[ https://issues.apache.org/jira/browse/HADOOP-15672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16938905#comment-16938905 ]

Steve Loughran commented on HADOOP-15672:
-----------------------------------------
I don't think we need this any more. I have successfully issued session
delegation tokens and then loaded them back from a file for authentication.
That is: you can use hadoop dfsutil to save a token you can then pass on to
others via email, etc. This includes encryption. Closing as DONE.

> add s3guard CLI command to generate session keys for an assumed role
> --------------------------------------------------------------------
>
> Key: HADOOP-15672
> URL: https://issues.apache.org/jira/browse/HADOOP-15672
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: fs/s3
> Affects Versions: 3.2.0
> Reporter: Steve Loughran
> Priority: Minor
>
> The AWS CLI
> [get-session-token|https://docs.aws.amazon.com/cli/latest/reference/sts/get-session-token.html]
> can generate the keys for a short-lived session.
> I'd like something similar in an s3guard command, e.g. "create-role-keys",
> which would take the existing (full) credentials and optionally:
> * ARN of role to adopt
> * duration
> * name
> * restrictions as path to a JSON file or just stdin
> * output format
> * whether to use a per-bucket binding for the credentials in the property
> names generated
> * MFA secrets
> Output formats:
> * A JCEKS file (with chosen passwd? For better hive use: append/replace
> entries in existing file); saved through the hadoop FS APIs to HDFS, file://
> or elsewhere
> * hadoop config XML
> * spark properties
> The goal here is to have a workflow where you can generate role credentials
> to use for a limited time, store them in a JCEKS file and then share them in
> your jobs. This can be for: Jenkins, Oozie, build files, ...
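
Added example, not part of the JIRA message or the Hadoop code base: a sketch of the "hadoop config XML" output format with the optional per-bucket binding that the issue describes, mapping STS session credentials onto the S3A property names. The function names, the bucket name and the sample STS JSON are assumptions constructed for illustration.

```python
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample shaped like `aws sts assume-role` JSON output; values are fake.
SAMPLE_STS_JSON = """
{"Credentials": {
  "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
  "SecretAccessKey": "constructed-secret-not-real",
  "SessionToken": "constructed-session-token-not-real",
  "Expiration": "2030-01-01T00:00:00Z"}}
"""

# S3A credential provider that reads access key, secret key and session token.
PROVIDER = "org.apache.hadoop.fs.s3a.TemporaryAWSCredentialsProvider"


def s3a_properties(sts_json, bucket=None, now=None):
    """Map STS session credentials to S3A property names (hypothetical helper).

    With `bucket` set, per-bucket names (fs.s3a.bucket.<bucket>.*) are used so
    the short-lived credentials apply only to that bucket.
    """
    creds = json.loads(sts_json)["Credentials"]
    expiry = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    if expiry <= now:
        # Refuse to write out credentials that can no longer authenticate.
        raise ValueError(f"session credentials expired at {expiry.isoformat()}")
    prefix = f"fs.s3a.bucket.{bucket}." if bucket else "fs.s3a."
    return {
        prefix + "aws.credentials.provider": PROVIDER,
        prefix + "access.key": creds["AccessKeyId"],
        prefix + "secret.key": creds["SecretAccessKey"],
        prefix + "session.token": creds["SessionToken"],
    }


def to_hadoop_xml(props):
    """Render properties as a Hadoop <configuration> document."""
    root = ET.Element("configuration")
    for name, value in props.items():
        prop = ET.SubElement(root, "property")
        ET.SubElement(prop, "name").text = name
        ET.SubElement(prop, "value").text = value
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(to_hadoop_xml(s3a_properties(SAMPLE_STS_JSON, bucket="example-bucket")))
```

The XML form holds the secret and session token in cleartext, so it needs the same file permissions as any other credential file; the JCEKS output listed in the issue keeps them out of plain configuration files.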