You can use a credential provider to save an encrypted AccessKey pair into a file, which prevents the AccessKey pair from being leaked.
Background information
E-MapReduce (EMR) V3.30.0 provides a JindoOSS credential provider. You can use a Hadoop credential provider to save an encrypted AccessKey pair into a file, which prevents the AccessKey pair from being transmitted in plaintext. You can select an appropriate JindoOSS credential provider based on your requirements.
Configure a JindoOSS credential provider
- Go to the SmartData service.
  - Log on to the Alibaba Cloud EMR console.
  - In the top navigation bar, select the region where your cluster resides. Select the resource group as required. By default, all resources of the account appear.
  - Click the Cluster Management tab.
  - On the Cluster Management page that appears, find the target cluster and click Details in the Actions column.
  - In the left-side navigation pane, click Cluster Service and then SmartData.
- Go to the smartdata-site tab.
  - Click the Configure tab.
  - In the Service Configuration section, click the smartdata-site tab.
- Add configuration information.
Use a Hadoop credential provider to store AccessKey pair information
fs.jfs.cache.oss.accessKeyId, fs.jfs.cache.oss.accessKeySecret, and fs.jfs.cache.oss.securityToken can be stored in a Hadoop credential provider by using the hadoop credential command:

```shell
# Syntax
hadoop credential <subcommand> [options]

# Store the AccessKey ID, AccessKey secret, and security token in /root/oss.jceks
hadoop credential create fs.jfs.cache.oss.accessKeyId -value AAA -provider jceks://file/root/oss.jceks
hadoop credential create fs.jfs.cache.oss.accessKeySecret -value BBB -provider jceks://file/root/oss.jceks
hadoop credential create fs.jfs.cache.oss.securityToken -value CCC -provider jceks://file/root/oss.jceks
```

Parameter | Description |
---|---|
fs.jfs.cache.oss.security.credential.provider.path | The path of the credential file that stores AccessKey pair information. For example, you can set this parameter to jceks://file/${user.home}/oss.jceks, which indicates that the oss.jceks file is stored in the home directory. |
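
The following script is an added example, not part of the EMR documentation: it resolves a jceks://file/... provider path to the local keystore file, checks that the file is readable only by its owner, and creates aliases without -value so that hadoop prompts for each secret. The function names are hypothetical, and store_credentials assumes the hadoop CLI is on PATH.

```shell
#!/bin/sh
# Added example (not from the EMR documentation). Function names are hypothetical.

# Map a provider URI such as jceks://file/root/oss.jceks to a local path.
# ${user.home} is expanded to $HOME, assuming the check runs as the job's user.
provider_to_path() {
    case "$1" in
        jceks://file/*) rest=${1#jceks://file/} ;;
        *) echo "unsupported provider: $1" >&2; return 2 ;;
    esac
    case "$rest" in
        '${user.home}'/*) printf '%s\n' "$HOME/${rest#*/}" ;;
        *)                printf '%s\n' "/$rest" ;;
    esac
}

# Succeed only if the keystore exists as a regular file and grants no
# permissions to group or others (for example mode 600).
check_credential_file() {
    f=$(provider_to_path "$1") || return 2
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    mode=$(ls -ld "$f" | cut -c1-10)      # e.g. -rw-------
    case "$mode" in
        -???------) return 0 ;;
        *) echo "too permissive ($mode): $f" >&2; return 1 ;;
    esac
}

# Create each alias without -value: hadoop then prompts for the secret, so it
# never lands in shell history or the process list. Requires hadoop on PATH.
store_credentials() {
    provider=$1; shift
    for name in "$@"; do
        hadoop credential create "$name" -provider "$provider" || return 1
    done
    chmod 600 "$(provider_to_path "$provider")" && check_credential_file "$provider"
}

# Usage: sh oss_jceks.sh jceks://file/root/oss.jceks
if [ $# -eq 1 ]; then
    check_credential_file "$1" && echo "ok: $1"
fi
```

Unless HADOOP_CREDSTORE_PASSWORD or a keystore password file is configured, Hadoop protects a JCEKS keystore with a well-known default password, so the file permissions checked here are the effective access control.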
TemporaryAliyunCredentialsProvider
Parameter | Description |
---|---|
fs.jfs.cache.credentials.provider | com.aliyun.emr.fs.auth.TemporaryAliyunCredentialsProvider |
fs.jfs.cache.oss.accessKeyId | The AccessKey ID used to access OSS. |
fs.jfs.cache.oss.accessKeySecret | The AccessKey secret used to access OSS. |
fs.jfs.cache.oss.securityToken | The temporary security token that is used to access OSS. |
SimpleAliyunCredentialsProvider
Parameter | Description |
---|---|
fs.jfs.cache.credentials.provider | com.aliyun.emr.fs.auth.SimpleAliyunCredentialsProvider |
fs.jfs.cache.oss.accessKeyId | The AccessKey ID used to access OSS. |
fs.jfs.cache.oss.accessKeySecret | The AccessKey secret used to access OSS. |
EnvironmentVariableCredentialsProvider
Parameter | Description |
---|---|
fs.jfs.cache.credentials.provider | com.aliyun.emr.fs.auth.EnvironmentVariableCredentialsProvider |
ALIYUN_ACCESS_KEY_ID | The AccessKey ID used to access OSS. |
ALIYUN_ACCESS_KEY_SECRET | The AccessKey secret used to access OSS. |
ALIYUN_SECURITY_TOKEN | The temporary security token that is used to access OSS. Note: This parameter is required only when you configure a token that has a validity period. |
InstanceProfileCredentialsProvider
Parameter | Description |
---|---|
fs.jfs.cache.credentials.provider | com.aliyun.emr.fs.auth.InstanceProfileCredentialsProvider |