[jira] [Commented] (HADOOP-14833) Remove s3a user:secret authentication

[Steve Loughran (JIRA)]

    [ 
https://issues.apache.org/jira/browse/HADOOP-14833?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16595627#comment-16595627
 ] 

Steve Loughran commented on HADOOP-14833:
-----------------------------------------

Patch 001

Includes changes to
* docs, with new error message explained
* aws credential providers, which now throw IOEs on construction when needed 
-these are handled OK
* S3xLoginHelper never extracts the real password; acts as the check to stop 
secrets in URIs being allowed
* Remove the now-obsolete and always private BasicAWSCredentialsProvider
* All the tests updated to match

User names in s3a URIS are still allowed, e.g s3a://bob@bucket/; the normal 
auth path is used. This is because Daryn's HADOOP-15446 patch seems to like 
them. If that was done just to allow user:pass secrets to generate their own DT 
then I'll cut that here and from the DT code.

Contains HADOOP-14762 S3A warning of obsolete encryption key which is never 
used as the codepaths were crossing, and this was a big cleanup of deprecated 
stuff. We never actually shipped that setting, though I think something in CDH 
did. I've tried to make the diff as minimal as possible there, and we could 
pull it out into its own patch if wanted.

Tested: S3 Ireland; dynamodb

> Remove s3a user:secret authentication
> -------------------------------------
>
>                 Key: HADOOP-14833
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14833
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/s3
>    Affects Versions: 3.0.0-beta1
>            Reporter: Steve Loughran
>            Assignee: Steve Loughran
>            Priority: Minor
>         Attachments: HADOOP-14833-001.patch
>
>
> Remove the s3a://user:secret@host auth mechanism from S3a
> I think we could consider retain it as an explicit credential provider you 
> can ask for, so that people who cannot move off it (yet) can reconfigure 
> their system, but unless you do that, it stops working. 
> We could add a dummy credential handler which recognises the user:secret 
> pattern & then tells the user "no longer supported, sorry, here's how to 
> migrate", & add that to the default chain after everything else.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org