credential
Manages credentials, passwords, and secrets within credential providers.
The CredentialProvider API in Arenadata Hadoop allows for the separation of applications and how they store their passwords/secrets.
To indicate a particular provider type and location, use the hadoop.security.credential.provider.path parameter in core-site.xml or the command-line option -provider on each of the following commands.
This provider path is a comma-separated list of URLs that indicates the type and location of the providers that should be consulted.
For example, the path user:///,jceks://file/tmp/test.jceks,jceks://hdfs@nn1.example.com/my/path/test.jceks indicates that:
- the current user’s credentials file should be addressed via the User Provider;
- the local file /tmp/test.jceks is a Java Keystore Provider;
- the HDFS file nn1.example.com/my/path/test.jceks is also a store for Java Keystore Provider.
The credential command is often used for provisioning passwords or secrets to a particular credential store provider.
To explicitly indicate which provider store to use, specify the -provider option.
Otherwise, for the given path of multiple providers, the first non-transient provider will be used. This may or may not be the one that you want.
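The following Python sketch is an added example, not code from Arenadata or Hadoop: it splits a provider path such as the one above into provider type and underlying store, and reports which provider a write lands in when -provider is omitted. It assumes that the User Provider is the only transient type among those named here and that a user:/// entry carries no path; all function names are hypothetical.

```python
from urllib.parse import urlsplit

# Assumption: of the provider types named on this page, only the User Provider
# is transient; keystore files are persistent stores.
TRANSIENT_SCHEMES = {"user"}

# Constructed sample: the example path from the text above.
SAMPLE_PATH = ("user:///,jceks://file/tmp/test.jceks,"
               "jceks://hdfs@nn1.example.com/my/path/test.jceks")


def unnest(provider_url):
    """Split one provider URL into (provider type, underlying store URI)."""
    parts = urlsplit(provider_url)
    if not parts.scheme:
        raise ValueError(f"not a provider URL: {provider_url!r}")
    if not parts.netloc:
        # user:/// has no store location; anything after it usually means a
        # comma was dropped and two entries were fused into one.
        if parts.path not in ("", "/"):
            raise ValueError(f"unexpected path, missing comma? {provider_url!r}")
        return parts.scheme, None
    # The authority names the filesystem, either "file" or "hdfs@namenode".
    fs_scheme, _, host = parts.netloc.partition("@")
    return parts.scheme, f"{fs_scheme}://{host}{parts.path}"


def parse_provider_path(path):
    """Return one dict per provider, in the order they are consulted."""
    entries = []
    for raw in (item.strip() for item in path.split(",")):
        if not raw:
            continue
        ptype, store = unnest(raw)
        entries.append({"url": raw, "type": ptype, "store": store,
                        "transient": ptype in TRANSIENT_SCHEMES})
    return entries


def default_write_target(path):
    """First non-transient provider: where a write goes without -provider."""
    for entry in parse_provider_path(path):
        if not entry["transient"]:
            return entry
    return None


if __name__ == "__main__":
    for e in parse_provider_path(SAMPLE_PATH):
        print(e["type"], e["store"], "transient" if e["transient"] else "")
    print("write target:", default_write_target(SAMPLE_PATH)["url"])
```

Running the check over the path configured in core-site.xml before provisioning a secret shows whether the store that receives it is the intended one.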
Providers frequently require a password or other secrets.
If a provider requires a password and is unable to find one, it will use the default password and emit a warning message that the default password is being used.
If the -strict flag is supplied, the warning message becomes an error message and the command returns immediately with an error status.
The usage is as follows:
$ hadoop credential <subcommand> [options]
print [-alias alias] filename [filename2 …] | Prints the token fields contained in filename (filename2, and so on).
get URL | Fetches tokens from a service using a URL and places it in the file.
append | Appends the contents of the first
remove -alias alias | Removes the tokens matching
cancel -alias alias | Acts similarly to
renew -alias alias | For each file specified, renews the tokens matching
import base64 | Imports a Base64 token.
Example:
$ hadoop credential list -provider jceks://file/tmp/test.jceks