[jira] [Commented] (DRILL-6662) Access AWS access key ID and secret access key using Credential Provider API for S3 storage plugin

Fri, 03 Aug 2018 04:36:30 -0700 


    [ 
https://issues.apache.org/jira/browse/DRILL-6662?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16568118#comment-16568118
 ] 

Bohdan Kazydub commented on DRILL-6662:
---------------------------------------

[[email protected]], thank you for suggestion, but currently Drill uses older 
version of Hadoop (2.7.1) which does not have the utility class.

On the other hand, each plugin instance corresponds to an individual bucket, so 
there is a possibility to configure provider path to reference file containing 
bucket-specific keys.

 

> Access AWS access key ID and secret access key using Credential Provider API 
> for S3 storage plugin
> --------------------------------------------------------------------------------------------------
>
>                 Key: DRILL-6662
>                 URL: https://issues.apache.org/jira/browse/DRILL-6662
>             Project: Apache Drill
>          Issue Type: Improvement
>            Reporter: Bohdan Kazydub
>            Assignee: Bohdan Kazydub
>            Priority: Major
>
> Hadoop provides [CredentialProvider 
> API|[https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/CredentialProviderAPI.html]]
>  which allows passwords and other sensitive secrets to be stored in an 
> external provider rather than in configuration files in plaintext.
> Currently S3 storage plugin is accessing passwords, namely 
> 'fs.s3a.access.key' and 'fs.s3a.secret.key', stored in clear text in 
> Configuration with get() method. To give users an ability to remove clear 
> text passwords for S3 from configuration files Configuration.getPassword() 
> method should be used, given they configure 
> 'hadoop.security.credential.provider.path' property which points to a file 
> containing encrypted passwords instead of configuring two aforementioned 
> properties.
> By using this approach, credential providers will be checked first and if the 
> secret is not provided or providers are not configured there will be a 
> fallback to secrets configured in clear text (unless 
> 'hadoop.security.credential.clear-text-fallback' is configured to be 
> "false"), thus making new change backwards-compatible.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to