Posted to dev@oozie.apache.org by "Attila Sasvari (JIRA)" <ji...@apache.org> on 2017/01/12 09:33:52 UTC

[jira] [Issue Comment Deleted] (OOZIE-2771) Allow retrieving keystore and truststore passwords from Hadoop Credential Provider

     [ https://issues.apache.org/jira/browse/OOZIE-2771?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Attila Sasvari updated OOZIE-2771:
----------------------------------
    Comment: was deleted

(was: {{getPassword}} in {{org.apache.hadoop.conf.Configuration}} class in hadoop-common is available since Hadoop 2.6 (see https://github.com/apache/hadoop/blob/branch-2.6/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/Configuration.java#L1882)

It first tries the JCEKS file, and if it cannot retrieve the password there, it falls back to reading the cleartext password from the config file.
 
I did the following test:
- Generated keystore with password
{code}
HADOOP_CREDSTORE_PASSWORD=password bin/hadoop credential create  oozie.https.keystore.pass -value password -provider jceks://file/tmp/test.jceks
{code}
- added {{testConfig.set("hadoop.security.credential.provider.path", "jceks://file/tmp/test.jceks");}} to {{TestSSLServerConnectorFactory}}
- ran test in debug mode
{{HADOOP_CREDSTORE_PASSWORD=password mvn test  -Dfindbugs.skip=true  -Dmaven.surefire.debug -DjavaVersion=1.8 -DtargetVersion=1.7 -Dtest=org.apache.oozie.server.TestSSLServerConnectorFactory -Phadoop-2 -Dhadoop.version=2.6.0 -Puber;}}
- attached to the running test and verified password was being retrieved from the config file

I don't think it would be worth the effort, but if you want we can create a fully automatic integration test for this (e.g. a test case generating the keystore from code using the Credential Provider API, putting a masked password in the config, and verifying it is retrieved from the JCEKS file rather than the config file, etc.). It would essentially just retest {{org.apache.hadoop.conf.Configuration}} that, we know, is tested and works. We do not do this either for {{EmailActionExecutor}} or {{JPAService}}.)
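The lookup order described in the comment above (credential provider first, cleartext config value as fallback), shown as an added example that is not part of the OOZIE-2771 patch or the Oozie code base. It uses only the hadoop-common 2.6+ API named in the comment ({{Configuration.getPassword}} and the Credential Provider API behind {{hadoop credential create}}); the JCEKS path {{/tmp/oozie-example.jceks}}, the class name and the sample secrets are assumptions for the example.

```java
import java.io.File;
import java.io.IOException;
import java.util.List;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.alias.CredentialProvider;
import org.apache.hadoop.security.alias.CredentialProviderFactory;

/**
 * Added example (not Oozie code): creates a JCEKS credential store from code and
 * shows that Configuration.getPassword() prefers it over the cleartext config value.
 */
public class KeystorePasswordLookupExample {

    // Property name from the JIRA description; the store location is a hypothetical test path.
    static final String KEYSTORE_PASS_KEY = "oozie.https.keystore.pass";
    static final String STORE_FILE = "/tmp/oozie-example.jceks";
    static final String PROVIDER_PATH = "jceks://file" + STORE_FILE;

    /** Equivalent of "hadoop credential create", done through the Credential Provider API. */
    static void createCredentialStore(char[] secret) throws IOException {
        Configuration conf = new Configuration();
        conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, PROVIDER_PATH);
        List<CredentialProvider> providers = CredentialProviderFactory.getProviders(conf);
        CredentialProvider provider = providers.get(0);
        // Fails if the alias already exists, so the caller removes any stale store first.
        provider.createCredentialEntry(KEYSTORE_PASS_KEY, secret);
        provider.flush(); // writes the JCEKS file to disk
    }

    /** Provider lookup first; cleartext config value only when no provider has the alias. */
    static String resolveKeystorePassword(Configuration conf) throws IOException {
        char[] pass = conf.getPassword(KEYSTORE_PASS_KEY);
        return pass == null ? null : new String(pass);
    }

    public static void main(String[] args) throws IOException {
        new File(STORE_FILE).delete();
        createCredentialStore("store-secret".toCharArray()); // constructed sample secret

        // 1) Provider configured and alias present: the masked placeholder in the
        //    config is never used, the value comes from the JCEKS file.
        Configuration withProvider = new Configuration();
        withProvider.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, PROVIDER_PATH);
        withProvider.set(KEYSTORE_PASS_KEY, "********"); // masked value in oozie-site.xml
        System.out.println("from provider: " + resolveKeystorePassword(withProvider));

        // 2) No provider configured: falls back to the cleartext config value.
        Configuration plain = new Configuration();
        plain.set(KEYSTORE_PASS_KEY, "cleartext-secret"); // constructed sample secret
        System.out.println("from config:   " + resolveKeystorePassword(plain));
    }
}
```

Run it with hadoop-common 2.6.0 (or later) on the classpath; as in the manual test in the comment, {{HADOOP_CREDSTORE_PASSWORD}} must be set to the same value when the store is created and when it is read, otherwise the JCEKS provider cannot open the file and the lookup silently falls through to the cleartext value.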

> Allow retrieving keystore and truststore passwords from Hadoop Credential Provider
> ----------------------------------------------------------------------------------
>
>                 Key: OOZIE-2771
>                 URL: https://issues.apache.org/jira/browse/OOZIE-2771
>             Project: Oozie
>          Issue Type: Improvement
>            Reporter: Attila Sasvari
>            Assignee: Attila Sasvari
>         Attachments: OOZIE-2771-01.patch
>
>
> Right now passwords for keystore and truststore ({{oozie.https.keystore.pass}}, {{oozie.https.truststore.pass}}) are stored in {{oozie-site.xml}} as cleartext.
> However, Oozie could take advantage of the Hadoop Credential Provider for storing and retrieving those passwords, similarly to how the JDBC password ({{oozie.service.JPAService.jdbc.password}}) is handled today (see https://issues.apache.org/jira/browse/OOZIE-2272).
> This way keystore and truststore passwords could be masked in oozie-site.
> Note: {{ConfigurationService.getPassword}} is worth looking at.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)