HADOOP-13441. Document LdapGroupsMapping keystore password properties. Contributed by Yuanbo Liu.

(cherry picked from commit d892ae9576)
This commit is contained in:
Wei-Chiu Chuang 2016-08-11 11:57:20 -07:00
parent 00ff3d737c
commit d4501ad0d8
8 changed files with 104 additions and 12 deletions

View File

@ -78,6 +78,7 @@ import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.classification.InterfaceAudience; import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability; import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
import org.apache.hadoop.fs.FileSystem; import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path; import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.CommonConfigurationKeys; import org.apache.hadoop.fs.CommonConfigurationKeys;
@ -1997,7 +1998,9 @@ public class Configuration implements Iterable<Map.Entry<String,String>>,
*/ */
protected char[] getPasswordFromConfig(String name) { protected char[] getPasswordFromConfig(String name) {
char[] pass = null; char[] pass = null;
if (getBoolean(CredentialProvider.CLEAR_TEXT_FALLBACK, true)) { if (getBoolean(CredentialProvider.CLEAR_TEXT_FALLBACK,
CommonConfigurationKeysPublic.
HADOOP_SECURITY_CREDENTIAL_CLEAR_TEXT_FALLBACK_DEFAULT)) {
String passStr = get(name); String passStr = get(name);
if (passStr != null) { if (passStr != null) {
pass = passStr.toCharArray(); pass = passStr.toCharArray();

View File

@ -740,5 +740,31 @@ public class CommonConfigurationKeysPublic {
"hadoop.http.logs.enabled"; "hadoop.http.logs.enabled";
/** Defalt value for HADOOP_HTTP_LOGS_ENABLED */ /** Defalt value for HADOOP_HTTP_LOGS_ENABLED */
public static final boolean HADOOP_HTTP_LOGS_ENABLED_DEFAULT = true; public static final boolean HADOOP_HTTP_LOGS_ENABLED_DEFAULT = true;
/**
* @see
* <a href="{@docRoot}/../hadoop-project-dist/hadoop-common/core-default.xml">
* core-default.xml</a>
*/
public static final String HADOOP_SECURITY_CREDENTIAL_PROVIDER_PATH =
"hadoop.security.credential.provider.path";
/**
* @see
* <a href="{@docRoot}/../hadoop-project-dist/hadoop-common/core-default.xml">
* core-default.xml</a>
*/
public static final String HADOOP_SECURITY_CREDENTIAL_CLEAR_TEXT_FALLBACK =
"hadoop.security.credential.clear-text-fallback";
public static final boolean
HADOOP_SECURITY_CREDENTIAL_CLEAR_TEXT_FALLBACK_DEFAULT = true;
/**
* @see
* <a href="{@docRoot}/../hadoop-project-dist/hadoop-common/core-default.xml">
* core-default.xml</a>
*/
public static final String HADOOP_SECURITY_CREDENTIAL_PASSWORD_FILE_KEY =
"hadoop.security.credstore.java-keystore-provider.password-file";
} }

View File

@ -22,6 +22,7 @@ import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.classification.InterfaceAudience; import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
import org.apache.hadoop.fs.Path; import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.ProviderUtils; import org.apache.hadoop.security.ProviderUtils;
@ -64,7 +65,8 @@ public abstract class AbstractJavaKeyStoreProvider extends CredentialProvider {
public static final String CREDENTIAL_PASSWORD_ENV_VAR = public static final String CREDENTIAL_PASSWORD_ENV_VAR =
"HADOOP_CREDSTORE_PASSWORD"; "HADOOP_CREDSTORE_PASSWORD";
public static final String CREDENTIAL_PASSWORD_FILE_KEY = public static final String CREDENTIAL_PASSWORD_FILE_KEY =
"hadoop.security.credstore.java-keystore-provider.password-file"; CommonConfigurationKeysPublic.
HADOOP_SECURITY_CREDENTIAL_PASSWORD_FILE_KEY;
public static final String CREDENTIAL_PASSWORD_DEFAULT = "none"; public static final String CREDENTIAL_PASSWORD_DEFAULT = "none";
private Path path; private Path path;

View File

@ -23,6 +23,7 @@ import java.util.List;
import org.apache.hadoop.classification.InterfaceAudience; import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability; import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
/** /**
* A provider of credentials or password for Hadoop applications. Provides an * A provider of credentials or password for Hadoop applications. Provides an
@ -33,8 +34,9 @@ import org.apache.hadoop.classification.InterfaceStability;
@InterfaceAudience.Public @InterfaceAudience.Public
@InterfaceStability.Unstable @InterfaceStability.Unstable
public abstract class CredentialProvider { public abstract class CredentialProvider {
public static final String CLEAR_TEXT_FALLBACK public static final String CLEAR_TEXT_FALLBACK =
= "hadoop.security.credential.clear-text-fallback"; CommonConfigurationKeysPublic.
HADOOP_SECURITY_CREDENTIAL_CLEAR_TEXT_FALLBACK;
/** /**
* The combination of both the alias and the actual credential value. * The combination of both the alias and the actual credential value.

View File

@ -28,6 +28,7 @@ import java.util.ServiceLoader;
import org.apache.hadoop.classification.InterfaceAudience; import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability; import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
/** /**
* A factory to create a list of CredentialProvider based on the path given in a * A factory to create a list of CredentialProvider based on the path given in a
@ -38,7 +39,7 @@ import org.apache.hadoop.conf.Configuration;
@InterfaceStability.Unstable @InterfaceStability.Unstable
public abstract class CredentialProviderFactory { public abstract class CredentialProviderFactory {
public static final String CREDENTIAL_PROVIDER_PATH = public static final String CREDENTIAL_PROVIDER_PATH =
"hadoop.security.credential.provider.path"; CommonConfigurationKeysPublic.HADOOP_SECURITY_CREDENTIAL_PROVIDER_PATH;
public abstract CredentialProvider createProvider(URI providerName, public abstract CredentialProvider createProvider(URI providerName,
Configuration conf Configuration conf

View File

@ -250,10 +250,52 @@
<name>hadoop.security.group.mapping.ldap.ssl.keystore.password.file</name> <name>hadoop.security.group.mapping.ldap.ssl.keystore.password.file</name>
<value></value> <value></value>
<description> <description>
The path to a file containing the password of the LDAP SSL keystore. The path to a file containing the password of the LDAP SSL keystore. If
the password is not configured in credential providers and the property
hadoop.security.group.mapping.ldap.ssl.keystore.password is not set,
LDAPGroupsMapping reads password from the file.
IMPORTANT: This file should be readable only by the Unix user running IMPORTANT: This file should be readable only by the Unix user running
the daemons. the daemons and should be a local file.
</description>
</property>
<property>
<name>hadoop.security.group.mapping.ldap.ssl.keystore.password</name>
<value></value>
<description>
The password of the LDAP SSL keystore. this property name is used as an
alias to get the password from credential providers. If the password can
not be found and hadoop.security.credential.clear-text-fallback is true
LDAPGroupsMapping uses the value of this property for password.
</description>
</property>
<property>
<name>hadoop.security.credential.clear-text-fallback</name>
<value>true</value>
<description>
true or false to indicate whether or not to fall back to storing credential
password as clear text. The default value is true. This property only works
when the password can't not be found from credential providers.
</description>
</property>
<property>
<name>hadoop.security.credential.provider.path</name>
<value></value>
<description>
A comma-separated list of URLs that indicates the type and
location of a list of providers that should be consulted.
</description>
</property>
<property>
<name>hadoop.security.credstore.java-keystore-provider.password-file</name>
<value></value>
<description>
The path to a file containing the custom password for all keystores
that may be configured in the provider path.
</description> </description>
</property> </property>
@ -270,10 +312,24 @@
<name>hadoop.security.group.mapping.ldap.bind.password.file</name> <name>hadoop.security.group.mapping.ldap.bind.password.file</name>
<value></value> <value></value>
<description> <description>
The path to a file containing the password of the bind user. The path to a file containing the password of the bind user. If
the password is not configured in credential providers and the property
hadoop.security.group.mapping.ldap.bind.password is not set,
LDAPGroupsMapping reads password from the file.
IMPORTANT: This file should be readable only by the Unix user running IMPORTANT: This file should be readable only by the Unix user running
the daemons. the daemons and should be a local file.
</description>
</property>
<property>
<name>hadoop.security.group.mapping.ldap.bind.password</name>
<value></value>
<description>
The password of the bind user. this property name is used as an
alias to get the password from credential providers. If the password can
not be found and hadoop.security.credential.clear-text-fallback is true
LDAPGroupsMapping uses the value of this property for password.
</description> </description>
</property> </property>

View File

@ -96,7 +96,7 @@ In summary, first, provision the credentials into a provider then configure the
##### Supported Features ##### Supported Features
| Feature\Component | Description | Link | | Feature\Component | Description | Link |
|:---- |:---- |:---| |:---- |:---- |:---|
|LDAPGroupsMapping |LDAPGroupsMapping is used to look up the groups for a given user in LDAP. The CredentialProvider API is used to protect the LDAP bind password and those needed for SSL.|TODO| |LDAPGroupsMapping |LDAPGroupsMapping is used to look up the groups for a given user in LDAP. The CredentialProvider API is used to protect the LDAP bind password and those needed for SSL.|[LDAP Groups Mapping](GroupsMapping.html#LDAP_Groups_Mapping)|
|SSL Passwords |FileBasedKeyStoresFactory leverages the credential provider API in order to resolve the SSL related passwords.|TODO| |SSL Passwords |FileBasedKeyStoresFactory leverages the credential provider API in order to resolve the SSL related passwords.|TODO|
|HDFS |DFSUtil leverages Configuration.getPassword method to use the credential provider API and/or fallback to the clear text value stored in ssl-server.xml.|TODO| |HDFS |DFSUtil leverages Configuration.getPassword method to use the credential provider API and/or fallback to the clear text value stored in ssl-server.xml.|TODO|
|YARN |WebAppUtils uptakes the use of the credential provider API through the new method on Configuration called getPassword. This provides an alternative to storing the passwords in clear text within the ssl-server.xml file while maintaining backward compatibility.|TODO| |YARN |WebAppUtils uptakes the use of the credential provider API through the new method on Configuration called getPassword. This provides an alternative to storing the passwords in clear text within the ssl-server.xml file while maintaining backward compatibility.|TODO|

View File

@ -99,8 +99,10 @@ If the LDAP server supports POSIX group semantics (RFC-2307), Hadoop can perform
### SSL ### ### SSL ###
To secure the connection, the implementation supports LDAP over SSL (LDAPS). SSL is enable by setting `hadoop.security.group.mapping.ldap.ssl` to `true`. To secure the connection, the implementation supports LDAP over SSL (LDAPS). SSL is enable by setting `hadoop.security.group.mapping.ldap.ssl` to `true`.
In addition, specify the path to the keystore file for SSL connection in `hadoop.security.group.mapping.ldap.ssl.keystore` and keystore password in `hadoop.security.group.mapping.ldap.ssl.keystore.password`. In addition, specify the path to the keystore file for SSL connection in `hadoop.security.group.mapping.ldap.ssl.keystore` and keystore password in `hadoop.security.group.mapping.ldap.ssl.keystore.password`, at the same time, make sure `hadoop.security.credential.clear-text-fallback` is true.
Alternatively, store the keystore password in a file, and point `hadoop.security.group.mapping.ldap.ssl.keystore.password.file` to that file. For security purposes, this file should be readable only by the Unix user running the daemons. Alternatively, store the keystore password in a file, and point `hadoop.security.group.mapping.ldap.ssl.keystore.password.file` to that file.
For security purposes, this file should be readable only by the Unix user running the daemons, and for preventing recursive dependency, this file should be a local file.
The first approach aka using `hadoop.security.group.mapping.ldap.ssl.keystore.password` is highly discouraged because it exposes the password in the configuration file.
### Low latency group mapping resolution ### ### Low latency group mapping resolution ###
Typically, Hadoop resolves a user's group names by making two LDAP queries: the first query gets the user object, and the second query uses the user's Distinguished Name to find the groups. Typically, Hadoop resolves a user's group names by making two LDAP queries: the first query gets the user object, and the second query uses the user's Distinguished Name to find the groups.