diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index 194b4be534a..3bf9d4baf5c 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -528,6 +528,8 @@ Release 2.6.0 - UNRELEASED HADOOP-10868. AuthenticationFilter should support externalizing the secret for signing and provide rotation support. (rkanter via tucu) + HADOOP-10922. User documentation for CredentialShell. (Larry McCay via wang) + OPTIMIZATIONS HADOOP-10838. Byte array native checksumming. (James Thomas via todd) diff --git a/hadoop-common-project/hadoop-common/src/site/apt/CommandsManual.apt.vm b/hadoop-common-project/hadoop-common/src/site/apt/CommandsManual.apt.vm index dd4eb0a3f6a..a03dd030ca3 100644 --- a/hadoop-common-project/hadoop-common/src/site/apt/CommandsManual.apt.vm +++ b/hadoop-common-project/hadoop-common/src/site/apt/CommandsManual.apt.vm 
@@ -85,6 +85,59 @@ User Commands {{{../../hadoop-mapreduce-client/hadoop-mapreduce-client-core/HadoopArchives.html} Hadoop Archives Guide}}. +* <<>> + + Command to manage credentials, passwords and secrets within credential providers. + + The CredentialProvider API in Hadoop allows for the separation of applications + and how they store their required passwords/secrets. In order to indicate + a particular provider type and location, the user must provide the + configuration element in core-site.xml + or use the command line option <<<-provider>>> on each of the following commands. + This provider path is a comma-separated list of URLs that indicates the type and + location of a list of providers that should be consulted. + For example, the following path: + + <<>> + + indicates that the current user's credentials file should be consulted through + the User Provider, that the local file located at <<>> is a Java Keystore + Provider and that the file located within HDFS at <<>> + is also a store for a Java Keystore Provider. + + When utilizing the credential command it will often be for provisioning a password + or secret to a particular credential store provider. In order to explicitly + indicate which provider store to use the <<<-provider>>> option should be used. Otherwise, + given a path of multiple providers, the first non-transient provider will be used. + This may or may not be the one that you intended. + + Example: <<<-provider jceks://file/tmp/test.jceks>>> + + Usage: << [options]>>> + +*-------------------+-------------------------------------------------------+ +||COMMAND_OPTION || Description +*-------------------+-------------------------------------------------------+ +| create [-v ][-provider ]| Prompts the user for + | a credential to be stored as the given alias when a value + | is not provided via <<<-v>>>. The + | within the + | core-site.xml file will be used unless a <<<-provider>>> is + | indicated. 
+*-------------------+-------------------------------------------------------+ +| delete [-i][-provider ] | Deletes the credential with + | the provided alias and optionally warns the user when + | <<<--interactive>>> is used. + | The within the + | core-site.xml file will be used unless a <<<-provider>>> is + | indicated. +*-------------------+-------------------------------------------------------+ +| list [-provider ] | Lists all of the credential aliases + | The within the + | core-site.xml file will be used unless a <<<-provider>>> is + | indicated. +*-------------------+-------------------------------------------------------+ + * <<>> Copy file or directories recursively. More information can be found at
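Review bot: In the create row of the CommandsManual.apt.vm table, -v is documented as a way to supply the credential value on the command line with no caveat, although a value passed as an argument can be recorded in shell history and is visible in the process list while the command runs. Suggest adding a sentence to that row such as "Prefer the prompt; a value given with <<<-v>>> may be visible in shell history and process listings." In the delete row of the same table, the usage column shows [-i] while the description refers to <<<--interactive>>>; use the same form in both places, or list both forms together, so the reader knows which flag the shell accepts. The paragraph above the table already warns that "the first non-transient provider will be used" when -provider is omitted, so the example there could also say outright that -provider is recommended whenever a secret is being provisioned.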