Posted to common-issues@hadoop.apache.org by "Steve Loughran (JIRA)" <ji...@apache.org> on 2018/08/28 21:30:00 UTC

[jira] [Commented] (HADOOP-14833) Remove s3a user:secret authentication

    [ https://issues.apache.org/jira/browse/HADOOP-14833?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16595627#comment-16595627 ] 

Steve Loughran commented on HADOOP-14833:
-----------------------------------------

Patch 001

Includes changes to
* docs, with new error message explained
* AWS credential providers, which now throw IOEs on construction when needed - these are handled OK
* S3xLoginHelper never extracts the real password; acts as the check to stop secrets in URIs being allowed
* Remove the now-obsolete and always private BasicAWSCredentialsProvider
* All the tests updated to match

User names in s3a URIs are still allowed, e.g. s3a://bob@bucket/; the normal auth path is used. This is because Daryn's HADOOP-15446 patch seems to like them. If that was done just to allow user:pass secrets to generate their own DT then I'll cut that here and from the DT code.

Contains HADOOP-14762 S3A warning of obsolete encryption key which is never used as the codepaths were crossing, and this was a big cleanup of deprecated stuff. We never actually shipped that setting, though I think something in CDH did. I've tried to make the diff as minimal as possible there, and we could pull it out into its own patch if wanted.

Tested: S3 Ireland; dynamodb

> Remove s3a user:secret authentication
> -------------------------------------
>
>                 Key: HADOOP-14833
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14833
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/s3
>    Affects Versions: 3.0.0-beta1
>            Reporter: Steve Loughran
>            Assignee: Steve Loughran
>            Priority: Minor
>         Attachments: HADOOP-14833-001.patch
>
>
> Remove the s3a://user:secret@host auth mechanism from S3a
> I think we could consider retaining it as an explicit credential provider you can ask for, so that people who cannot move off it (yet) can reconfigure their system, but unless you do that, it stops working.
> We could add a dummy credential handler which recognises the user:secret pattern & then tells the user "no longer supported, sorry, here's how to migrate", & add that to the default chain after everything else.
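
The rule described in the comment above (a user name in the URI is allowed, a user:secret pair is rejected, and the secret is never extracted), sketched as an added example that is not code from the patch or from Hadoop. The class name, method names and error text are hypothetical, and the sample URIs are constructed.

```java
import java.io.IOException;
import java.net.URI;

// Added illustration: hypothetical class, not Hadoop's S3xLoginHelper.
public class S3aUriSecretCheck {

    // Hypothetical error text; the real message is the one in the patch's docs.
    static final String REJECTED =
        "user:secret in an s3a URI is not supported; use a credential provider";

    /** Returns the URI's user name ("" if none); throws if a secret is present. */
    static String checkLogin(URI uri) throws IOException {
        String userInfo = uri.getUserInfo();   // percent-decoded, so %3A counts as ':'
        if (userInfo != null) {
            if (userInfo.indexOf(':') >= 0) {
                throw new IOException(REJECTED + ": " + redact(uri));
            }
            return userInfo;                   // s3a://bob@bucket/ stays legal
        }
        // A secret containing '/' ends the authority early: java.net.URI then
        // reports no host and an authority such as "KEY:partial-secret".
        String authority = uri.getRawAuthority();
        if (uri.getHost() == null && authority != null && authority.indexOf(':') >= 0) {
            throw new IOException(REJECTED + ": " + redact(uri));
        }
        return "";
    }

    /** Form of the URI that is safe to log: userinfo and unparseable parts dropped. */
    static String redact(URI uri) {
        if (uri.getHost() == null) {
            return uri.getScheme() + "://<redacted>";
        }
        return uri.getScheme() + "://" + uri.getHost() + uri.getRawPath();
    }

    public static void main(String[] args) {
        // Constructed sample URIs; the key and secret values are made up.
        String[] samples = {
            "s3a://bucket/data", "s3a://bob@bucket/",
            "s3a://EXAMPLEKEY:examplesecret@bucket/data",
            "s3a://EXAMPLEKEY:example/secret@bucket/data",
        };
        for (String s : samples) {
            try {
                System.out.println("ok, user='" + checkLogin(URI.create(s)) + "'");
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The error path builds its message only from `redact`, so a rejected URI never puts the secret into an exception message or a log line.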


