyStore.load(KeyStore.java:1445) ~[?:1.8.0_232]
> 	at org.apache.hadoop.security.alias.AbstractJavaKeyStoreProvider.locateKeystore(AbstractJavaKeyStoreProvider.java:326) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
> 	at org.apache.hadoop.security.alias.AbstractJavaKeyStoreProvider.<init>(AbstractJavaKeyStoreProvider.java:86) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
> 	at org.apache.hadoop.security.alias.KeyStoreProvider.<init>(KeyStoreProvider.java:49) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
> 	at org.apache.hadoop.security.alias.JavaKeyStoreProvider.<init>(JavaKeyStoreProvider.java:42) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
> 	at org.apache.hadoop.security.alias.JavaKeyStoreProvider.<init>(JavaKeyStoreProvider.java:35) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
> 	at org.apache.hadoop.security.alias.JavaKeyStoreProvider$Factory.createProvider(JavaKeyStoreProvider.java:68) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
> 	at org.apache.hadoop.security.alias.CredentialProviderFactory.getProviders(CredentialProviderFactory.java:73) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
> 	at org.apache.hadoop.conf.Configuration.getPasswordFromCredentialProviders(Configuration.java:2409) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
> 	at org.apache.hadoop.conf.Configuration.getPassword(Configuration.java:2347) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
> 	at org.apache.hadoop.fs.azurebfs.AbfsConfiguration.getPasswordString(AbfsConfiguration.java:295) ~[hadoop-azure-3.1.1.7.1.7.0-551.jar:?]
> 	at org.apache.hadoop.fs.azurebfs.AbfsConfiguration.getTokenProvider(AbfsConfiguration.java:525) ~[hadoop-azure-3.1.1.7.1.7.0-551.jar:?]
> {code}
> Even there is a chance of reading a text file, it's not secure, we need to try reading a Configuration property first and if it's null, we can go to the environment variable.
> Hacking the System.getenv() is only possible with reflection, doesn't look so good.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org