hadoop/hadoop-project-dist/hadoop-common/CredentialProviderAPI.html

834 lines
53 KiB
HTML

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--
| Generated by Apache Maven Doxia at 2023-03-08
| Rendered using Apache Maven Stylus Skin 1.5
-->
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Apache Hadoop 3.4.0-SNAPSHOT &#x2013; CredentialProvider API Guide</title>
<style type="text/css" media="all">
@import url("./css/maven-base.css");
@import url("./css/maven-theme.css");
@import url("./css/site.css");
</style>
<link rel="stylesheet" href="./css/print.css" type="text/css" media="print" />
<meta name="Date-Revision-yyyymmdd" content="20230308" />
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
</head>
<body class="composite">
<div id="banner">
<a href="http://hadoop.apache.org/" id="bannerLeft">
<img src="http://hadoop.apache.org/images/hadoop-logo.jpg" alt="" />
</a>
<a href="http://www.apache.org/" id="bannerRight">
<img src="http://www.apache.org/images/asf_logo_wide.png" alt="" />
</a>
<div class="clear">
<hr/>
</div>
</div>
<div id="breadcrumbs">
<div class="xright"> <a href="http://wiki.apache.org/hadoop" class="externalLink">Wiki</a>
|
<a href="https://gitbox.apache.org/repos/asf/hadoop.git" class="externalLink">git</a>
|
<a href="http://hadoop.apache.org/" class="externalLink">Apache Hadoop</a>
&nbsp;| Last Published: 2023-03-08
&nbsp;| Version: 3.4.0-SNAPSHOT
</div>
<div class="clear">
<hr/>
</div>
</div>
<div id="leftColumn">
<div id="navcolumn">
<h5>General</h5>
<ul>
<li class="none">
<a href="../../index.html">Overview</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-common/SingleCluster.html">Single Node Setup</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-common/ClusterSetup.html">Cluster Setup</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-common/CommandsManual.html">Commands Reference</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-common/FileSystemShell.html">FileSystem Shell</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-common/Compatibility.html">Compatibility Specification</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-common/DownstreamDev.html">Downstream Developer's Guide</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-common/AdminCompatibilityGuide.html">Admin Compatibility Guide</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-common/InterfaceClassification.html">Interface Classification</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-common/filesystem/index.html">FileSystem Specification</a>
</li>
</ul>
<h5>Common</h5>
<ul>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-common/CLIMiniCluster.html">CLI Mini Cluster</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-common/FairCallQueue.html">Fair Call Queue</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-common/NativeLibraries.html">Native Libraries</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-common/Superusers.html">Proxy User</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-common/RackAwareness.html">Rack Awareness</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-common/SecureMode.html">Secure Mode</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-common/ServiceLevelAuth.html">Service Level Authorization</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-common/HttpAuthentication.html">HTTP Authentication</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-common/CredentialProviderAPI.html">Credential Provider API</a>
</li>
<li class="none">
<a href="../../hadoop-kms/index.html">Hadoop KMS</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-common/Tracing.html">Tracing</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-common/UnixShellGuide.html">Unix Shell Guide</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-common/registry/index.html">Registry</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-common/AsyncProfilerServlet.html">Async Profiler</a>
</li>
</ul>
<h5>HDFS</h5>
<ul>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-hdfs/HdfsDesign.html">Architecture</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-hdfs/HdfsUserGuide.html">User Guide</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-hdfs/HDFSCommands.html">Commands Reference</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-hdfs/HDFSHighAvailabilityWithQJM.html">NameNode HA With QJM</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-hdfs/HDFSHighAvailabilityWithNFS.html">NameNode HA With NFS</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-hdfs/ObserverNameNode.html">Observer NameNode</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-hdfs/Federation.html">Federation</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-hdfs/ViewFs.html">ViewFs</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-hdfs/ViewFsOverloadScheme.html">ViewFsOverloadScheme</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-hdfs/HdfsSnapshots.html">Snapshots</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-hdfs/HdfsEditsViewer.html">Edits Viewer</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-hdfs/HdfsImageViewer.html">Image Viewer</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-hdfs/HdfsPermissionsGuide.html">Permissions and HDFS</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-hdfs/HdfsQuotaAdminGuide.html">Quotas and HDFS</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-hdfs/LibHdfs.html">libhdfs (C API)</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-hdfs/WebHDFS.html">WebHDFS (REST API)</a>
</li>
<li class="none">
<a href="../../hadoop-hdfs-httpfs/index.html">HttpFS</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-hdfs/ShortCircuitLocalReads.html">Short Circuit Local Reads</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-hdfs/CentralizedCacheManagement.html">Centralized Cache Management</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-hdfs/HdfsNfsGateway.html">NFS Gateway</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-hdfs/HdfsRollingUpgrade.html">Rolling Upgrade</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-hdfs/ExtendedAttributes.html">Extended Attributes</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-hdfs/TransparentEncryption.html">Transparent Encryption</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-hdfs/HdfsMultihoming.html">Multihoming</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-hdfs/ArchivalStorage.html">Storage Policies</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-hdfs/MemoryStorage.html">Memory Storage Support</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-hdfs/SLGUserGuide.html">Synthetic Load Generator</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-hdfs/HDFSErasureCoding.html">Erasure Coding</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-hdfs/HDFSDiskbalancer.html">Disk Balancer</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-hdfs/HdfsUpgradeDomain.html">Upgrade Domain</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-hdfs/HdfsDataNodeAdminGuide.html">DataNode Admin</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-hdfs-rbf/HDFSRouterFederation.html">Router Federation</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-hdfs/HdfsProvidedStorage.html">Provided Storage</a>
</li>
</ul>
<h5>MapReduce</h5>
<ul>
<li class="none">
<a href="../../hadoop-mapreduce-client/hadoop-mapreduce-client-core/MapReduceTutorial.html">Tutorial</a>
</li>
<li class="none">
<a href="../../hadoop-mapreduce-client/hadoop-mapreduce-client-core/MapredCommands.html">Commands Reference</a>
</li>
<li class="none">
<a href="../../hadoop-mapreduce-client/hadoop-mapreduce-client-core/MapReduce_Compatibility_Hadoop1_Hadoop2.html">Compatibility with 1.x</a>
</li>
<li class="none">
<a href="../../hadoop-mapreduce-client/hadoop-mapreduce-client-core/EncryptedShuffle.html">Encrypted Shuffle</a>
</li>
<li class="none">
<a href="../../hadoop-mapreduce-client/hadoop-mapreduce-client-core/PluggableShuffleAndPluggableSort.html">Pluggable Shuffle/Sort</a>
</li>
<li class="none">
<a href="../../hadoop-mapreduce-client/hadoop-mapreduce-client-core/DistributedCacheDeploy.html">Distributed Cache Deploy</a>
</li>
<li class="none">
<a href="../../hadoop-mapreduce-client/hadoop-mapreduce-client-core/SharedCacheSupport.html">Support for YARN Shared Cache</a>
</li>
</ul>
<h5>MapReduce REST APIs</h5>
<ul>
<li class="none">
<a href="../../hadoop-mapreduce-client/hadoop-mapreduce-client-core/MapredAppMasterRest.html">MR Application Master</a>
</li>
<li class="none">
<a href="../../hadoop-mapreduce-client/hadoop-mapreduce-client-hs/HistoryServerRest.html">MR History Server</a>
</li>
</ul>
<h5>YARN</h5>
<ul>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/YARN.html">Architecture</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/YarnCommands.html">Commands Reference</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/CapacityScheduler.html">Capacity Scheduler</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/FairScheduler.html">Fair Scheduler</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/ResourceManagerRestart.html">ResourceManager Restart</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/ResourceManagerHA.html">ResourceManager HA</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/ResourceModel.html">Resource Model</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/NodeLabel.html">Node Labels</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/NodeAttributes.html">Node Attributes</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/WebApplicationProxy.html">Web Application Proxy</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/TimelineServer.html">Timeline Server</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/TimelineServiceV2.html">Timeline Service V.2</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/WritingYarnApplications.html">Writing YARN Applications</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/YarnApplicationSecurity.html">YARN Application Security</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/NodeManager.html">NodeManager</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/DockerContainers.html">Running Applications in Docker Containers</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/RuncContainers.html">Running Applications in runC Containers</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/NodeManagerCgroups.html">Using CGroups</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/SecureContainer.html">Secure Containers</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/ReservationSystem.html">Reservation System</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/GracefulDecommission.html">Graceful Decommission</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/OpportunisticContainers.html">Opportunistic Containers</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/Federation.html">YARN Federation</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/SharedCache.html">Shared Cache</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/UsingGpus.html">Using GPU</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/UsingFPGA.html">Using FPGA</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/PlacementConstraints.html">Placement Constraints</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/YarnUI2.html">YARN UI2</a>
</li>
</ul>
<h5>YARN REST APIs</h5>
<ul>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/WebServicesIntro.html">Introduction</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/ResourceManagerRest.html">Resource Manager</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/NodeManagerRest.html">Node Manager</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/TimelineServer.html#Timeline_Server_REST_API_v1">Timeline Server</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/TimelineServiceV2.html#Timeline_Service_v.2_REST_API">Timeline Service V.2</a>
</li>
</ul>
<h5>YARN Service</h5>
<ul>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/yarn-service/Overview.html">Overview</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/yarn-service/QuickStart.html">QuickStart</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/yarn-service/Concepts.html">Concepts</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/yarn-service/YarnServiceAPI.html">Yarn Service API</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/yarn-service/ServiceDiscovery.html">Service Discovery</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-site/yarn-service/SystemServices.html">System Services</a>
</li>
</ul>
<h5>Hadoop Compatible File Systems</h5>
<ul>
<li class="none">
<a href="../../hadoop-aliyun/tools/hadoop-aliyun/index.html">Aliyun OSS</a>
</li>
<li class="none">
<a href="../../hadoop-aws/tools/hadoop-aws/index.html">Amazon S3</a>
</li>
<li class="none">
<a href="../../hadoop-azure/index.html">Azure Blob Storage</a>
</li>
<li class="none">
<a href="../../hadoop-azure-datalake/index.html">Azure Data Lake Storage</a>
</li>
<li class="none">
<a href="../../hadoop-cos/cloud-storage/index.html">Tencent COS</a>
</li>
<li class="none">
<a href="../../hadoop-huaweicloud/cloud-storage/index.html">Huaweicloud OBS</a>
</li>
</ul>
<h5>Auth</h5>
<ul>
<li class="none">
<a href="../../hadoop-auth/index.html">Overview</a>
</li>
<li class="none">
<a href="../../hadoop-auth/Examples.html">Examples</a>
</li>
<li class="none">
<a href="../../hadoop-auth/Configuration.html">Configuration</a>
</li>
<li class="none">
<a href="../../hadoop-auth/BuildingIt.html">Building</a>
</li>
</ul>
<h5>Tools</h5>
<ul>
<li class="none">
<a href="../../hadoop-streaming/HadoopStreaming.html">Hadoop Streaming</a>
</li>
<li class="none">
<a href="../../hadoop-archives/HadoopArchives.html">Hadoop Archives</a>
</li>
<li class="none">
<a href="../../hadoop-archive-logs/HadoopArchiveLogs.html">Hadoop Archive Logs</a>
</li>
<li class="none">
<a href="../../hadoop-distcp/DistCp.html">DistCp</a>
</li>
<li class="none">
<a href="../../hadoop-federation-balance/HDFSFederationBalance.html">HDFS Federation Balance</a>
</li>
<li class="none">
<a href="../../hadoop-gridmix/GridMix.html">GridMix</a>
</li>
<li class="none">
<a href="../../hadoop-rumen/Rumen.html">Rumen</a>
</li>
<li class="none">
<a href="../../hadoop-resourceestimator/ResourceEstimator.html">Resource Estimator Service</a>
</li>
<li class="none">
<a href="../../hadoop-sls/SchedulerLoadSimulator.html">Scheduler Load Simulator</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-common/Benchmarking.html">Hadoop Benchmarking</a>
</li>
<li class="none">
<a href="../../hadoop-dynamometer/Dynamometer.html">Dynamometer</a>
</li>
</ul>
<h5>Reference</h5>
<ul>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-common/release/">Changelog and Release Notes</a>
</li>
<li class="none">
<a href="../../api/index.html">Java API docs</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-common/UnixShellAPI.html">Unix Shell API</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-common/Metrics.html">Metrics</a>
</li>
</ul>
<h5>Configuration</h5>
<ul>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-common/core-default.xml">core-default.xml</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-hdfs/hdfs-default.xml">hdfs-default.xml</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-hdfs-rbf/hdfs-rbf-default.xml">hdfs-rbf-default.xml</a>
</li>
<li class="none">
<a href="../../hadoop-mapreduce-client/hadoop-mapreduce-client-core/mapred-default.xml">mapred-default.xml</a>
</li>
<li class="none">
<a href="../../hadoop-yarn/hadoop-yarn-common/yarn-default.xml">yarn-default.xml</a>
</li>
<li class="none">
<a href="../../hadoop-kms/kms-default.html">kms-default.xml</a>
</li>
<li class="none">
<a href="../../hadoop-hdfs-httpfs/httpfs-default.html">httpfs-default.xml</a>
</li>
<li class="none">
<a href="../../hadoop-project-dist/hadoop-common/DeprecatedProperties.html">Deprecated Properties</a>
</li>
</ul>
<a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy">
<img alt="Built by Maven" src="./images/logos/maven-feather.png"/>
</a>
</div>
</div>
<div id="bodyColumn">
<div id="contentBox">
<!---
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License. See accompanying LICENSE file.
-->
<h1>CredentialProvider API Guide</h1>
<ul>
<li><a href="#Overview">Overview</a></li>
<li><a href="#Usage">Usage</a>
<ul>
<li><a href="#Usage_Overview">Usage Overview</a>
<ul>
<li><a href="#a"></a></li></ul></li>
<li><a href="#Credential_Management">Credential Management</a>
<ul>
<li><a href="#The_hadoop_credential_Command">The hadoop credential Command</a></li>
<li><a href="#Provider_Types">Provider Types</a></li>
<li><a href="#Keystore_Passwords">Keystore Passwords</a></li>
<li><a href="#Disabling_fallback_to_plain_text">Disabling fallback to plain text</a></li></ul></li></ul></li></ul>
<section>
<h2><a name="Overview"></a>Overview</h2>
<p>The CredentialProvider API is an SPI framework for plugging in extensible credential providers. Credential providers are used to separate the use of sensitive tokens, secrets and passwords from the details of their storage and management. The ability to choose various storage mechanisms for protecting these credentials allows us to keep such sensitive assets out of clear text, away from prying eyes and potentially to be managed by third party solutions.</p>
<p>This document aims to describe the design of the CredentialProvider API, the out of the box implementations, where they are used and how to adopt their use.</p></section><section>
<h2><a name="Usage"></a>Usage</h2><section>
<h3><a name="Usage_Overview"></a>Usage Overview</h3>
<p>Let&#x2019;s provide a quick overview of the use of the credential provider framework for protecting passwords or other sensitive tokens in hadoop.</p><section><section>
<h5><a name="Why_is_it_used.3F"></a>Why is it used?</h5>
<p>There are certain deployments that are very sensitive to how sensitive tokens like passwords are stored and managed within the cluster. For instance, there may be security best practices and policies in place that require such things to never be stored in clear text, for example. Enterprise deployments may be required to use a preferred solution for managing credentials and we need a way to plug in integrations for them.</p></section><section>
<h5><a name="General_Usage_Pattern"></a>General Usage Pattern</h5>
<p>There are numerous places within the Hadoop project and ecosystem that can leverage the credential provider API today and the number continues to grow. In general, the usage pattern consists of the same requirements and flow.</p>
<ol style="list-style-type: decimal">
<li>Provision credentials within provider specific stores. This provisioning may be accomplished through the hadoop credential command or possibly through provider specific management tools.</li>
<li>Configure the credential provider path property. The provider path property <code>hadoop.security.credential.provider.path</code> is a comma separated list of one or more credential provider URIs that is traversed while trying to resolve a credential alias.
<ul>
<li>This property may be configured within core-site.xml or a component specific configuration file that is merged with core-site.xml.</li>
<li>For command line interfaces, such as that for DistCp, the property can be added with a hadoop system property (&#x201c;-D <i>property=value</i>&#x201d;) and dynamically added to the Configuration.</li>
</ul>
</li>
<li>Features or components that leverage the new <a href="../../api/org/apache/hadoop/conf/Configuration.html#getPassword-java.lang.String-">Configuration.getPassword</a> method to resolve their credentials will automatically pick up support for the credential provider API.
<ul>
<li>By using the same property names as are used for existing clear text passwords, this mechanism allows for the migration to credential providers while providing backward compatibility for clear text.</li>
<li>The entire credential provider path is interrogated before falling back to clear text passwords in config.</li>
</ul>
</li>
<li>Features or components that do not use Hadoop&#x2019;s <code>org.apache.hadoop.conf.Configuration</code> class for configuration or have other internal uses for the credential providers may choose to use the <code>CredentialProvider</code> API itself. An example of its use can be found within <a href="../../api/org/apache/hadoop/conf/Configuration.html#getPassword-java.lang.String-">Configuration.getPassword</a> and within its unit tests.</li>
</ol></section><section>
<h5><a name="Provision_Credentials"></a>Provision Credentials</h5>
<p>Example: <code>ssl.server.keystore.password</code></p>
<div class="source">
<div class="source">
<pre>hadoop credential create ssl.server.keystore.password -value 123 \
-provider localjceks://file/home/lmccay/aws.jceks
</pre></div></div>
<p>The alias names are the same as the configuration properties that were used to get the credentials from the <code>Configuration.get()</code> methods.</p></section><section>
<h5><a name="Configuring_the_Provider_Path"></a>Configuring the Provider Path</h5>
<p>Now, we need to make sure that this provisioned credential store is known at runtime by the <a href="../../api/org/apache/hadoop/conf/Configuration.html#getPassword-java.lang.String-">Configuration.getPassword</a> method. If there is no credential provider path configuration then <code>Configuration.getPassword()</code> will skip the credential provider API interrogation. So, it is important that the following be configured within <code>core-site.xml</code> or your component&#x2019;s equivalent.</p>
<div class="source">
<div class="source">
<pre>&lt;property&gt;
&lt;name&gt;hadoop.security.credential.provider.path&lt;/name&gt;
&lt;value&gt;localjceks://file/home/lmccay/aws.jceks&lt;/value&gt;
&lt;description&gt;Path to interrogate for protected credentials.&lt;/description&gt;
&lt;/property&gt;
</pre></div></div>
<p>A couple additional things to note about the provider path:</p>
<ol style="list-style-type: decimal">
<li>The scheme is used to indicate the type of provider in the above case the <code>localjceks</code> provider does not have a dependency on the Hadoop FileSystem APIs. and is needed sometimes to avoid a recursive dependency. Another provider represented by <code>jceks</code>, does use the Hadoop FileSystem APIs and can support keystores provisioned within HDFS or other compatible filesystems. A third provider type is the <code>user</code> type. This provider can manage credentials stored within the Credentials file for a process.</li>
<li>The path configuration accepts a comma separated path of providers or credential stores. The <a href="../../api/org/apache/hadoop/conf/Configuration.html#getPassword-java.lang.String-">Configuration.getPassword</a> method will query each of the providers, in order until it resolves the alias or exhausts the list. Depending on the runtime needs for credentials, we may need to configure a chain of providers to check.</li>
</ol>
<p>In summary, first, provision the credentials into a provider then configure the provider for use by a feature or component and it will often just be picked up through the use of the <a href="../../api/org/apache/hadoop/conf/Configuration.html#getPassword-java.lang.String-">Configuration.getPassword</a> method.</p></section><section>
<h5><a name="Supported_Features"></a>Supported Features</h5>
<table border="0" class="bodyTable">
<thead>
<tr class="a">
<th align="left"> Feature\Component </th>
<th align="left"> Description </th>
<th align="left"> Link </th></tr>
</thead><tbody>
<tr class="b">
<td align="left">LDAPGroupsMapping </td>
<td align="left">LDAPGroupsMapping is used to look up the groups for a given user in LDAP. The CredentialProvider API is used to protect the LDAP bind password and those needed for SSL.</td>
<td align="left"><a href="GroupsMapping.html#LDAP_Groups_Mapping">LDAP Groups Mapping</a></td></tr>
<tr class="a">
<td align="left">SSL Passwords </td>
<td align="left">FileBasedKeyStoresFactory leverages the credential provider API in order to resolve the SSL related passwords.</td>
<td align="left">TODO</td></tr>
<tr class="b">
<td align="left">HDFS </td>
<td align="left">DFSUtil uses <code>Configuration.getPassword()</code> use the credential provider API and/or fallback to the clear text value stored in <code>ssl-server.xml</code>. Zookeeper-based federation state store and failover controller use Configuration.getPassword to get the Zookeeper authentication info, with fallback provided to clear text auth info.</td>
<td align="left">TODO</td></tr>
<tr class="a">
<td align="left">YARN </td>
<td align="left">WebAppUtils uptakes the use of the credential provider API through the new method on Configuration called getPassword. This provides an alternative to storing the passwords in clear text within the ssl-server.xml file while maintaining backward compatibility. Zookeeper based resource manager state store uses Configuration.getPassword to get the Zookeeper authentication info, with fallback provided to clear text auth info.</td>
<td align="left">TODO</td></tr>
<tr class="b">
<td align="left">KMS </td>
<td align="left">Uses HttpServer2.loadSSLConfiguration that leverages Configuration.getPassword to read SSL related credentials. They may be resolved through Credential Provider and/or from the clear text in the config when allowed.</td>
<td align="left"><a href="../../hadoop-kms/index.html">KMS</a></td></tr>
<tr class="a">
<td align="left">HttpFS </td>
<td align="left">Uses HttpServer2.loadSSLConfiguration that leverages Configuration.getPassword to read SSL related credentials. They may be resolved through Credential Provider and/or from the clear text in the config when allowed.</td>
<td align="left"><a href="../../hadoop-hdfs-httpfs/ServerSetup.html">HttpFS Server Setup</a></td></tr>
<tr class="b">
<td align="left">AWS <br /> S3A </td>
<td align="left">Uses <code>Configuration.getPassword</code> to get the S3 credentials. They may be resolved through the credential provider API or from the config for backward compatibility.</td>
<td align="left"><a href="../../hadoop-aws/tools/hadoop-aws/index.html">AWS S3/S3A Usage</a></td></tr>
<tr class="a">
<td align="left">Azure <br /> WASB </td>
<td align="left">Uses <code>Configuration.getPassword</code> to get the WASB credentials. They may be resolved through the credential provider API or from the config for backward compatibility.</td>
<td align="left"><a href="../../hadoop-azure/index.html">Azure WASB Usage</a></td></tr>
<tr class="b">
<td align="left">Azure <br /> ADLS </td>
<td align="left">Uses <code>Configuration.getPassword</code> to get the ADLS credentials. They may be resolved through the credential provider API or from the config for backward compatibility.</td>
<td align="left"><a href="../../hadoop-azure-datalake/index.html">Azure ADLS Usage</a></td></tr>
<tr class="a">
<td align="left">Apache <br /> Accumulo</td>
<td align="left">The trace.password property is used by the Tracer to authenticate with Accumulo and persist the traces in the trace table. The credential provider API is used to acquire the trace.password from a provider or from configuration for backward compatibility.</td>
<td align="left">TODO</td></tr>
<tr class="b">
<td align="left">Apache <br /> Slider </td>
<td align="left">A capability has been added to Slider to prompt the user for needed passwords and store them using CredentialProvider so they can be retrieved by an app later.</td>
<td align="left">TODO</td></tr>
<tr class="a">
<td align="left">Apache <br /> Hive </td>
<td align="left">Protection of the metastore password, SSL related passwords and JDO string password has been added through the use of the Credential Provider API</td>
<td align="left">TODO</td></tr>
<tr class="b">
<td align="left">Apache <br /> HBase </td>
<td align="left">The HBase RESTServer is using the new Configuration.getPassword method so that the credential provider API will be checked first then fall back to clear text - when allowed.</td>
<td align="left">TODO</td></tr>
<tr class="a">
<td align="left">Apache <br /> Oozie </td>
<td align="left">Protects SSL, email and JDBC passwords using the credential provider API.</td>
<td align="left">TODO</td></tr>
<tr class="b">
<td align="left">Apache <br /> Ranger </td>
<td align="left">Protects database, trust and keystore passwords using the credential provider API.</td>
<td align="left">TODO</td></tr>
</tbody>
</table></section></section></section><section>
<h3><a name="Credential_Management"></a>Credential Management</h3><section>
<h4><a name="The_hadoop_credential_Command"></a>The <code>hadoop credential</code> Command</h4>
<p>Usage: <code>hadoop credential &lt;subcommand&gt; [options]</code></p>
<p>See the command options detail in the <a href="CommandsManual.html#credential">Commands Manual</a></p>
<p>The credential command can be for provisioning a password or secret to a particular credential store provider. In order to explicitly indicate which provider store to use the <code>-provider</code> option should be used.</p>
<p>Example: <code>hadoop credential create ssl.server.keystore.password -provider jceks://file/tmp/test.jceks</code></p>
<p>In order to indicate a particular provider type and location, the user must provide the <code>hadoop.security.credential.provider.path</code> configuration element in core-site.xml or use the command line option <code>-provider</code> on each of the credential management commands. This provider path is a comma-separated list of URLs that indicates the type and location of a list of providers that should be consulted. For example, the following path: <code>user:///,jceks://file/tmp/test.jceks,jceks://hdfs@nn1.example.com/my/path/test.jceks</code> indicates that the current user&#x2019;s credentials file should be consulted through the User Provider, that the local file located at <code>/tmp/test.jceks</code> is a Java Keystore Provider and that the file located within HDFS at <code>nn1.example.com/my/path/test.jceks</code> is also a store for a Java Keystore Provider.</p></section><section>
<h4><a name="Provider_Types"></a>Provider Types</h4>
<ol style="list-style-type: decimal">
<li>The <code>UserProvider</code>, which is represented by the provider URI <code>user:///</code>, is used to retrieve credentials from a user&#x2019;s Credentials file. This file is used to store various tokens, secrets and passwords that are needed by executing jobs and applications.</li>
<li>The <code>JavaKeyStoreProvider</code>, which is represented by the provider URI <code>jceks://SCHEME/path-to-keystore</code>, is used to retrieve credentials from a Java keystore file in a filesystem <code>&lt;SCHEME&gt;</code> The underlying use of the Hadoop filesystem API allows credentials to be stored on the local filesystem or within cluster stores.</li>
<li>The <code>LocalJavaKeyStoreProvider</code>, which is represented by the provider URI <code>localjceks://file/path-to-keystore</code>, is used to access credentials from a Java keystore that must be stored on the local filesystem. This is needed for credentials that would result in a recursive dependency on accessing HDFS. Anytime that your credential is required to gain access to HDFS we can&#x2019;t depend on getting a credential out of HDFS to do so.</li>
<li>The <code>BouncyCastleFIPSKeyStoreProvider</code>, which is represented by the provider URI <code>bcfks://SCHEME/path-to-keystore</code>, is used to retrieve credentials from a Bouncy Castle FIPS keystore file in a file system <code>&lt;SCHEME&gt;</code> The underlying use of the Hadoop filesystem API allows credentials to be stored on the local filesystem or within cluster stores.</li>
<li>The <code>LocalBcouncyCastleFIPSKeyStoreProvider</code>, which is represented by the provider URI <code>localbcfks://file/path-to-keystore</code>, is used to access credentials from a Bouncy Castle FIPS keystore that must be stored on the local filesystem. This is needed for credentials that would result in a recursive dependency on accessing HDFS. Anytime that your credential is required to gain access to HDFS we can&#x2019;t depend on getting a credential out of HDFS to do so.</li>
</ol>
<p>When credentials are stored in a filesystem, the following rules apply:</p>
<ul>
<li>
<p>Credentials stored in local <code>localjceks://</code> or <code>localbcfks://</code> files are loaded in the process reading in the configuration. For use in a YARN application, this means that they must be visible across the entire cluster, in the local filesystems of the hosts.</p>
</li>
<li>
<p>Credentials stored with the <code>jceks://</code> or <code>bcfks://</code> provider can be stored in the cluster filesystem, and so visible across the cluster &#x2014;but not in the filesystem which requires the specific credentials for their access.</p>
</li>
</ul>
<p>To wrap filesystem URIs with a <code>jceks</code> URI follow these steps. Bouncy Castle FIPS provider follows a similar step by replacing <code>jceks</code> with <code>bcfks</code> along with OS/JDK level FIPS provider configured.</p>
<ol style="list-style-type: decimal">
<li>Take a filesystem URI such as <code>hdfs://namenode:9001/users/alice/secrets.jceks</code></li>
<li>Place <code>jceks://</code> in front of the URL: <code>jceks://hdfs://namenode:9001/users/alice/secrets.jceks</code></li>
<li>Replace the second <code>://</code> string with an <code>@</code> symbol: <code>jceks://hdfs@namenode:9001/users/alice/secrets.jceks</code></li>
</ol>
<p><i>Examples</i></p>
<p>For a local filesystem, a path such as <code>file:///tmp/secrets.jceks</code> would become: <code>jceks://file/tmp/secrets.jceks</code></p>
<table border="0" class="bodyTable">
<thead>
<tr class="a">
<th> Path URI </th>
<th> jceks URI </th></tr>
</thead><tbody>
<tr class="b">
<td> <code>hdfs://namenode.example.org:9001/user/alice/secret.jceks</code> </td>
<td> <code>jceks://hdfs@namenode.example.org:9001/user/alice/secret.jceks</code> </td></tr>
<tr class="a">
<td> <code>file:///tmp/secrets.jceks</code> </td>
<td> <code>jceks://file/tmp/secret.jceks</code> </td></tr>
<tr class="b">
<td> <code>s3a://container1/secrets/secret.jceks</code> </td>
<td> <code>jceks://s3a@container1/secrets/secret.jceks</code> </td></tr>
<tr class="a">
<td> <code>wasb://account@container/secret.jceks</code> </td>
<td> <code>jceks://wasb@account@container/secret.jceks</code> </td></tr>
<tr class="b">
<td> <code>abfs://account@container/secret.jceks</code> </td>
<td> <code>jceks://abfs@account@container/secret.jceks</code> </td></tr>
<tr class="a">
<td> <code>https://user:pass@service/secret.jceks?token=aia</code> </td>
<td> <code>jceks://https@user:pass@service/secret.jceks?token=aia</code> </td></tr>
</tbody>
</table>
<p>Note that to avoid infinite recursion, filesystems such as <code>abfs</code>, <code>s3a</code>, <code>adls</code> and <code>wasb</code> explicitly exclude keystores stored on paths in their own filesystem schemes, even if they are stored in a container which uses a different set of credentials from those being looked up.</p>
<p>As an example, you cannot use credentials stored in <code>s3a://shared/secrets/secret.jceks</code> to read the credentials for the container <code>s3a://private/</code> .</p></section><section>
<h4><a name="Keystore_Passwords"></a>Keystore Passwords</h4>
<p>Keystores in Java are generally protected by passwords. The primary method of protection of the keystore-based credential providers are OS-level file permissions and any other policy based access protection that may exist for the target filesystem. While the password is not a primary source of protection, it is very important to understand the mechanics required and options available for managing these passwords. It is also very important to understand all the parties that will need access to the password used to protect the keystores in order to consume them at runtime.</p><section>
<h5><a name="Options"></a>Options</h5>
<table border="0" class="bodyTable">
<thead>
<tr class="a">
<th align="left"> Option </th>
<th align="left"> Description </th>
<th align="left"> Notes </th></tr>
</thead><tbody>
<tr class="b">
<td align="left">Default password </td>
<td align="left">This is a harcoded password of &#x201c;none&#x201d;. </td>
<td align="left">This is a hardcoded password in an open source project and as such has obvious disadvantages. However, the mechanics section will show that it is simpler and consequently nearly as secure as the other more complex options.</td></tr>
<tr class="a">
<td align="left">Environment variable</td>
<td align="left"><code>HADOOP_CREDSTORE_PASSWORD</code></td>
<td align="left">This option uses an environment variable to communicate the password that should be used when interrogating all of the keystores that are configured in the <code>hadoop.security.credential.provider.path</code> configuration property. All of the keystore based providers in the path will need to be protected by the same password.</td></tr>
<tr class="b">
<td align="left">Password-file</td>
<td align="left"><code>hadoop.security.credstore.java-keystore-provider.password-file</code></td>
<td align="left">This option uses a &#x201c;side file&#x201d; that has its location configured in the <code>hadoop.security.credstore.java-keystore-provider.password-file</code> configuration property to communicate the password that should be used when interrogating all of the keystores that are configured in the <code>hadoop.security.credential.provider.path</code> configuration property.</td></tr>
</tbody>
</table></section><section>
<h5><a name="Mechanics"></a>Mechanics</h5>
<p>Extremely important to consider that <i>all</i> of the runtime consumers of the credential being protected (mapreduce jobs/applications) will need to have access to the password used to protect the keystore providers. Communicating this password can be done a number of ways and they are described in the Options section above.</p>
<table border="0" class="bodyTable">
<thead>
<tr class="a">
<th align="left">Keystore Password</th>
<th align="left"> Description</th>
<th align="left">Sync Required</th>
<th align="left">Clear Text</th>
<th align="left">File Permissions</th></tr>
</thead><tbody>
<tr class="b">
<td align="left">Default Password</td>
<td align="left">Hardcoded password is the default. Essentially, when using the default password for all keystore-based credential stores, we are leveraging the file permissions to protect the credential store and the keystore password is just a formality of persisting the keystore.</td>
<td align="left">No</td>
<td align="left">Yes</td>
<td align="left">No (documented)</td></tr>
<tr class="a">
<td align="left">Environment Variable</td>
<td align="left">The <code>HADOOP_CREDSTORE_PASSWORD</code> environment variable must be set to the custom password for all keystores that may be configured in the provider path of any process that needs to access credentials from a keystore-based credential provider. There is only one env variable for the entire path of comma-separated providers. It is difficult to know the passwords required for each keystore and it is suggested that the same be used for all keystore-based credential providers to avoid this issue. Setting the environment variable will likely require it to be set from a script or some other clear text storage mechanism. Environment variables for running processes are available from various unix commands.</td>
<td align="left">Yes</td>
<td align="left">Yes</td>
<td align="left">No</td></tr>
<tr class="b">
<td align="left">Password File</td>
<td align="left"><code>hadoop.security.credstore.java-keystore-provider.password-file</code> configuration property must be set to the location of the &#x201c;side file&#x201d; that contains the custom password for all keystores that may be configured in the provider path. Any process that needs to access credentials from a keystore-based credential provider will need to have this configuration property set to the appropriate file location. There is only one password-file for the entire path of comma separated providers. It is difficult to know the passwords required for each keystore and it is therefore suggested that the same be used for all keystore-based credential providers to avoid this issue. Password-files are additional files that need to be managed, store the password in clear text and need file permissions to be set such that only those that need access to them have it. If file permissions are set inappropriately the password to access the keystores is available in clear text.</td>
<td align="left">Yes</td>
<td align="left">Yes</td>
<td align="left">Yes</td></tr>
</tbody>
</table>
<p>The use of the default password means that no additional communication/synchronization to runtime consumers needs to be done. The default password is known but file permissions are the primary protection of the keystore.</p>
<p>When file permissions are thwarted, unlike &#x201c;side files&#x201d;, there are no standard tools that can expose the protected credentials - even with the password known. Keytool requires a password that is six characters or more and doesn&#x2019;t know how to retrieve general secrets from a keystore. It is also limited to PKI keypairs. Editors will not reveal the secrets stored within the keystore, nor will <code>cat</code>, <code>more</code> or any other standard tools. This is why the keystore providers are better than &#x201c;side file&#x201d; storage of credentials.</p>
<p>That said, it is trivial for someone to write code to access the credentials stored within a keystore-based credential provider using the API. Again, when using the default password, the password is merely a formality of persisting the keystore. The <i>only</i> protection is file permissions and OS level access policy.</p>
<p>Users may decide to use a password &#x201c;side file&#x201d; to store the password for the keystores themselves and this is supported. It is just really important to be aware of the mechanics required for this level of correctness.</p></section></section><section>
<h4><a name="Disabling_fallback_to_plain_text"></a>Disabling fallback to plain text</h4>
<p>The <code>Credentials.getPassword()</code> operation falls back to using entries in the configuration XML files if there are no credential providers, or if a key cannot be found.</p>
<p>This action can be disabled by changing the configuration option <code>hadoop.security.credential.clear-text-fallback</code> from <code>true</code> to <code>false</code>:</p>
<div class="source">
<div class="source">
<pre>&lt;property&gt;
&lt;name&gt;hadoop.security.credential.clear-text-fallback&lt;/name&gt;
&lt;value&gt;false&lt;/value&gt;
&lt;description&gt;
true or false to indicate whether or not to fall back to storing credential
password as clear text. The default value is true. This property only works
when the password can't not be found from credential providers.
&lt;/description&gt;
&lt;/property&gt;
</pre></div></div>
<p>Once set, <i>all configuration options looked up via the <code>getPassword()</code> API must be served via a credential provider</i>.</p></section></section></section>
</div>
</div>
<div class="clear">
<hr/>
</div>
<div id="footer">
<div class="xright">
&#169; 2008-2023
Apache Software Foundation
- <a href="http://maven.apache.org/privacy-policy.html">Privacy Policy</a>.
Apache Maven, Maven, Apache, the Apache feather logo, and the Apache Maven project logos are trademarks of The Apache Software Foundation.
</div>
<div class="clear">
<hr/>
</div>
</div>
</body>
</html>