[jira] [Commented] (DRILL-6662) Access AWS access key ID and secret access key using Credential Provider API for S3 storage plugin

Fri, 03 Aug 2018 16:09:06 -0700 


    [ 
https://issues.apache.org/jira/browse/DRILL-6662?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16568901#comment-16568901
 ] 

Steve Loughran commented on DRILL-6662:
---------------------------------------

bq. Drill uses older version of Hadoop (2.7.1) which does not have the utility 
class.

no, it doesn't have the per-bucket stuff, but can be used as a copy-and-paste 
reference implementation of how the S3A connector itself does its password 
lookup. And: you are free to upgrade, at least to a later version of the 2.7.x 
line

> Access AWS access key ID and secret access key using Credential Provider API 
> for S3 storage plugin
> --------------------------------------------------------------------------------------------------
>
>                 Key: DRILL-6662
>                 URL: https://issues.apache.org/jira/browse/DRILL-6662
>             Project: Apache Drill
>          Issue Type: Improvement
>            Reporter: Bohdan Kazydub
>            Assignee: Bohdan Kazydub
>            Priority: Major
>
> Hadoop provides [CredentialProvider 
> API|[https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/CredentialProviderAPI.html]]
>  which allows passwords and other sensitive secrets to be stored in an 
> external provider rather than in configuration files in plaintext.
> Currently S3 storage plugin is accessing passwords, namely 
> 'fs.s3a.access.key' and 'fs.s3a.secret.key', stored in clear text in 
> Configuration with get() method. To give users an ability to remove clear 
> text passwords for S3 from configuration files Configuration.getPassword() 
> method should be used, given they configure 
> 'hadoop.security.credential.provider.path' property which points to a file 
> containing encrypted passwords instead of configuring two aforementioned 
> properties.
> By using this approach, credential providers will be checked first and if the 
> secret is not provided or providers are not configured there will be a 
> fallback to secrets configured in clear text (unless 
> 'hadoop.security.credential.clear-text-fallback' is configured to be 
> "false"), thus making new change backwards-compatible.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to