You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "Larry McCay (JIRA)" <ji...@apache.org> on 2014/06/02 01:04:02 UTC
[jira] [Commented] (HADOOP-10607) Create an API to Separate
Credentials/Password Storage from Applications
[ https://issues.apache.org/jira/browse/HADOOP-10607?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14015116#comment-14015116 ]
Larry McCay commented on HADOOP-10607:
--------------------------------------
[~owen.omalley]
As I go to implement the ConfigurationCredentialProvider, it gets a little more weird.
What does it mean to create or delete a credential in the provider - since there isn't enough info to implement flush().
How about getAliases?
It really only makes sense as a read provider which already exists in conf.get().
I think that I am going to leave the ConfigurationCredentialProvider out for this iteration - we can always followup with another Jira.
Is that reasonable?
> Create an API to Separate Credentials/Password Storage from Applications
> ------------------------------------------------------------------------
>
> Key: HADOOP-10607
> URL: https://issues.apache.org/jira/browse/HADOOP-10607
> Project: Hadoop Common
> Issue Type: New Feature
> Components: security
> Reporter: Larry McCay
> Assignee: Larry McCay
> Fix For: 3.0.0
>
> Attachments: 10607-2.patch, 10607-3.patch, 10607-4.patch, 10607-5.patch, 10607.patch
>
>
> As with the filesystem API, we need to provide a generic mechanism to support multiple credential storage mechanisms that are potentially from third parties.
> We need the ability to eliminate the storage of passwords and secrets in clear text within configuration files or within code.
> Toward that end, I propose an API that is configured using a list of URLs of CredentialProviders. The implementation will look for implementations using the ServiceLoader interface and thus support third party libraries.
> Two providers will be included in this patch. One using the credentials cache in MapReduce jobs and the other using Java KeyStores from either HDFS or local file system.
> A CredShell CLI will also be included in this patch which provides the ability to manage the credentials within the stores.
--
This message was sent by Atlassian JIRA
(v6.2#6252)