Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.0-beta1
    • Fix Version/s: 3.2.0
    • Component/s: fs/s3, security
    • Labels:
      None
    • Target Version/s:
    • Hadoop Flags:
      Incompatible change, Reviewed
    • Release Note:
      Hide
      The S3A connector no longer supports username and secrets in URLs of the form `s3a://key:secret@bucket/`. It is near-impossible to stop those secrets being logged —which is why a warning has been printed since Hadoop 2.8 whenever such a URL was used.

      Fix: use a more secure mechanism to pass down the secrets.
      Show
      The S3A connector no longer supports username and secrets in URLs of the form ` s3a://key: secret@bucket /`. It is near-impossible to stop those secrets being logged —which is why a warning has been printed since Hadoop 2.8 whenever such a URL was used. Fix: use a more secure mechanism to pass down the secrets.

      Description

      Remove the s3a://user:secret@host auth mechanism from S3a.

      As well as being insecure, it causes problems with S3Guard's URI matching code.

      Proposed: cull it utterly. We've been telling people to stop using it since HADOOP-3733

        Attachments

        1. HADOOP-14833-002.patch
          45 kB
          Steve Loughran
        2. HADOOP-14833-001.patch
          43 kB
          Steve Loughran

          Issue Links

            Activity

              People

              • Assignee:
                stevel@apache.org Steve Loughran
                Reporter:
                stevel@apache.org Steve Loughran
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: