Posted to dev@oozie.apache.org by "Robert Kanter (JIRA)" <ji...@apache.org> on 2015/06/13 01:34:00 UTC

[jira] [Commented] (OOZIE-2272) Use Hadoop's CredentialProvider for passwords in oozie-site

    [ https://issues.apache.org/jira/browse/OOZIE-2272?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14584260#comment-14584260 ] 

Robert Kanter commented on OOZIE-2272:
--------------------------------------

If anybody is interested in trying it out, here's how I tested it:

The {{CredentialProvider}} can have different providers, but I tried it out with the jceks one that's built-in.  Here are the steps I did to create the encrypted file:
{noformat}
$ export HADOOP_CREDSTORE_PASSWORD=mypassword
$ hadoop credential create oozie.service.jpaservice.jdbc.password -provider jceks://file/tmp/oozie.jceks
Enter password:            <-- I entered 'mypassword'
Enter password again:      <-- I entered 'mypassword'
oozie.service.jpaservice.jdbc.password has been successfully created.
org.apache.hadoop.security.alias.JavaKeyStoreProvider has been updated.
{noformat}
I then verified that the file had the right stuff in it:
{noformat}
$ keytool -list -keystore /tmp/oozie.jceks -storetype jceks -storepass mypassword -v

Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 1 entry

Alias name: oozie.service.jpaservice.jdbc.password
Creation date: Jun 12, 2015
Entry type: SecretKeyEntry


*******************************************
*******************************************

{noformat}
To make Oozie use it, I set these configs in oozie-site:
{noformat}
  <property>
    <name>oozie.service.JPAService.jdbc.password</name>
    <value>*****</value>
  </property>
  <property>
    <name>hadoop.security.credential.provider.path</name>
    <value>jceks://file/tmp/oozie.jceks</value>
  </property>
{noformat}
And this env var in oozie-env.sh:
{noformat}
HADOOP_CREDSTORE_PASSWORD=mypassword
{noformat}

I didn't try it with the email password (I don't have an SMTP server available), but you'd just add a second alias, named {{oozie.email.smtp.password}}, to the jceks file.  The code is the same.

> Use Hadoop's CredentialProvider for passwords in oozie-site
> -----------------------------------------------------------
>
>                 Key: OOZIE-2272
>                 URL: https://issues.apache.org/jira/browse/OOZIE-2272
>             Project: Oozie
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: trunk
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>         Attachments: OOZIE-2272.001.patch
>
>
> We have a few passwords in oozie-site:
> - {{oozie.email.smtp.password}}
> - {{oozie.service.JPAService.jdbc.password}}
> It would be good if we supported Hadoop's {{CredentialProvider}} so that the passwords can be specified in an external encrypted file.  The file can be prepared as described [here|http://hadoop.apache.org/docs/r2.7.0/hadoop-project-dist/hadoop-common/CommandsManual.html#credential] in the Hadoop docs.



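The lookup side of the procedure above, as an added example that is not Oozie's code or part of the patch: a small Java helper built on Hadoop's public {{Configuration.getPassword()}} and {{CredentialProviderFactory}} API, which is what the {{hadoop credential}} CLI populates. It assumes the jceks store at {{jceks://file/tmp/oozie.jceks}} was created as in the comment, that {{HADOOP_CREDSTORE_PASSWORD}} is exported for the JVM, and it reuses the {{*****}} placeholder from the oozie-site snippet. The class and method names are hypothetical. Two points worth knowing when checking a setup like this: {{getPassword()}} falls back to the clear-text site value when no provider holds the alias, so a missing alias would quietly turn the placeholder into the password; and Java keystore aliases are case-insensitive, which is why the lowercase alias created with {{hadoop credential}} still satisfies the mixed-case property name.

```java
import java.io.IOException;
import java.util.Arrays;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.alias.CredentialProvider;
import org.apache.hadoop.security.alias.CredentialProviderFactory;

/**
 * Added example (hypothetical class, not Oozie's own code): resolves the two
 * oozie-site passwords named in OOZIE-2272 through Hadoop's CredentialProvider.
 * Assumes the jceks store from the comment exists and HADOOP_CREDSTORE_PASSWORD
 * is set in the environment so the built-in jceks provider can open it.
 */
public class OozieCredentialLookup {

  // Property names from oozie-site as listed in the issue.
  static final String JDBC_PASSWORD = "oozie.service.JPAService.jdbc.password";
  static final String SMTP_PASSWORD = "oozie.email.smtp.password";
  // Placeholder the comment leaves in oozie-site once the secret lives in the store.
  static final String PLACEHOLDER = "*****";

  /**
   * Configuration.getPassword() asks every provider listed under
   * hadoop.security.credential.provider.path first and only then falls back to
   * the clear-text value in the Configuration.  A missing alias therefore
   * yields the placeholder, so that case is reported as a configuration error.
   */
  static String resolvePassword(Configuration conf, String name) throws IOException {
    char[] pw = conf.getPassword(name);
    if (pw == null) {
      throw new IOException("no value for " + name + " in any provider or in the site file");
    }
    try {
      String value = new String(pw);
      if (PLACEHOLDER.equals(value)) {
        throw new IOException(name + " resolved to the placeholder: alias missing from the credential store");
      }
      return value;
    } finally {
      Arrays.fill(pw, '\0'); // scrub the char[] once it has been copied
    }
  }

  /** Prints the aliases each configured provider holds; handy when a lookup unexpectedly falls back. */
  static void printAliases(Configuration conf) throws IOException {
    for (CredentialProvider provider : CredentialProviderFactory.getProviders(conf)) {
      System.out.println(provider + ": " + provider.getAliases());
    }
  }

  public static void main(String[] args) throws IOException {
    Configuration conf = new Configuration();
    // The same two settings the comment adds to oozie-site.
    conf.set(JDBC_PASSWORD, PLACEHOLDER);
    conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, "jceks://file/tmp/oozie.jceks");

    printAliases(conf);
    String jdbc = resolvePassword(conf, JDBC_PASSWORD);
    System.out.println(JDBC_PASSWORD + " resolved from the store, length " + jdbc.length());

    // No SMTP alias was added to the store above and oozie-site carries no value
    // for it, so this lookup fails; adding the second alias makes the same code path succeed.
    try {
      resolvePassword(conf, SMTP_PASSWORD);
    } catch (IOException e) {
      System.out.println("expected failure: " + e.getMessage());
    }
  }
}
```

Run it with the Hadoop client jars on the classpath and {{HADOOP_CREDSTORE_PASSWORD}} exported; {{printAliases}} should show the single lowercase JDBC alias from the keytool listing, and the SMTP lookup fails until that alias is created the same way.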
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)