[jira] [Commented] (DRILL-6662) Access AWS access key ID and secret access key using Credential Provider API for S3 storage plugin

Fri, 21 Dec 2018 20:20:57 -0800 


    [ 
https://issues.apache.org/jira/browse/DRILL-6662?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16727209#comment-16727209
 ] 

Bridget Bevens commented on DRILL-6662:
---------------------------------------

Hi [~KazydubB],

I've added a section to the s3 storage plugin config doc here:

[https://drill.apache.org/docs/s3-storage-plugin/#using-an-external-provider-for-credentials]
 

Please have a look and let me know if I need to make any changes.

Thanks!

Bridget

> Access AWS access key ID and secret access key using Credential Provider API 
> for S3 storage plugin
> --------------------------------------------------------------------------------------------------
>
>                 Key: DRILL-6662
>                 URL: https://issues.apache.org/jira/browse/DRILL-6662
>             Project: Apache Drill
>          Issue Type: Improvement
>            Reporter: Bohdan Kazydub
>            Assignee: Bohdan Kazydub
>            Priority: Major
>              Labels: doc-impacting, ready-to-commit
>             Fix For: 1.15.0
>
>
> Hadoop provides [CredentialProvider 
> API|[https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/CredentialProviderAPI.html]]
>  which allows passwords and other sensitive secrets to be stored in an 
> external provider rather than in configuration files in plaintext.
> Currently S3 storage plugin is accessing passwords, namely 
> 'fs.s3a.access.key' and 'fs.s3a.secret.key', stored in clear text in 
> Configuration with get() method. To give users an ability to remove clear 
> text passwords for S3 from configuration files Configuration.getPassword() 
> method should be used, given they configure 
> 'hadoop.security.credential.provider.path' property which points to a file 
> containing encrypted passwords instead of configuring two aforementioned 
> properties.
> By using this approach, credential providers will be checked first and if the 
> secret is not provided or providers are not configured there will be a 
> fallback to secrets configured in clear text (unless 
> 'hadoop.security.credential.clear-text-fallback' is configured to be 
> "false"), thus making new change backwards-compatible.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to