Posted to dev@oozie.apache.org by "Robert Kanter (JIRA)" <ji...@apache.org> on 2015/06/13 01:34:00 UTC
[jira] [Commented] (OOZIE-2272) Use Hadoop's CredentialProvider for passwords in oozie-site
[ https://issues.apache.org/jira/browse/OOZIE-2272?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14584260#comment-14584260 ]
Robert Kanter commented on OOZIE-2272:
--------------------------------------
If anybody is interested in trying it out, here's how I tested it:
The {{CredentialProvider}} can have different providers, but I tried it out with the jceks one that's built-in. Here are the steps I did to create the encrypted file:
{noformat}
$ export HADOOP_CREDSTORE_PASSWORD=mypassword
$ hadoop credential create oozie.service.jpaservice.jdbc.password -provider jceks://file/tmp/oozie.jceks
Enter password: <-- I entered 'mypassword'
Enter password again: <-- I entered 'mypassword'
oozie.service.jpaservice.jdbc.password has been successfully created.
org.apache.hadoop.security.alias.JavaKeyStoreProvider has been updated.
{noformat}
I then verified that the file had the right stuff in it:
{noformat}
$ keytool -list -keystore /tmp/oozie.jceks -storetype jceks -storepass mypassword -v
Keystore type: JCEKS
Keystore provider: SunJCE
Your keystore contains 1 entry
Alias name: oozie.service.jpaservice.jdbc.password
Creation date: Jun 12, 2015
Entry type: SecretKeyEntry
*******************************************
*******************************************
{noformat}
To make Oozie use it, I set these configs in oozie-site:
{noformat}
<property>
<name>oozie.service.JPAService.jdbc.password</name>
<value>*****</value>
</property>
<property>
<name>hadoop.security.credential.provider.path</name>
<value>jceks://file/tmp/oozie.jceks</value>
</property>
{noformat}
And this env var in oozie-env.sh:
{noformat}
HADOOP_CREDSTORE_PASSWORD=mypassword
{noformat}
I didn't try it with the email password (I don't have an SMTP server available), but you'd just add a second alias, named {{oozie.email.smtp.password}}, to the jceks file. The code is the same.
> Use Hadoop's CredentialProvider for passwords in oozie-site
> -----------------------------------------------------------
>
> Key: OOZIE-2272
> URL: https://issues.apache.org/jira/browse/OOZIE-2272
> Project: Oozie
> Issue Type: Improvement
> Components: security
> Affects Versions: trunk
> Reporter: Robert Kanter
> Assignee: Robert Kanter
> Attachments: OOZIE-2272.001.patch
>
>
> We have a few passwords in oozie-site:
> - {{oozie.email.smtp.password}}
> - {{oozie.service.JPAService.jdbc.password}}
> It would be good if we supported Hadoop's {{CredentialProvider}} so that the passwords can be specified in an external encrypted file. The file can be prepared as described [here|http://hadoop.apache.org/docs/r2.7.0/hadoop-project-dist/hadoop-common/CommandsManual.html#credential] in the Hadoop docs.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
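The lookup order that makes the configuration in the comment above work (keystore alias first, clear-text property value only as a fallback) is what Hadoop's `Configuration.getPassword()` provides. The following is an added, stand-alone illustration written for this page; it is not the OOZIE-2272 patch or any Oozie code. It assumes hadoop-common 2.6 or later on the classpath and creates its own scratch jceks file programmatically (the equivalent of the `hadoop credential create` command in the comment) so it can be run without a cluster. The class name, the `resolvePassword`/`storeAlias` helpers and the secret values are constructed for the demo.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.List;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.alias.CredentialProvider;
import org.apache.hadoop.security.alias.CredentialProviderFactory;

/**
 * Added demo (not Oozie code): shows how Configuration.getPassword() resolves the
 * two oozie-site password keys from a jceks CredentialProvider, falling back to
 * the property value only when no alias exists.
 */
public class CredentialProviderDemo {

    // The two oozie-site keys named in OOZIE-2272.
    static final String JDBC_PASSWORD = "oozie.service.JPAService.jdbc.password";
    static final String SMTP_PASSWORD = "oozie.email.smtp.password";

    /**
     * Resolve a password the way a service should: providers listed under
     * hadoop.security.credential.provider.path first, then the property itself.
     * Returns null when neither has a value.
     */
    static String resolvePassword(Configuration conf, String name) throws IOException {
        char[] secret = conf.getPassword(name);
        if (secret == null) {
            return null;
        }
        try {
            return new String(secret);
        } finally {
            Arrays.fill(secret, '\0'); // scrub the buffer once copied
        }
    }

    /**
     * Programmatic equivalent of `hadoop credential create <alias> -provider <path>`.
     * The keystore password is taken from HADOOP_CREDSTORE_PASSWORD when that
     * variable is set (as in the comment's oozie-env.sh), otherwise Hadoop's default.
     */
    static void storeAlias(Configuration conf, String alias, String value) throws IOException {
        List<CredentialProvider> providers = CredentialProviderFactory.getProviders(conf);
        if (providers.isEmpty()) {
            throw new IllegalStateException("no provider configured under "
                    + CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH);
        }
        CredentialProvider provider = providers.get(0);
        provider.createCredentialEntry(alias, value.toCharArray());
        provider.flush(); // persists the jceks file
    }

    public static void main(String[] args) throws IOException {
        // Constructed scratch keystore path; a deployment would use a protected
        // location such as the jceks://file/tmp/oozie.jceks from the comment.
        Path dir = Files.createTempDirectory("oozie-creds");
        String providerPath = "jceks://file" + dir.resolve("oozie.jceks").toUri().getPath();

        Configuration conf = new Configuration();
        conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, providerPath);
        // What oozie-site holds in the comment: a placeholder instead of the real
        // JDBC password, and no SMTP property at all.
        conf.set(JDBC_PASSWORD, "*****");

        // Constructed secrets for the demo.
        storeAlias(conf, JDBC_PASSWORD, "db-secret");
        storeAlias(conf, SMTP_PASSWORD, "smtp-secret");

        // 1. Alias present: the keystore value wins over the "*****" placeholder.
        System.out.println("jdbc  -> " + resolvePassword(conf, JDBC_PASSWORD));
        // 2. Alias present, no property: still resolved from the keystore.
        System.out.println("smtp  -> " + resolvePassword(conf, SMTP_PASSWORD));
        // 3. Neither: null, which a caller must treat as "not configured" rather
        //    than silently connecting with an empty password.
        System.out.println("other -> " + resolvePassword(conf, "oozie.example.missing"));
    }
}
```

Two points the run makes visible. First, JKS/JCEKS aliases are case-insensitive (the keystore lower-cases them), which is why `keytool -list` in the comment prints the alias in lower case while the lookup by the mixed-case property name still succeeds. Second, the jceks file only protects the passwords as well as its own store password and its file permissions do: `HADOOP_CREDSTORE_PASSWORD` in oozie-env.sh and the keystore file both need to be readable by the Oozie service user alone, and a clear-text fallback value left in oozie-site defeats the point of the external file.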