[ https://issues.apache.org/jira/browse/HADOOP-13122?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15278144#comment-15278144 ]
Chris Nauroth commented on HADOOP-13122:
----------------------------------------

No, I don't think there is a risk of security exposure. The format of the User-Agent will be <custom prefix>, <Hadoop version>, <SDK info>. The <SDK info> part is controlled completely by the AWS SDK. This is what gets sent today without the patch. The <Hadoop version> is filled in programmatically from the build details embedded in the jar, so I don't expect this would ever contain anything sensitive.

I suppose the only problem is if a user willfully set something sensitive into {{fs.s3a.user.agent.prefix}}. I wouldn't expect that to happen in practice, but if you feel there is a risk here, then I can add a note in core-default.xml and the docs warning people not to do that. Let me know your thoughts.

> Customize User-Agent header sent in HTTP requests by S3A.
> ---------------------------------------------------------
>
>                 Key: HADOOP-13122
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13122
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/s3
>            Reporter: Chris Nauroth
>            Assignee: Chris Nauroth
>         Attachments: HADOOP-13122.001.patch
>
>
> S3A passes a User-Agent header to the S3 back-end. Right now, it uses the
> default value set by the AWS SDK, so Hadoop HTTP traffic doesn't appear any
> different from general AWS SDK traffic. If we customize the User-Agent
> header, then it will enable better troubleshooting and analysis by AWS or
> alternative providers of S3-like services.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
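The one exposure path the comment identifies is a sensitive value placed in `fs.s3a.user.agent.prefix`, which would then travel in the header of every S3 request. The following is an added example, not part of the original message or of the HADOOP-13122 patch: a pre-deployment check that reads the property from a site file and flags credential-like values. The sample XML, the three heuristics and the function names are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

PREFIX_KEY = "fs.s3a.user.agent.prefix"  # property named in the comment

# Constructed site file; every value here is made up for the example.
SAMPLE_SITE_XML = """<configuration>
  <property><name>fs.s3a.user.agent.prefix</name>
    <value>etl-team token=AKIAABCDEFGHIJKLMNOP</value></property>
  <property><name>fs.s3a.connection.maximum</name><value>15</value></property>
</configuration>"""

# Heuristics chosen for this example (assumptions, not Hadoop behaviour).
CHECKS = [
    ("looks like an AWS access key ID", re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")),
    ("credential-style key=value pair",
     re.compile(r"(?i)\b(?:password|passwd|secret|token|api[_-]?key)\s*[=:]")),
    ("long opaque blob (32+ base64/hex chars)", re.compile(r"[A-Za-z0-9+/]{32,}")),
]


def read_prefix(site_xml):
    """Return the configured prefix, or None when the property is absent."""
    for prop in ET.fromstring(site_xml).iter("property"):
        if (prop.findtext("name") or "").strip() == PREFIX_KEY:
            return (prop.findtext("value") or "").strip()
    return None


def audit_prefix(value):
    """List the reasons a prefix should not be sent in a request header."""
    if not value:
        return []
    return [reason for reason, pattern in CHECKS if pattern.search(value)]


def compose_user_agent(prefix, hadoop_version, sdk_info):
    """Join the parts in the order the comment gives; an empty part is skipped
    (a choice made for this example)."""
    return ", ".join(p for p in (prefix, hadoop_version, sdk_info) if p)


if __name__ == "__main__":
    prefix = read_prefix(SAMPLE_SITE_XML)
    # Version and SDK strings below are placeholders, not real output.
    print(compose_user_agent(prefix, "<Hadoop version>", "<SDK info>"))
    for reason in audit_prefix(prefix):
        print("WARN", PREFIX_KEY, reason)
```
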