Posted to common-issues@hadoop.apache.org by "Larry McCay (JIRA)" <ji...@apache.org> on 2018/01/04 16:57:00 UTC

[jira] [Commented] (HADOOP-15157) Zookeeper authentication related properties to support CredentialProviders

    [ https://issues.apache.org/jira/browse/HADOOP-15157?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16311646#comment-16311646 ] 

Larry McCay commented on HADOOP-15157:
--------------------------------------

Hi [~grepas] - this is a good idea.
Couple comments/questions:

1. The general implementation pattern doesn't have the URIs set as the param value as far as I know - I would have expected to either use the same credential.provider.path property to have a credential store for zkAuth or to have a separate property for zkAuth credential providers path and no value set for the property itself. The latter is usually only needed when the global path would be inappropriate for the usage at hand. Having to set the URI at the individual property level could lead to a proliferation of credential stores and/or difficulty in keeping redundant URIs in sync across multiple properties.
2. I am missing where you are setting the value as the credential.provider.path in conf so that conf.getPassword will find it (maybe it is there and I am just not seeing it).
3. It appears that ZKUtil.BadAuthFormatException is also thrown from getZKAuthInfos but is missing from javadoc (was previously as well).
4. Credential provider docs would also need to be updated to reflect this new usage - see http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/CredentialProviderAPI.html


> Zookeeper authentication related properties to support CredentialProviders
> --------------------------------------------------------------------------
>
>                 Key: HADOOP-15157
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15157
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Gergo Repas
>            Assignee: Gergo Repas
>            Priority: Minor
>         Attachments: HADOOP-15157.000.patch
>
>
> The hadoop.zk.auth and ha.zookeeper.auth properties currently support either plain-text authentication info (in scheme:value format), or a @/path/to/file notation which points to a plain-text file.
> This ticket proposes that the value of these properties can also be CredentialProvider URIs (such as a jceks or localjceks URI). This allows users to point to an encrypted store containing the authentication info.
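
The lookup pattern raised in comment items 1 and 2, as an added example that is not part of the original message or of the attached patch: the store location is set once through hadoop.security.credential.provider.path and Configuration.getPassword resolves hadoop.zk.auth from it by alias. The class name, the temporary store path and the digest credential are constructed for illustration, and the keystore is assumed to use Hadoop's default password.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Collections;
import java.util.List;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.alias.CredentialProvider;
import org.apache.hadoop.security.alias.CredentialProviderFactory;
import org.apache.hadoop.util.ZKUtil;

// Hypothetical class name; not code from HADOOP-15157.
public class ZkAuthFromCredentialStore {
  // Configuration.getPassword uses the property name as the alias in the store.
  static final String ZK_AUTH_KEY = "hadoop.zk.auth";

  // Providers on the global path are consulted first; the clear-text value in
  // the configuration is used only as a fallback.
  static List<ZKUtil.ZKAuthInfo> loadZkAuth(Configuration conf) throws Exception {
    char[] secret = conf.getPassword(ZK_AUTH_KEY);
    if (secret == null) {
      return Collections.emptyList();
    }
    // Keep the existing @/path/to/file indirection working for clear-text values.
    String resolved = ZKUtil.resolveConfIndirection(new String(secret));
    return ZKUtil.parseAuth(resolved); // BadAuthFormatException on a malformed value
  }

  public static void main(String[] args) throws Exception {
    // Constructed store location in a temporary directory.
    Path dir = Files.createTempDirectory("zkauth-example");
    String storeUri = "localjceks://file" + dir.resolve("zk.jceks").toUri().getPath();

    Configuration conf = new Configuration(false);
    // One global provider path; hadoop.zk.auth itself has no value in conf.
    conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, storeUri);

    // Provision the alias (constructed sample credential).
    CredentialProvider provider = CredentialProviderFactory.getProviders(conf).get(0);
    provider.createCredentialEntry(ZK_AUTH_KEY,
        "digest:exampleuser:examplepass".toCharArray());
    provider.flush();

    for (ZKUtil.ZKAuthInfo info : loadZkAuth(conf)) {
      // Report the scheme and length only; never log the secret itself.
      System.out.println(info.getScheme() + " auth loaded, "
          + info.getAuth().length + " bytes");
    }
  }
}
```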


