You can use a credential provider to save an encrypted AccessKey pair in a file. This prevents the AccessKey pair from being leaked.

Background information

E-MapReduce (EMR) V3.30.0 provides a JindoOSS credential provider. You can use a Hadoop credential provider to save an encrypted AccessKey pair in a file. This prevents the AccessKey pair from being transmitted in plaintext. You can select an appropriate JindoOSS credential provider based on your requirements.

Configure a JindoOSS credential provider

  1. Go to the SmartData service.
    1. Log on to the Alibaba Cloud EMR console.
    2. In the top navigation bar, select the region where your cluster resides. Select the resource group as required. By default, all resources of the account appear.
    3. Click the Cluster Management tab.
    4. On the Cluster Management page that appears, find the target cluster and click Details in the Actions column.
    5. In the left-side navigation pane, click Cluster Service and then SmartData.
  2. Go to the smartdata-site tab.
    1. Click the Configure tab.
    2. In the Service Configuration section, click the smartdata-site tab.
  3. Add configuration information.
    1. In the upper-right corner of the smartdata-site tab, click Custom Configuration.
    2. In the Add Configuration Item dialog box, add the parameter described in the following table.
      | Parameter | Description |
      | --- | --- |
      | fs.jfs.cache.credentials.provider | Specifies the implementation classes of com.aliyun.emr.fs.auth.AliyunCredentialsProvider. Separate multiple classes with commas (,). The providers are read in sequence until a valid credential value is found. Example: com.aliyun.emr.fs.auth.TemporaryAliyunCredentialsProvider,com.aliyun.emr.fs.auth.SimpleAliyunCredentialsProvider,com.aliyun.emr.fs.auth.EnvironmentVariableCredentialsProvider |
      You can select different credential providers based on your requirements. The following providers are supported:

Use a Hadoop credential provider to store AccessKey pair information

Note: For more information about Hadoop credential providers, see CredentialProvider API Guide.

fs.jfs.cache.oss.accessKeyId, fs.jfs.cache.oss.accessKeySecret, and fs.jfs.cache.oss.securityToken can be stored in Hadoop credential providers.

Use the credential command that is provided by Hadoop to store the AccessKey pair and security token information in a credential file. Command syntax:
hadoop credential <subcommand> [options]
For example, store the AccessKey pair and token information in a jceks file. jceks indicates a Java keystore provider. You can protect the file by using file permissions, or you can specify a key to encrypt the information that you want to store. If you do not specify a key, the default string is used for encryption.
hadoop credential create fs.jfs.cache.oss.accessKeyId -value AAA -provider jceks://file/root/oss.jceks
hadoop credential create fs.jfs.cache.oss.accessKeySecret -value BBB -provider jceks://file/root/oss.jceks
hadoop credential create fs.jfs.cache.oss.securityToken -value CCC -provider jceks://file/root/oss.jceks
After a credential file is generated, you must configure the parameter described in the following table to specify the provider type and location.
| Parameter | Description |
| --- | --- |
| fs.jfs.cache.oss.security.credential.provider.path | The path of the credential file that stores the AccessKey pair information. |

For example, you can set this parameter to jceks://file/${user.home}/oss.jceks, which indicates that the oss.jceks file is stored in the home directory.
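The advice above to protect the credential file with file permissions can be checked mechanically. The following audit script is an added example, not Alibaba Cloud or Hadoop code: it resolves a local jceks provider path, verifies that the store is owner-only, and flags configuration files that still name the fs.jfs.cache.oss.* secrets directly. It assumes the configuration is available as a Hadoop-style XML property file; the function names and the demo input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Alibaba Cloud code): audit a JindoOSS credential setup.

# Map a provider URI such as jceks://file/root/oss.jceks to its local path.
jceks_local_path() {
    case "$1" in
        jceks://file/*) printf '/%s\n' "${1#jceks://file/}" ;;
        *) return 1 ;;
    esac
}

# Succeed only if the store exists and grants nothing to group or other.
store_is_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# List the fs.jfs.cache.oss.* secrets a Hadoop-style XML file names directly.
plaintext_secrets() {
    for key in accessKeyId accessKeySecret securityToken; do
        if grep -F -q "<name>fs.jfs.cache.oss.$key</name>" "$1"; then
            printf '%s\n' "fs.jfs.cache.oss.$key"
        fi
    done
}

# audit <config.xml> <provider-uri>: returns 0 only when both checks pass.
audit() {
    status=0
    leaked=$(plaintext_secrets "$1")
    if [ -n "$leaked" ]; then
        echo "FAIL: plaintext in $1:" $leaked
        status=1
    fi
    if ! path=$(jceks_local_path "$2"); then
        echo "FAIL: not a local jceks provider: $2"; return 1
    fi
    if ! store_is_private "$path"; then
        echo "FAIL: $path is missing or open to group/other"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $path"
    return "$status"
}
# Constructed demo input: a config that still names the secret, a 0644 store.
demo=$(mktemp -d)
printf '<property><name>fs.jfs.cache.oss.accessKeySecret</name><value>BBB</value></property>\n' > "$demo/site.xml"
: > "$demo/oss.jceks"; chmod 644 "$demo/oss.jceks"
audit "$demo/site.xml" "jceks://file$demo/oss.jceks" || true
rm -rf "$demo"
```

When you create the store, omitting -value makes hadoop credential create prompt for the secret, which keeps it out of shell history and the process list. Because a store created without a key is encrypted with a default string, owner-only permissions are what actually protect it.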

TemporaryAliyunCredentialsProvider

This provider is suitable for scenarios in which AccessKey pair and security token information that has a validity period is used to access OSS.
| Parameter | Description |
| --- | --- |
| fs.jfs.cache.credentials.provider | com.aliyun.emr.fs.auth.TemporaryAliyunCredentialsProvider |
| fs.jfs.cache.oss.accessKeyId | The AccessKey ID used to access OSS. |
| fs.jfs.cache.oss.accessKeySecret | The AccessKey secret used to access OSS. |
| fs.jfs.cache.oss.securityToken | The temporary security token that is used to access OSS. |

SimpleAliyunCredentialsProvider

This provider is suitable for scenarios in which an AccessKey pair with a long validity period is used to access OSS.
| Parameter | Description |
| --- | --- |
| fs.jfs.cache.credentials.provider | com.aliyun.emr.fs.auth.SimpleAliyunCredentialsProvider |
| fs.jfs.cache.oss.accessKeyId | The AccessKey ID used to access OSS. |
| fs.jfs.cache.oss.accessKeySecret | The AccessKey secret used to access OSS. |

EnvironmentVariableCredentialsProvider

To use this provider, you must configure the parameters described in the following table.
| Parameter | Description |
| --- | --- |
| fs.jfs.cache.credentials.provider | com.aliyun.emr.fs.auth.EnvironmentVariableCredentialsProvider |
| ALIYUN_ACCESS_KEY_ID | The AccessKey ID used to access OSS. |
| ALIYUN_ACCESS_KEY_SECRET | The AccessKey secret used to access OSS. |
| ALIYUN_SECURITY_TOKEN | The temporary security token that is used to access OSS. Note: This parameter is required only when you configure a token that has a validity period. |

InstanceProfileCredentialsProvider

This provider does not require an AccessKey pair. You can access OSS in password-free mode.
| Parameter | Description |
| --- | --- |
| fs.jfs.cache.credentials.provider | com.aliyun.emr.fs.auth.InstanceProfileCredentialsProvider |