[ 
https://issues.apache.org/jira/browse/HADOOP-14833?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16599388#comment-16599388
 ] 

Mingliang Liu commented on HADOOP-14833:
----------------------------------------

+1

Trivial comments:
# If in the URI there is no pass but a username, we ignore the username and do not 
report an error. Should we warn people that the user in the URI is not actually 
respected or used?
# In {{index.md}}, the item "{{1. Logging the `AWS_` environment variables.}}" 
would be better with a blank line after it. My markdown software considers the line 
"{{If you do any of these: change your credentials immediately!}}" the same 
line instead of a summary after the whole list.
# I know it's irrelevant, but can we add {{@Override}} annotation to 
{{SimpleAWSCredentialsProvider::getCredentials()}}? And 
{{TemporaryAWSCredentialsProvider::getCredentials()}}.
# {{S3xLoginHelper::extractLoginDetailsWithWarnings}} calls 
{{extractLoginDetails()}} twice (indirectly and directly). Maybe we can call it 
only once.
# When I searched "basic" in {{index.md}}, I found the following section for the simple 
provider.
{quote}
*Simple name/secret credentials with `SimpleAWSCredentialsProvider`*
...
Apart from its lack of support of user:password details being included in 
filesystem
URLs (a dangerous practise that is strongly discouraged), this provider acts
exactly at the basic authenticator used in the default authentication chain.
{quote}
I know it's irrelevant, but:
#- the title should be {color:#205081}{{### <a name="auth_simple"></a> Simple 
name/secret credentials with `SimpleAWSCredentialsProvider`}}{color}
#- the "at" should be "as" in the last sentence?

> Remove s3a user:secret authentication
> -------------------------------------
>
>                 Key: HADOOP-14833
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14833
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/s3
>    Affects Versions: 3.0.0-beta1
>            Reporter: Steve Loughran
>            Assignee: Steve Loughran
>            Priority: Major
>         Attachments: HADOOP-14833-001.patch
>
>
> Remove the s3a://user:secret@host auth mechanism from S3a. 
> As well as being insecure, it causes problems with S3Guard's URI matching 
> code.
> Proposed: cull it utterly. We've been telling people to stop using it since 
> HADOOP-3733



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
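An added example, not part of the JIRA comment or of HADOOP-14833-001.patch: a small audit script for finding `s3a://user:secret@host` URIs in job configs or logs and stripping the login details. It also flags the username-only form raised in the first review comment. The names `S3A_USERINFO`, `audit` and `redact` are hypothetical, and the sample text is constructed.

```python
import re

# Matches s3a://user[:secret]@bucket. The secret part may contain "/" or "+",
# which breaks generic URL parsers, so a regex is used instead of urlparse.
# The user part may not contain "/", so an "@" later in an object path
# (s3a://bucket/path/file@v2) is not mistaken for login details.
S3A_USERINFO = re.compile(
    r"s3a://(?P<user>[^\s/@:]+)(?::(?P<secret>[^\s@]*))?@(?P<bucket>[^\s/@]+)"
)

# Constructed sample input; the key and secret are placeholders, not real values.
SAMPLE = """\
fs.defaultFS=s3a://AKIAEXAMPLEKEY:abc/def+SECRET@data-bucket/warehouse
input=s3a://alice@logs-bucket/2018/08/
output=s3a://clean-bucket/out/report@v2.csv
"""


def audit(text):
    """Return (line number, kind, bucket) for every s3a URI carrying login details."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in S3A_USERINFO.finditer(line):
            # A secret in the URI is a leaked credential; a bare username is
            # the case the review comment asks about warning on.
            kind = "embedded-secret" if m.group("secret") is not None else "username-only"
            findings.append((lineno, kind, m.group("bucket")))
    return findings


def redact(text):
    """Drop the user[:secret]@ part so the text can be logged or shared."""
    return S3A_USERINFO.sub(lambda m: "s3a://" + m.group("bucket"), text)


if __name__ == "__main__":
    for lineno, kind, bucket in audit(SAMPLE):
        print(f"line {lineno}: {kind} in URI for bucket {bucket}")
    print(redact(SAMPLE), end="")
```

Any secret this reports should be treated as exposed and rotated, in line with the "change your credentials immediately" advice quoted from `index.md` above.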
