Posted to common-dev@hadoop.apache.org by "László Bodor (Jira)" <ji...@apache.org> on 2022/01/10 10:29:00 UTC

[jira] [Resolved] (HADOOP-18066) AbstractJavaKeyStoreProvider: need a way to read credential store password from Configuration

     [ https://issues.apache.org/jira/browse/HADOOP-18066?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

László Bodor resolved HADOOP-18066.
-----------------------------------
    Resolution: Invalid

> AbstractJavaKeyStoreProvider: need a way to read credential store password from Configuration
> ---------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-18066
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18066
>             Project: Hadoop Common
>          Issue Type: Wish
>          Components: security
>            Reporter: László Bodor
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.3.2
>
>          Time Spent: 2h 40m
>  Remaining Estimate: 0h
>
> Codepath in focus is [this|https://github.com/apache/hadoop/blob/c3006be516ce7d4f970e24e7407b401318ceec3c/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/alias/AbstractJavaKeyStoreProvider.java#L316]
> {code}
>       password = ProviderUtils.locatePassword(CREDENTIAL_PASSWORD_ENV_VAR,
>           conf.get(CREDENTIAL_PASSWORD_FILE_KEY));
> {code}
> Since HIVE-14822, we can use a custom keystore that HiveServer2 propagates to jobs/tasks of different execution engines (mr, tez, spark).
> We're able to pass any "jceks:" url, but not a password, e.g. on this codepath:
> {code}
> Caused by: java.security.UnrecoverableKeyException: Password verification failed
> 	at com.sun.crypto.provider.JceKeyStore.engineLoad(JceKeyStore.java:879) ~[sunjce_provider.jar:1.8.0_232]
> 	at java.security.KeyStore.load(KeyStore.java:1445) ~[?:1.8.0_232]
> 	at org.apache.hadoop.security.alias.AbstractJavaKeyStoreProvider.locateKeystore(AbstractJavaKeyStoreProvider.java:326) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
> 	at org.apache.hadoop.security.alias.AbstractJavaKeyStoreProvider.<init>(AbstractJavaKeyStoreProvider.java:86) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
> 	at org.apache.hadoop.security.alias.KeyStoreProvider.<init>(KeyStoreProvider.java:49) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
> 	at org.apache.hadoop.security.alias.JavaKeyStoreProvider.<init>(JavaKeyStoreProvider.java:42) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
> 	at org.apache.hadoop.security.alias.JavaKeyStoreProvider.<init>(JavaKeyStoreProvider.java:35) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
> 	at org.apache.hadoop.security.alias.JavaKeyStoreProvider$Factory.createProvider(JavaKeyStoreProvider.java:68) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
> 	at org.apache.hadoop.security.alias.CredentialProviderFactory.getProviders(CredentialProviderFactory.java:73) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
> 	at org.apache.hadoop.conf.Configuration.getPasswordFromCredentialProviders(Configuration.java:2409) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
> 	at org.apache.hadoop.conf.Configuration.getPassword(Configuration.java:2347) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
> 	at org.apache.hadoop.fs.azurebfs.AbfsConfiguration.getPasswordString(AbfsConfiguration.java:295) ~[hadoop-azure-3.1.1.7.1.7.0-551.jar:?]
> 	at org.apache.hadoop.fs.azurebfs.AbfsConfiguration.getTokenProvider(AbfsConfiguration.java:525) ~[hadoop-azure-3.1.1.7.1.7.0-551.jar:?]
> {code}
> Even though there is a chance of reading a text file, it's not secure; we need to try reading a Configuration property first and, if it's null, we can go to the environment variable.
> Hacking System.getenv() is only possible with reflection, which doesn't look so good.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
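Added example, not Hadoop's code and not the change the issue asked for (the issue was resolved as Invalid): a small stand-alone resolver that walks the lookup order the reporter describes (a Configuration property first, then the `HADOOP_CREDSTORE_PASSWORD` environment variable, then the password file named by `hadoop.security.credstore.java-keystore-provider.password-file`). The env-var and file-key names are the real ones from `AbstractJavaKeyStoreProvider`; the property key `example.credstore.password`, the `Map` standing in for `Configuration`, the injectable `env` function and the filesystem (rather than classpath) file lookup are assumptions made to keep the example self-contained.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.Map;
import java.util.function.Function;

/** Illustrative credential-store password lookup with the precedence requested in HADOOP-18066. */
public final class CredstorePasswordResolver {

    // Real names used by AbstractJavaKeyStoreProvider / ProviderUtils in hadoop-common.
    static final String CREDENTIAL_PASSWORD_ENV_VAR = "HADOOP_CREDSTORE_PASSWORD";
    static final String CREDENTIAL_PASSWORD_FILE_KEY =
        "hadoop.security.credstore.java-keystore-provider.password-file";
    // Hypothetical property name for step 1; Hadoop defines no such key.
    static final String CREDENTIAL_PASSWORD_CONF_KEY = "example.credstore.password";
    // Fallback when nothing is configured (assumed to mirror Hadoop's "none" default).
    static final String KEYSTORE_PASSWORD_DEFAULT = "none";

    private final Map<String, String> conf;      // stands in for org.apache.hadoop.conf.Configuration
    private final Function<String, String> env;  // stands in for System.getenv, injectable for tests

    CredstorePasswordResolver(Map<String, String> conf, Function<String, String> env) {
        this.conf = conf;
        this.env = env;
    }

    /** Returns the password as a char[] so the caller can wipe it after KeyStore.load(). */
    char[] resolve() throws IOException {
        // 1. Configuration property: the behaviour the issue asks for.
        String fromConf = conf.get(CREDENTIAL_PASSWORD_CONF_KEY);
        if (fromConf != null && !fromConf.isEmpty()) {
            return fromConf.toCharArray();
        }
        // 2. Environment variable, which ProviderUtils.locatePassword checks today.
        String fromEnv = env.apply(CREDENTIAL_PASSWORD_ENV_VAR);
        if (fromEnv != null && !fromEnv.isEmpty()) {
            return fromEnv.toCharArray();
        }
        // 3. Password file named in Configuration. Simplified to a filesystem path;
        //    Hadoop's ProviderUtils resolves the name on the classpath instead.
        String fileName = conf.get(CREDENTIAL_PASSWORD_FILE_KEY);
        if (fileName != null && !fileName.isEmpty()) {
            byte[] bytes = Files.readAllBytes(Paths.get(fileName));
            return new String(bytes, StandardCharsets.UTF_8).trim().toCharArray();
        }
        // 4. Nothing configured: fall back to the default.
        return KEYSTORE_PASSWORD_DEFAULT.toCharArray();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: the property is set, so the environment variable is never consulted.
        Map<String, String> conf = Map.of(CREDENTIAL_PASSWORD_CONF_KEY, "from-conf");
        CredstorePasswordResolver resolver =
            new CredstorePasswordResolver(conf, name -> "from-env");
        char[] pw = resolver.resolve();
        System.out.println("resolved from "
            + ("from-conf".equals(new String(pw)) ? "Configuration" : "another source"));
        Arrays.fill(pw, '\0');  // wipe the copy once the keystore has been loaded
    }
}
```

The order matters for the failure in the stack trace above: `KeyStore.load` throws `UnrecoverableKeyException` when the resolved password does not match the one the `jceks:` file was created with, so whichever source wins must be the one that was set on the node the task runs on. Anything placed in Configuration is serialized with the job configuration and can surface in job.xml files, UIs and logs, so a password held there is no more confidential than the text file the reporter distrusts; returning a `char[]` and wiping it limits only how long the copy lives in the JVM, not where the configured value travels.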
