diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/LdapGroupsMapping.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/LdapGroupsMapping.java
index 83eb5ad8bc9..f24009d40da 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/LdapGroupsMapping.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/LdapGroupsMapping.java
@@ -149,6 +149,10 @@ public class LdapGroupsMapping
public static final String BIND_PASSWORD_FILE_KEY = BIND_PASSWORD_KEY + ".file";
public static final String BIND_PASSWORD_FILE_DEFAULT = "";
+ public static final String BIND_PASSWORD_ALIAS_KEY =
+ BIND_PASSWORD_KEY + ".alias";
+ public static final String BIND_PASSWORD_ALIAS_DEFAULT = "";
+
/*
* Base distinguished name to use for searches
*/
@@ -662,12 +666,19 @@ public class LdapGroupsMapping
}
bindUser = conf.get(BIND_USER_KEY, BIND_USER_DEFAULT);
- bindPassword = getPassword(conf, BIND_PASSWORD_KEY, BIND_PASSWORD_DEFAULT);
+
+ String alias = conf.get(BIND_PASSWORD_ALIAS_KEY,
+ BIND_PASSWORD_ALIAS_DEFAULT);
+ bindPassword = getPasswordFromCredentialProviders(conf, alias, "");
if (bindPassword.isEmpty()) {
- bindPassword = extractPassword(
- conf.get(BIND_PASSWORD_FILE_KEY, BIND_PASSWORD_FILE_DEFAULT));
+ bindPassword = getPassword(conf, BIND_PASSWORD_KEY,
+ BIND_PASSWORD_DEFAULT);
+ if (bindPassword.isEmpty()) {
+ bindPassword = extractPassword(
+ conf.get(BIND_PASSWORD_FILE_KEY, BIND_PASSWORD_FILE_DEFAULT));
+ }
}
-
+
String baseDN = conf.getTrimmed(BASE_DN_KEY, BASE_DN_DEFAULT);
// User search base which defaults to base dn.
@@ -755,10 +766,10 @@ public class LdapGroupsMapping
}
String getPasswordFromCredentialProviders(
- Configuration conf, String alias, String defaultPass) {
+ Configuration config, String alias, String defaultPass) {
String password = defaultPass;
try {
- char[] passchars = conf.getPasswordFromCredentialProviders(alias);
+ char[] passchars = config.getPasswordFromCredentialProviders(alias);
if (passchars != null) {
password = new String(passchars);
}
diff --git a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
index 28e910ba262..f7d61c6d01a 100644
--- a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
+++ b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
@@ -370,6 +370,16 @@
+
+ hadoop.security.group.mapping.ldap.bind.password.alias
+
+
+ The alias of the bind user to be used to get the password from credential
+ providers. If the alias is empty, property
+ hadoop.security.group.mapping.ldap.bind.password is used instead.
+
+
+
hadoop.security.group.mapping.ldap.bind.password.file
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestLdapGroupsMapping.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestLdapGroupsMapping.java
index a361d04a728..174333859ba 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestLdapGroupsMapping.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestLdapGroupsMapping.java
@@ -300,13 +300,53 @@ public class TestLdapGroupsMapping extends TestLdapGroupsMappingBase {
mapping.getPassword(conf, LdapGroupsMapping.BIND_PASSWORD_KEY, ""));
Assert.assertEquals("storepass",
mapping.getPassword(conf, LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY,
- ""));
+ ""));
// let's make sure that a password that doesn't exist returns an
// empty string as currently expected and used to trigger a call to
// extract password
Assert.assertEquals("", mapping.getPassword(conf,"invalid-alias", ""));
}
+ @Test
+ public void testConfGetPasswordUsingAlias() throws Exception {
+ File testDir = GenericTestUtils.getTestDir();
+ Configuration conf = getBaseConf();
+ final Path jksPath = new Path(testDir.toString(), "test.jks");
+ final String ourUrl =
+ JavaKeyStoreProvider.SCHEME_NAME + "://file" + jksPath.toUri();
+
+ File file = new File(testDir, "test.jks");
+ file.delete();
+ conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl);
+
+ // Set alias
+ String bindpassAlias = "bindpassAlias";
+ conf.set(LdapGroupsMapping.BIND_PASSWORD_ALIAS_KEY, bindpassAlias);
+
+ CredentialProvider provider =
+ CredentialProviderFactory.getProviders(conf).get(0);
+ char[] bindpass = "bindpass".toCharArray();
+
+ // Ensure that we get null when the key isn't there
+ assertNull(provider.getCredentialEntry(bindpassAlias));
+
+ // Create credential for the alias
+ provider.createCredentialEntry(bindpassAlias, bindpass);
+ provider.flush();
+
+ // Make sure we get back the right key
+ assertArrayEquals(bindpass, provider.getCredentialEntry(
+ bindpassAlias).getCredential());
+
+ LdapGroupsMapping mapping = new LdapGroupsMapping();
+ Assert.assertEquals("bindpass",
+ mapping.getPasswordFromCredentialProviders(conf, bindpassAlias, ""));
+
+ // Empty for an invalid alias
+ Assert.assertEquals("", mapping.getPasswordFromCredentialProviders(
+ conf, "invalid-alias", ""));
+ }
+
/**
* Test that if the {@link LdapGroupsMapping#CONNECTION_TIMEOUT} is set in the
* configuration, the LdapGroupsMapping connection will timeout by this value