hadoop-common-issues mailing list archives

From "Alejandro Abdelnur (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10868) Create a ZooKeeper-backed secret provider
Date Tue, 09 Sep 2014 23:49:29 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10868?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14127812#comment-14127812

Alejandro Abdelnur commented on HADOOP-10868:


The following code seems it could be (most of it) pushed down to each provider impl:

        if (signerSecretProviderName.equals("string")) {
          String signatureSecret =
              config.getProperty(configPrefix + SIGNATURE_SECRET, null);
          secretProvider = new StringSignerSecretProvider(signatureSecret);
        } else if (signerSecretProviderName.equals("random")) {
          secretProvider = new RandomSignerSecretProvider();
          randomSecret = true;
        } else if (signerSecretProviderName.equals("zookeeper")) {
          // the attribute lookup on the servlet context is cut off in the quoted snippet
          Object curatorClientObj = filterConfig.getServletContext()
          // reuse a CuratorFramework published in the servlet context, else let the
          // provider create its own client
          if (curatorClientObj instanceof CuratorFramework) {
            secretProvider =
                new ZKSignerSecretProvider((CuratorFramework) curatorClientObj);
          } else {
            secretProvider = new ZKSignerSecretProvider();
          }
        }

I would have a function that gives me the Class of the provider, i.e.:

  @SuppressWarnings("unchecked")
  private Class<? extends SignerSecretProvider> getProviderClass(String name)
      throws ServletException {
    // map the short config names onto the built-in implementations
    if ("random".equals(name)) {
      name = RandomSignerSecretProvider.class.getName();
    } else if ("string".equals(name)) {
      name = StringSignerSecretProvider.class.getName();
    } else if ("zookeeper".equals(name)) {
      name = ZookeeperSignerSecretProvider.class.getName();
    } else {
      // unrecognised or unset names fall back to the random provider
      name = RandomSignerSecretProvider.class.getName();
    }
    try {
      return (Class<? extends SignerSecretProvider>) Thread.currentThread().
          getContextClassLoader().loadClass(name);
    } catch (Exception ex) {
      throw new ServletException(ex);
    }
  }

Then I would use {{ReflectionUtils.newInstance(providerClass, conf)}} to instantiate it. 
I would add {{ServletContext}} as param to the {{init()}} method which in the case of ZK impl
would be used to retrieve the curator from the context or create a new one (all within the
ZK impl). For the string impl, the string secret would be obtained from the config properties
of the {{init()}}.

* curator-test should be with scope 'test'

* line 334, log message, typo 'occured'
* the ser/deser of the data we store in zookeeper, please add a version number at the beginning.
This will allow us to change things in the future and support rolling upgrades.
* once you have a curator client, will it handle reconnections correctly? else the {{createCuratorClient}}
would have to be redone after a failed attempt.
* I don’t like that ZK uses system properties for the auth info, but I guess that it has
to be :(. I’ll dig into this a bit while you take care of the other feedback.

> Create a ZooKeeper-backed secret provider
> -----------------------------------------
>                 Key: HADOOP-10868
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10868
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: security
>    Affects Versions: 2.4.1
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>         Attachments: HADOOP-10868.patch, HADOOP-10868.patch, HADOOP-10868.patch, HADOOP-10868_branch-2.patch, HADOOP-10868_branch-2.patch, HADOOP-10868_branch-2.patch
>
> Create a secret provider (see HADOOP-10791) that is backed by ZooKeeper and can synchronize amongst different servers.
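The review above asks for a version number at the front of the data the ZooKeeper provider stores, so that the layout can change later and mixed-version servers can coexist during a rolling upgrade. The following is an added example, not code from the HADOOP-10868 patch or from Hadoop: it assumes a record layout (current secret, previous secret, next rollover time) and shows a codec that writes the version first and refuses records whose version or lengths it does not understand, rather than misreading arbitrary bytes as a signing secret.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/** Hypothetical record of what the ZK-backed provider would store in its znode (assumed layout). */
final class SecretRecord {
  final byte[] currentSecret;
  final byte[] previousSecret;      // null before the first rollover
  final long nextRolloverMillis;

  SecretRecord(byte[] currentSecret, byte[] previousSecret, long nextRolloverMillis) {
    this.currentSecret = currentSecret;
    this.previousSecret = previousSecret;
    this.nextRolloverMillis = nextRolloverMillis;
  }
}

/** Versioned ser/deser: the version int is the first thing written and the first thing checked. */
final class SecretRecordCodec {
  static final int FORMAT_VERSION = 1;
  static final int MAX_SECRET_LEN = 1024;   // assumed upper bound; guards against corrupt lengths

  static byte[] serialize(SecretRecord r) throws IOException {
    ByteArrayOutputStream bos = new ByteArrayOutputStream();
    DataOutputStream out = new DataOutputStream(bos);
    out.writeInt(FORMAT_VERSION);            // readers branch on this before parsing anything else
    writeBytes(out, r.currentSecret);
    writeBytes(out, r.previousSecret);
    out.writeLong(r.nextRolloverMillis);
    out.flush();
    return bos.toByteArray();
  }

  static SecretRecord deserialize(byte[] data) throws IOException {
    DataInputStream in = new DataInputStream(new ByteArrayInputStream(data));
    int version = in.readInt();
    if (version != FORMAT_VERSION) {
      // A newer (or garbage) layout: fail closed so the old secret stays in use.
      throw new IOException("unsupported secret record version " + version);
    }
    byte[] current = readBytes(in);
    byte[] previous = readBytes(in);
    long next = in.readLong();
    if (in.available() != 0) {
      throw new IOException("trailing bytes in secret record");
    }
    return new SecretRecord(current, previous, next);
  }

  private static void writeBytes(DataOutputStream out, byte[] b) throws IOException {
    if (b == null) {                         // -1 length encodes "absent"
      out.writeInt(-1);
      return;
    }
    out.writeInt(b.length);
    out.write(b);
  }

  private static byte[] readBytes(DataInputStream in) throws IOException {
    int len = in.readInt();
    if (len == -1) {
      return null;
    }
    if (len < 0 || len > MAX_SECRET_LEN) {
      throw new IOException("bad secret length " + len);
    }
    byte[] b = new byte[len];
    in.readFully(b);                         // throws EOFException on a truncated record
    return b;
  }
}

public class VersionedSecretRecordDemo {
  public static void main(String[] args) throws IOException {
    // constructed sample values, not real secrets
    byte[] current = "constructed-current-secret".getBytes(StandardCharsets.UTF_8);
    byte[] previous = "constructed-previous-secret".getBytes(StandardCharsets.UTF_8);
    SecretRecord rec = new SecretRecord(current, previous, 1_700_000_000_000L);

    byte[] wire = SecretRecordCodec.serialize(rec);
    SecretRecord back = SecretRecordCodec.deserialize(wire);
    System.out.println("round trip ok: " + (Arrays.equals(current, back.currentSecret)
        && Arrays.equals(previous, back.previousSecret)
        && back.nextRolloverMillis == rec.nextRolloverMillis));

    // Simulate a record written by a newer server during a rolling upgrade:
    // bump the low byte of the big-endian version int at the front of the record.
    byte[] newer = wire.clone();
    newer[3] = 2;
    try {
      SecretRecordCodec.deserialize(newer);
    } catch (IOException e) {
      System.out.println("rejected as expected: " + e.getMessage());
    }
  }
}
```

Putting the version first means an older server that reads a record written by a newer one stops at the first four bytes and keeps its current secret instead of signing with whatever it managed to parse; a newer server can still read version 1 records by adding a branch in deserialize, which is what makes the upgrade rolling.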

This message was sent by Atlassian JIRA
