Community Articles

Find and share helpful community-sourced technical articles.
Celebrating as our community reaches 100,000 members! Thank you!
Labels (1)


When Hadoop components (HDFS et. al.) are configured to connect to external sources like LDAP, the LDAP bind passwords need to be given in configuration file (core-site.xml) in clear text. For many enterprise environments, having password in clear text is not allowed and is often flagged as risk in Security Audits.

This article teaches Hadoop administrators on how to secure these plaintext password in Hadoop configuration.

Configuration Steps:

1. Before starting, make sure that LDAP bind is working with plain text password. So, the HDFS should be configured with these settings in core-site.xml (the following values should be changed to match your LDAP/AD environment. These are working example values from my AD setup),dc=lab,dc=hortonworks,dc=net,ou=ServiceUsers,dc=lab,dc=hortonworks,dc=net

Notice that the LDAP bind password is in clear text.

2. Also at this point, HDFS should be able to resolve LDAP group(s) for an LDAP user. To check, use this command - hdfs groups <username>. For example,

# hdfs groups hr1
hr1 : hadoop-users hadoop-admins HDP Ranger Admins

With this basic setup, we are ready to secure our plaintext password.

3. Hadoop offers Credential Provider APIs which can be used to secure various passwords (not just LDAP bind password) in secure JCEKS (Java Cryptography Extension KeyStore) files. We will use the same in this article.

4. First of all, create a JCEKS file using hadoop credential command to store property name & bind password:

# hadoop credential create -value s0mePassw0rd -provider jceks://file/etc/security/bind.jceks has been successfully created. has been updated.

This command creates a /etc/security/bind.jceks file with encrypted password & default permission of 700.

5. Update file permission of /etc/security/bind.jceks to 755 for root user.

# chmod 755 /etc/security/bind.jceks
# ls -l /etc/security/bind.jceks
-rwxr-xr-x. 1 root root 533 Feb 15 20:00 /etc/security/bind.jceks

6. Let's use this credential provider in Hadoop configuration (core-site.xml):

and remove property as well.

7. Restart HDFS NameNode service to load new property.

8. Verify that the LDAP groups are still able to resolve for an LDAP user.


Do you know what encryption algorithm the Hadoop Credential Store uses? I need to encrypt the LDAP password with AES-256 algorithm.