[
https://issues.apache.org/jira/browse/HADOOP-13252?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15322385#comment-15322385
]
Larry McCay commented on HADOOP-13252:
--------------------------------------
[[email protected]] - by auth mechanisms, it seems that you mean mechanisms
for looking up credentials for auth. Correct? I'd just like to point out that
indicating "none" is leaking a secret - whether this be done explicitly or
implicitly.
We may want to leave this to indicating whether hadoop config of the
credentials or a credential provider is being used. Not the level of detail
that you are looking for but it would at least point someone with proper
permissions to read the config to the right place.
> add logging of what's going on in s3 auth to help debug problems
> ----------------------------------------------------------------
>
> Key: HADOOP-13252
> URL: https://issues.apache.org/jira/browse/HADOOP-13252
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: fs/s3
> Affects Versions: 2.8.0
> Reporter: Steve Loughran
> Priority: Minor
>
> We've now got some fairly complex auth mechanisms going on: hadoop config,
> KMS, env vars, "none". If something isn't working, it's going to be a lot
> harder to debug.
> I propose *carefully* adding some debug messages to identify which auth
> provider is doing the auth, so we can see if the env vars were kicking in,
> sysprops, etc.
> What we mustn't do is leak any secrets: this should be identifying whether
> properties and env vars are set, not what their values are. I don't believe
> that this will generate a security risk.
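An added illustration of the two logging granularities discussed in this thread, not code from Hadoop or from either participant: one message names which sources are set, the other names only where credentials are looked up. The property and environment variable names are the standard Hadoop S3A and AWS ones, which the thread does not spell out; the class and method names are hypothetical, and plain maps stand in for Hadoop's Configuration and the process environment.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

/** Added example: describes S3 credential sources for a debug log without reading out any value. */
public class S3AuthSourceLog {
    // Standard Hadoop S3A / AWS names (assumed here; the thread does not list them).
    static final String PROVIDER_PATH = "hadoop.security.credential.provider.path";
    static final String CONF_ACCESS = "fs.s3a.access.key";
    static final String CONF_SECRET = "fs.s3a.secret.key";
    static final String ENV_ACCESS = "AWS_ACCESS_KEY_ID";
    static final String ENV_SECRET = "AWS_SECRET_ACCESS_KEY";

    /** True when the key is present and non-blank; the value itself is never returned. */
    static boolean isSet(Map<String, String> m, String key) {
        String v = m.get(key);
        return v != null && !v.trim().isEmpty();
    }

    /** Finer-grained form from the issue description: which sources are set, never their values. */
    static String describeSet(Map<String, String> conf, Map<String, String> env) {
        List<String> found = new ArrayList<>();
        if (isSet(conf, PROVIDER_PATH)) found.add("credential provider (path configured)");
        if (isSet(conf, CONF_ACCESS) && isSet(conf, CONF_SECRET)) found.add("hadoop config");
        if (isSet(env, ENV_ACCESS) && isSet(env, ENV_SECRET)) found.add("env vars");
        return "S3 credential sources set: " + (found.isEmpty() ? "none" : String.join(", ", found));
    }

    /** Coarser form from the comment: only where to look, with no statement that anything was found. */
    static String describeLookup(Map<String, String> conf) {
        return "S3 credentials are looked up via "
            + (isSet(conf, PROVIDER_PATH) ? "a credential provider" : "hadoop config");
    }

    public static void main(String[] args) {
        // Constructed sample values, not real credentials.
        Map<String, String> conf = Map.of(CONF_ACCESS, "EXAMPLE-ACCESS-ID", CONF_SECRET, "example-secret-value");
        Map<String, String> env = Map.of();
        String fine = describeSet(conf, env);
        String coarse = describeLookup(conf);
        System.out.println(fine);   // names the sources that are set
        System.out.println(coarse); // names only the lookup location
        // Guard: no configured value may appear in either message.
        for (String v : conf.values()) {
            if (fine.contains(v) || coarse.contains(v)) throw new AssertionError("secret leaked");
        }
    }
}
```

With an empty configuration, `describeSet` reports "none", which is the disclosure the comment objects to, while `describeLookup` still reports only the lookup location.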