When Hadoop components (HDFS et. al.) are configured to connect to external sources like LDAP, the LDAP bind passwords need to be given in configuration file (core-site.xml) in clear text. For many enterprise environments, having password in clear text is not allowed and is often flagged as risk in Security Audits.
This article teaches Hadoop administrators on how to secure these plaintext password in Hadoop configuration.
1. Before starting, make sure that LDAP bind is working with plain text password. So, the HDFS should be configured with these settings in core-site.xml (the following values should be changed to match your LDAP/AD environment. These are working example values from my AD setup)
With this basic setup, we are ready to secure our plaintext password.
3. Hadoop offers Credential Provider APIs which can be used to secure various passwords (not just LDAP bind password) in secure JCEKS (Java Cryptography Extension KeyStore) files. We will use the same in this article.
4. First of all, create a JCEKS file using hadoop credential command to store property name & bind password:
# hadoop credential create hadoop.security.group.mapping.ldap.bind.password -value s0mePassw0rd -provider jceks://file/etc/security/bind.jceks
hadoop.security.group.mapping.ldap.bind.password has been successfully created.
org.apache.hadoop.security.alias.JavaKeyStoreProvider has been updated.
This command creates a /etc/security/bind.jceks file with encrypted password & default permission of 700.
5. Update file permission of /etc/security/bind.jceks to 755 for root user.
# chmod 755 /etc/security/bind.jceks
# ls -l /etc/security/bind.jceks
-rwxr-xr-x. 1 root root 533 Feb 15 20:00 /etc/security/bind.jceks
6. Let's use this credential provider in Hadoop configuration (core-site.xml):