You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "Larry McCay (JIRA)" <ji...@apache.org> on 2016/06/09 11:45:21 UTC
[jira] [Commented] (HADOOP-13252) add logging of what's going on in
s3 auth to help debug problems
[ https://issues.apache.org/jira/browse/HADOOP-13252?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15322385#comment-15322385 ]
Larry McCay commented on HADOOP-13252:
--------------------------------------
[~stevel@apache.org] - by auth mechanisms, it seems that you mean mechanisms for looking up credentials for auth. Correct? I'd just like to point out that indicating "none" is leaking a secret - whether this be done explicitly or implicitly.
We may want to leave this to indicating whether hadoop config of the credentials or a credential provider is being used. Not the level of detail that you are looking for but it would at least point someone with proper permissions to read the config to the right place.
> add logging of what's going on in s3 auth to help debug problems
> ----------------------------------------------------------------
>
> Key: HADOOP-13252
> URL: https://issues.apache.org/jira/browse/HADOOP-13252
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: fs/s3
> Affects Versions: 2.8.0
> Reporter: Steve Loughran
> Priority: Minor
>
> We've now got some fairly complex auth mechanisms going on: -hadoop config, KMS, env vars, "none". IF something isn't working, it's going to be a lot harder to debug.
> I propose *carefully* adding some debug messages to identify which auth provider is doing the auth, so we can see if the env vars were kicking in, sysprops, etc.
> What we mustn't do is leak any secrets: this should be identifying whether properties and env vars are set, not what their values are. I don't believe that this will generate a security risk.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org