Bohdan Kazydub created DRILL-6662:
-------------------------------------
Summary: Access AWS access key ID and secret access key using
Credential Provider API for S3 storage plugin
Key: DRILL-6662
URL: https://issues.apache.org/jira/browse/DRILL-6662
Project: Apache Drill
Issue Type: Improvement
Reporter: Bohdan Kazydub
Assignee: Bohdan Kazydub
Hadoop provides [CredentialProvider
API|[https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/CredentialProviderAPI.html]]
which allows passwords and other sensitive secrets to be stored in an external
provider rather than in configuration files in plaintext.
Currently S3 storage plugin is accessing passwords, namely 'fs.s3a.access.key'
and 'fs.s3a.secret.key', stored in clear text in Configuration with get()
method. To give users an ability to remove clear text passwords for S3 from
configuration files Configuration.getPassword() method should be used, given
they configure 'hadoop.security.credential.provider.path' property which points
to a file containing encrypted passwords instead of configuring two
aforementioned properties.
By using this approach, credential providers will be checked first and if the
secret is not provided or providers are not configured there will be a fallback
to secrets configured in clear text (unless
'hadoop.security.credential.clear-text-fallback' is configured to be "false"),
thus making new change backwards-compatible.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
