[HADOOP-18066] AbstractJavaKeyStoreProvider: need a way to read credential store password from Configuration - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Wish
Status: Resolved
Priority: Major
Resolution: Invalid
Affects Version/s: None
Fix Version/s: None
Component/s: security
Labels:
- pull-request-available

Description

Codepath in focus is this

      password = ProviderUtils.locatePassword(CREDENTIAL_PASSWORD_ENV_VAR,
          conf.get(CREDENTIAL_PASSWORD_FILE_KEY));

Since ~~HIVE-14822~~, we can use custom keystore that Hiveserver2 propagates to jobs/tasks of different execution engines (mr, tez, spark).
We're able to pass any "jceks:" url, but not a password, e.g. on this codepath:

Caused by: java.security.UnrecoverableKeyException: Password verification failed
	at com.sun.crypto.provider.JceKeyStore.engineLoad(JceKeyStore.java:879) ~[sunjce_provider.jar:1.8.0_232]
	at java.security.KeyStore.load(KeyStore.java:1445) ~[?:1.8.0_232]
	at org.apache.hadoop.security.alias.AbstractJavaKeyStoreProvider.locateKeystore(AbstractJavaKeyStoreProvider.java:326) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
	at org.apache.hadoop.security.alias.AbstractJavaKeyStoreProvider.<init>(AbstractJavaKeyStoreProvider.java:86) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
	at org.apache.hadoop.security.alias.KeyStoreProvider.<init>(KeyStoreProvider.java:49) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
	at org.apache.hadoop.security.alias.JavaKeyStoreProvider.<init>(JavaKeyStoreProvider.java:42) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
	at org.apache.hadoop.security.alias.JavaKeyStoreProvider.<init>(JavaKeyStoreProvider.java:35) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
	at org.apache.hadoop.security.alias.JavaKeyStoreProvider$Factory.createProvider(JavaKeyStoreProvider.java:68) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
	at org.apache.hadoop.security.alias.CredentialProviderFactory.getProviders(CredentialProviderFactory.java:73) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
	at org.apache.hadoop.conf.Configuration.getPasswordFromCredentialProviders(Configuration.java:2409) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
	at org.apache.hadoop.conf.Configuration.getPassword(Configuration.java:2347) ~[hadoop-common-3.1.1.7.1.7.0-551.jar:?]
	at org.apache.hadoop.fs.azurebfs.AbfsConfiguration.getPasswordString(AbfsConfiguration.java:295) ~[hadoop-azure-3.1.1.7.1.7.0-551.jar:?]
	at org.apache.hadoop.fs.azurebfs.AbfsConfiguration.getTokenProvider(AbfsConfiguration.java:525) ~[hadoop-azure-3.1.1.7.1.7.0-551.jar:?]

Even there is a chance of reading a text file, it's not secure, we need to try reading a Configuration property first and if it's null, we can go to the environment variable.
Hacking the System.getenv() is only possible with reflection, doesn't look so good.

Attachments

Issue Links

blocks

HIVE-25829 Tez exec mode support for credential provider for jobs

Closed

is related to

HIVE-14822 Add support for credential provider for jobs launched from Hiveserver2

Resolved

links to

GitHub Pull Request #3865

Activity

People

Assignee:: Unassigned

Reporter:: László Bodor

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 05/Jan/22 15:22

Updated:: 15/Feb/22 17:56

Resolved:: 10/Jan/22 10:28

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

2h 50m