hadoop-common-issues mailing list archives

From "Larry McCay (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HADOOP-9534) Credential Management Framework (CMF)
Date Wed, 01 May 2013 17:20:16 GMT
Larry McCay created HADOOP-9534:

             Summary: Credential Management Framework (CMF)
                 Key: HADOOP-9534
                 URL: https://issues.apache.org/jira/browse/HADOOP-9534
             Project: Hadoop Common
          Issue Type: Sub-task
          Components: security
            Reporter: Larry McCay

The credential management framework consists of a library for securing, acquiring and rolling
credentials for a given Hadoop service.

Specifically the library will provide:

1. Password Indirection or Aliasing
2. Management of identity and trust keystores
3. Rolling of key pairs and credentials
4. Discovery of externally provisioned credentials
5. Service specific CMF secret protection

Password Indirection or Aliasing:
By providing alias based access to actual secrets stored within a service specific JCEKS keystore,
we are able to eliminate the need for any secret to be stored in clear text on the filesystem.
This is a current red flag during security reviews for many customers.

Management of Identity and Trust Keystores:
Service specific identity and trust keystores will be managed by a combination of the HSSO
service and CMF. 

Upon registration with the HSSO service a dependent service will be able to discover externally
provisioned keystores or have them created by the HSSO service on its behalf. The public key
of the HSSO service will be provided to the service to be imported into its service specific
trust store.

Service specific keystores and credential stores will be protected with the service specific
CMF secret.

Rolling of Keypairs and Credentials:
The ability to automate the rolling of PKI keypairs and credentials provides the services a
common facility for discovering new HSSO public keys and the need and means to roll their
own credentials while being able to retain a number of previous values (as needed).

Discovery of Externally Provisioned Credentials:
For environments that want control over the certificate generation and provisioning, CMF provides
the ability to discover preprovisioned artifacts based on naming conventions of the artifacts
and the use of the service specific CMF secret to access the credentials within the keystores.

Service Specific CMF Secret Protection:
By providing a common facility to prompt for and optionally persist a service specific CMF
secret at service installation/startup, we enable the ability to protect all the service specific
security artifacts with this protected secret. It is protected with a combination of AES 128
bit encryption and file permissions set for only the service specific OS user.
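The following is an added illustration, not code from the JIRA issue or from Hadoop, of the two mechanisms the description relies on: alias-based lookup of secrets in a service-specific JCEKS keystore (so configuration files carry only an alias, never the clear-text secret), and protection of that store with one service-specific master secret plus owner-only file permissions. The class name, alias, file name and sample secrets are constructed for the example. One caveat worth knowing before adopting this pattern: the JDK's JCEKS keystore protects each entry with the JCE provider's password-based encryption, not with AES-128 as the issue envisions, so a framework that wants AES-128 has to wrap the keystore password or the file itself separately.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.EnumSet;
import java.util.Set;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

/**
 * Hypothetical alias-based credential store (illustration only, not Hadoop's
 * CMF code). Secrets live in a JCEKS keystore under an alias; callers only
 * ever hold the alias, and the keystore is unlocked by a single
 * service-specific master secret (the "CMF secret" of the proposal).
 */
public final class AliasCredentialStore implements AutoCloseable {

    // Only the service's own OS user may read or write the store (0600).
    private static final Set<PosixFilePermission> OWNER_ONLY =
            EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);

    private final Path storePath;
    private final char[] masterSecret;
    private final KeyStore keyStore;

    public AliasCredentialStore(Path storePath, char[] masterSecret)
            throws IOException, GeneralSecurityException {
        this.storePath = storePath;
        this.masterSecret = masterSecret;
        this.keyStore = KeyStore.getInstance("JCEKS");
        if (Files.exists(storePath)) {
            try (InputStream in = Files.newInputStream(storePath)) {
                // A wrong master secret fails here with an IOException.
                keyStore.load(in, masterSecret);
            }
        } else {
            keyStore.load(null, masterSecret); // start an empty store
        }
    }

    /** Stores a secret under an alias; "AES" is only a label JCEKS needs for a SecretKeyEntry. */
    public void put(String alias, char[] secret) throws GeneralSecurityException {
        byte[] raw = new String(secret).getBytes(StandardCharsets.UTF_8);
        SecretKey key = new SecretKeySpec(raw, "AES");
        keyStore.setEntry(alias, new KeyStore.SecretKeyEntry(key),
                new KeyStore.PasswordProtection(masterSecret));
    }

    /** Resolves an alias to the real secret, or null if the alias is unknown. */
    public char[] get(String alias) throws GeneralSecurityException {
        KeyStore.Entry entry = keyStore.getEntry(alias, new KeyStore.PasswordProtection(masterSecret));
        if (!(entry instanceof KeyStore.SecretKeyEntry)) {
            return null;
        }
        byte[] raw = ((KeyStore.SecretKeyEntry) entry).getSecretKey().getEncoded();
        return new String(raw, StandardCharsets.UTF_8).toCharArray();
    }

    /** Writes the store and restricts it to the owning OS user (POSIX filesystems only). */
    public void save() throws IOException, GeneralSecurityException {
        try (OutputStream out = Files.newOutputStream(storePath)) {
            keyStore.store(out, masterSecret);
        }
        Files.setPosixFilePermissions(storePath, OWNER_ONLY);
    }

    @Override
    public void close() {
        Arrays.fill(masterSecret, '\0'); // do not leave the master secret lying around in memory
    }

    public static void main(String[] args) throws Exception {
        Path storePath = Files.createTempDirectory("cmf-demo").resolve("myservice.jceks");
        char[] cmfSecret = "constructed-master-secret".toCharArray(); // constructed sample value

        // Installation time: the real secret goes in once, under an alias.
        try (AliasCredentialStore store = new AliasCredentialStore(storePath, cmfSecret.clone())) {
            store.put("db.password", "constructed-db-password".toCharArray());
            store.save();
        }

        // Runtime: configuration refers only to the alias "db.password".
        try (AliasCredentialStore store = new AliasCredentialStore(storePath, cmfSecret.clone())) {
            System.out.println("db.password -> " + new String(store.get("db.password")));
            System.out.println("permissions: " + Files.getPosixFilePermissions(storePath));
        }

        // A wrong CMF secret cannot open the store at all.
        try (AliasCredentialStore store = new AliasCredentialStore(storePath, "wrong".toCharArray())) {
            System.out.println("unexpected: opened with the wrong secret");
        } catch (IOException e) {
            System.out.println("wrong CMF secret rejected: " + e.getMessage());
        }
    }
}
```

Two design points follow from the proposal's threat model: the alias is the only value that ever appears in service configuration, so a leaked config file exposes nothing usable; and the master secret is the single point that must be prompted for or protected at startup, which is exactly why the issue pairs its encryption with file permissions limited to the service user. The same idea later shipped in Hadoop as the Credential Provider API (the `hadoop credential` CLI with a `jceks://` provider), which stores aliases in a JCEKS file in much this way.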

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
