Hi,
I sympathize with the security argument. If no other library allows for
embedding the Azure password directly in the URL, then I would be ok for
deprecating it.
Regards
Antoine.
Le 10/09/2024 à 03:24, Sutou Kouhei a écrit :
Hi,
The current Azure file system URI accepts account key as
"password" field:
https://github.com/apache/arrow/blob/f3dd298bd32f6dc38654680c49b3f1fbf97e3d5f/cpp/src/arrow/filesystem/azurefs.h#L147-L152
Should we disallow it?
(I don't have a strong opinion for this.)
Related issue: https://github.com/apache/arrow/issues/43197
It focus on compatibility with products that support Azure
Blob File System URL mainly. But it also focus on security.
Random notes:
* The account key ("password" field) isn't used in URL of
real API calls. It's just used to build related objects of
Azure SDK for C++.
* The URI specification (RFC 3986) deprecates
the "user:password" format:
https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.1
Thanks,
