Attached document with possible ways to implement this feature.
As Larry McCay commented in HIVE-17014. - "we may want to consider the use of the CredentialProvider API that will be committed soon.
HADOOP-10607. This isn't mutually exclusive with the password file approach as there are plans to fallback to existing password files in certain components. However, the abstraction of the API is best realized through the new Configuration.getPassword(String name) method. This will allow you to ask for a configuration item that you know is a password and it will check for an aliased credential based on the name through the CredentialProvider API. If the name is not resolved into a credential from a provider then it falls back to the config file."
Would be happy to discuss this approach with other members.