Posted to common-issues@hadoop.apache.org by "Chris Nauroth (JIRA)" <ji...@apache.org> on 2016/08/16 04:58:22 UTC
[jira] [Commented] (HADOOP-13252) Tune S3A provider plugin mechanism
[ https://issues.apache.org/jira/browse/HADOOP-13252?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15422171#comment-15422171 ]
Chris Nauroth commented on HADOOP-13252:
----------------------------------------
The patch looks good. I have just a few minor comments.
In core-default.xml, please mention that the list of credentials provider classes is comma-separated.
Please add visibility/stability annotations to {{AWSCredentialProviderList}}.
{code}
which integrate with the AWS SDK by implementing the `om.amazonaws.auth.AWSCredentialsProvider`.
{code}
Typo in class name.
{code}
1. Alowing anonymous access to an S3 bucket compromises
{code}
Typo: "Allowing"
{code}
from placing its declaration on the commant line.
{code}
Typo: "command"
> Tune S3A provider plugin mechanism
> ----------------------------------
>
> Key: HADOOP-13252
> URL: https://issues.apache.org/jira/browse/HADOOP-13252
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: fs/s3
> Affects Versions: 2.8.0
> Reporter: Steve Loughran
> Assignee: Steve Loughran
> Priority: Minor
> Attachments: HADOOP-13252-branch-2-001.patch, HADOOP-13252-branch-2-003.patch, HADOOP-13252-branch-2-004.patch
>
>
> We've now got some fairly complex auth mechanisms going on: -hadoop config, KMS, env vars, "none". If something isn't working, it's going to be a lot harder to debug.
> Review and tune the S3A provider point
> * add logging of what's going on in s3 auth to help debug problems
> * make a whole chain of logins expressible
> * allow the anonymous credentials to be included in the list
> * review and update documents.
> I propose *carefully* adding some debug messages to identify which auth provider is doing the auth, so we can see if the env vars were kicking in, sysprops, etc.
> What we mustn't do is leak any secrets: this should be identifying whether properties and env vars are set, not what their values are. I don't believe that this will generate a security risk.
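The issue description above asks for an ordered chain of credential providers, with anonymous access as an optional entry, and for logging that names the provider in use and reports only whether a setting is present. The following is an added illustration of that idea, not code from the HADOOP-13252 patch or from the AWS SDK; every type, method and setting name in it is hypothetical, and it assumes Java 16 or later.

```java
import java.util.*;
import java.util.function.Function;
import java.util.logging.Logger;

// Added illustration: every type and method name here is hypothetical, not Hadoop's or the AWS SDK's.
public class CredentialChainDemo {
    private static final Logger LOG = Logger.getLogger("CredentialChainDemo");

    record Credentials(String accessKey, String secretKey) {
        // Override the generated toString so a stray log call cannot print the secret.
        @Override public String toString() {
            return "Credentials[accessKey=" + (accessKey.isEmpty() ? "<none>" : "<set>") + ", secretKey=<redacted>]";
        }
    }

    // A named source of credentials; the name is what appears in the logs.
    record Provider(String name, Function<Map<String, String>, Optional<Credentials>> source) {}

    // Reads a key pair from two named settings and logs only whether each one is set.
    static Provider fromSettings(String name, String keyProp, String secretProp) {
        return new Provider(name, settings -> {
            String key = settings.get(keyProp), secret = settings.get(secretProp);
            LOG.fine(name + ": " + keyProp + " set=" + (key != null) + ", " + secretProp + " set=" + (secret != null));
            return key != null && secret != null ? Optional.of(new Credentials(key, secret)) : Optional.empty();
        });
    }

    // Anonymous access is an ordinary list entry, used only if the operator lists it.
    static final Provider ANONYMOUS = new Provider("anonymous", settings -> Optional.of(new Credentials("", "")));

    // Tries each provider in order and records which one answered.
    static Map.Entry<String, Credentials> resolve(List<Provider> chain, Map<String, String> settings) {
        for (Provider p : chain) {
            Optional<Credentials> found = p.source().apply(settings);
            LOG.info("provider " + p.name() + (found.isPresent() ? " supplied credentials" : " has no credentials"));
            if (found.isPresent()) return Map.entry(p.name(), found.get());
        }
        throw new IllegalStateException("no provider supplied credentials: " + chain.stream().map(Provider::name).toList());
    }

    public static void main(String[] args) {
        // Constructed sample settings; names and values are placeholders.
        Map<String, String> settings = Map.of("EXAMPLE_ACCESS_KEY", "placeholder-id", "EXAMPLE_SECRET_KEY", "placeholder-secret");
        List<Provider> chain = List.of(
            fromSettings("config", "example.access.key", "example.secret.key"),
            fromSettings("environment", "EXAMPLE_ACCESS_KEY", "EXAMPLE_SECRET_KEY"),
            ANONYMOUS);
        System.out.println(resolve(chain, settings));
    }
}
```

With the sample settings the "config" provider finds nothing, the "environment" provider answers, and the anonymous entry is never reached; neither the log lines nor the printed result contain a key value.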