[
https://issues.apache.org/jira/browse/HADOOP-13122?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15278144#comment-15278144
]
Chris Nauroth commented on HADOOP-13122:
----------------------------------------
No, I don't think there is a risk of security exposure. The format of the
User-Agent will be <custom prefix>, <Hadoop version>, <SDK info>. The <SDK
info> part is controlled completely by the AWS SDK. This is what gets sent
today without the patch. The <Hadoop version> is filled in programmatically
from the build details embedded in the jar, so I don't expect this would ever
contain anything sensitive. I suppose the only problem is if a user willfully
set something sensitive into {{fs.s3a.user.agent.prefix}}. I wouldn't expect
that to happen in practice, but if you feel there is a risk here, then I can
add a note in core-default.xml and the docs warning people not to do that. Let
me know your thoughts.
> Customize User-Agent header sent in HTTP requests by S3A.
> ---------------------------------------------------------
>
> Key: HADOOP-13122
> URL: https://issues.apache.org/jira/browse/HADOOP-13122
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: fs/s3
> Reporter: Chris Nauroth
> Assignee: Chris Nauroth
> Attachments: HADOOP-13122.001.patch
>
>
> S3A passes a User-Agent header to the S3 back-end. Right now, it uses the
> default value set by the AWS SDK, so Hadoop HTTP traffic doesn't appear any
> different from general AWS SDK traffic. If we customize the User-Agent
> header, then it will enable better troubleshooting and analysis by AWS or
> alternative providers of S3-like services.
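Added example, not part of the JIRA comment or the Hadoop code base: a small audit that reads a Hadoop configuration file and flags an {{fs.s3a.user.agent.prefix}} value that would put something sensitive into the User-Agent header, which is the one exposure the comment above identifies. The regex heuristics and the sample configurations are constructed for illustration; the check against fs.s3a.access.key and fs.s3a.secret.key assumes credentials are set in the same file.

```python
import re
import xml.etree.ElementTree as ET

PREFIX_KEY = "fs.s3a.user.agent.prefix"
# S3A credential properties whose values must never be echoed into a header.
CREDENTIAL_KEYS = ("fs.s3a.access.key", "fs.s3a.secret.key")
# Heuristics chosen for this example (assumptions, not Hadoop rules).
PATTERNS = {
    "AWS access key id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "credential keyword": re.compile(r"(?i)(password|passwd|secret|token)\s*[=:]"),
}

def load_properties(xml_text):
    """Return {name: value} from a Hadoop <configuration> document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_user_agent_prefix(xml_text):
    """Return a list of findings for the configured User-Agent prefix."""
    props = load_properties(xml_text)
    prefix = props.get(PREFIX_KEY, "")
    findings = []
    # Strongest signal: the prefix literally embeds a configured credential.
    for key in CREDENTIAL_KEYS:
        if props.get(key) and props[key] in prefix:
            findings.append(f"contains value of {key}")
    for label, pattern in PATTERNS.items():
        if pattern.search(prefix):
            findings.append(f"looks like {label}")
    return findings

# Constructed sample configurations (placeholder values, not real secrets).
BAD = """<configuration>
  <property><name>fs.s3a.secret.key</name><value>EXAMPLEsecretVALUE0000</value></property>
  <property><name>fs.s3a.user.agent.prefix</name>
    <value>etl-job token=EXAMPLEsecretVALUE0000</value></property>
</configuration>"""
GOOD = """<configuration>
  <property><name>fs.s3a.user.agent.prefix</name><value>acme-etl/nightly</value></property>
</configuration>"""

if __name__ == "__main__":
    for label, cfg in (("BAD", BAD), ("GOOD", GOOD)):
        print(label, audit_user_agent_prefix(cfg) or "no findings")
```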