You can use a credential provider to store an encrypted AccessKey pair in a file. This prevents the AccessKey pair from being leaked.

Background information

You can use a Hadoop credential provider to store an encrypted AccessKey pair in a file. This prevents the AccessKey pair from being transmitted in plaintext. You can select an appropriate JindoOSS credential provider based on your business requirements.

Configure a JindoOSS credential provider

  1. Go to the SmartData service.
    1. Log on to the Alibaba Cloud EMR console.
    2. In the top navigation bar, select the region where your cluster resides. Select the resource group as required. By default, all resources of the account appear.
    3. Click the Cluster Management tab.
    4. On the Cluster Management page that appears, find the target cluster and click Details in the Actions column.
    5. In the left-side navigation pane, click Cluster Service and then SmartData.
  2. Go to the smartdata-site tab.
    1. Click the Configure tab.
    2. In the Service Configuration section, click the smartdata-site tab.
  3. Add configuration information.
    1. In the upper-right corner of the smartdata-site tab, click Custom Configuration.
    2. In the Add Configuration Item dialog box, add the parameter described in the following table.
      • Global configuration (for all buckets)
        Parameter | Description
        fs.jfs.cache.oss.credentials.provider | Specifies the implementation classes of com.aliyun.emr.fs.auth.AliyunCredentialsProvider. Separate multiple classes with commas (,). The system reads credential values in sequence until a valid credential value is found. Example: com.aliyun.emr.fs.auth.TemporaryAliyunCredentialsProvider,com.aliyun.emr.fs.auth.SimpleAliyunCredentialsProvider,com.aliyun.emr.fs.auth.EnvironmentVariableCredentialsProvider.

        For more information about credential providers, see Credential provider types.

      • Bucket-level configuration
        Parameter | Description
        fs.jfs.cache.oss.bucket.XXX.credentials.provider | Specifies the implementation classes of com.aliyun.emr.fs.auth.AliyunCredentialsProvider. Separate multiple classes with commas (,). The system reads credential values in sequence until a valid credential value is found. Example: com.aliyun.emr.fs.auth.TemporaryAliyunCredentialsProvider,com.aliyun.emr.fs.auth.SimpleAliyunCredentialsProvider,com.aliyun.emr.fs.auth.EnvironmentVariableCredentialsProvider.

        For more information about credential providers, see Credential provider types.

        Note: XXX indicates the name of an Object Storage Service (OSS) bucket.

Credential provider types

You can select different credential providers based on your business requirements. The following providers are supported:
  • Global configuration
    • TemporaryAliyunCredentialsProvider
      This provider is suitable for scenarios in which an AccessKey pair and a security token that have a validity period are used to access OSS.
      Parameter | Description
      fs.jfs.cache.oss.credentials.provider | com.aliyun.emr.fs.auth.TemporaryAliyunCredentialsProvider
      fs.jfs.cache.oss.accessKeyId | The AccessKey ID used to access OSS.
      fs.jfs.cache.oss.accessKeySecret | The AccessKey secret used to access OSS.
      fs.jfs.cache.oss.securityToken | The temporary security token used to access OSS.
    • SimpleAliyunCredentialsProvider
      This provider is suitable for scenarios in which an AccessKey pair with a long validity period is used to access OSS.
      Parameter | Description
      fs.jfs.cache.oss.credentials.provider | com.aliyun.emr.fs.auth.SimpleAliyunCredentialsProvider
      fs.jfs.cache.oss.accessKeyId | The AccessKey ID used to access OSS.
      fs.jfs.cache.oss.accessKeySecret | The AccessKey secret used to access OSS.
    • EnvironmentVariableCredentialsProvider
      To use this provider, you must configure the parameters described in the following table.
      Parameter | Description
      fs.jfs.cache.oss.credentials.provider | com.aliyun.emr.fs.auth.EnvironmentVariableCredentialsProvider
      ALIYUN_ACCESS_KEY_ID | The AccessKey ID used to access OSS.
      ALIYUN_ACCESS_KEY_SECRET | The AccessKey secret used to access OSS.
      ALIYUN_SECURITY_TOKEN | The temporary security token used to access OSS. Note: This parameter is required only when you configure a token that has a validity period.
    • InstanceProfileCredentialsProvider
      This provider does not require an AccessKey pair. You can access OSS in password-free mode.
      Parameter | Description
      fs.jfs.cache.oss.credentials.provider | com.aliyun.emr.fs.auth.InstanceProfileCredentialsProvider
  • Bucket-level configuration
    • TemporaryAliyunCredentialsProvider
      This provider is suitable for scenarios in which an AccessKey pair and a security token that have a validity period are used to access OSS.
      Parameter | Description
      fs.jfs.cache.oss.bucket.XXX.credentials.provider | com.aliyun.emr.fs.auth.TemporaryAliyunCredentialsProvider
      fs.jfs.cache.oss.bucket.XXX.accessKeyId | The AccessKey ID used to access an OSS bucket.
      fs.jfs.cache.oss.bucket.XXX.accessKeySecret | The AccessKey secret used to access the OSS bucket.
      fs.jfs.cache.oss.bucket.XXX.securityToken | The temporary security token used to access the OSS bucket.
    • SimpleAliyunCredentialsProvider
      This provider is suitable for scenarios in which an AccessKey pair with a long validity period is used to access OSS.
      Parameter | Description
      fs.jfs.cache.oss.bucket.XXX.credentials.provider | com.aliyun.emr.fs.auth.SimpleAliyunCredentialsProvider
      fs.jfs.cache.oss.bucket.XXX.accessKeyId | The AccessKey ID used to access an OSS bucket.
      fs.jfs.cache.oss.bucket.XXX.accessKeySecret | The AccessKey secret used to access the OSS bucket.
    • EnvironmentVariableCredentialsProvider
      To use this provider, you must configure the parameters described in the following table.
      Parameter | Description
      fs.jfs.cache.oss.bucket.XXX.credentials.provider | com.aliyun.emr.fs.auth.EnvironmentVariableCredentialsProvider
      ALIYUN_ACCESS_KEY_ID | The AccessKey ID used to access an OSS bucket.
      ALIYUN_ACCESS_KEY_SECRET | The AccessKey secret used to access the OSS bucket.
      ALIYUN_SECURITY_TOKEN | The temporary security token used to access the OSS bucket. Note: This parameter is required only when you configure a token that has a validity period.
    • InstanceProfileCredentialsProvider
      This provider does not require an AccessKey pair. You can access OSS in password-free mode.
      Parameter | Description
      fs.jfs.cache.oss.bucket.XXX.credentials.provider | com.aliyun.emr.fs.auth.InstanceProfileCredentialsProvider

Use a Hadoop credential provider to store AccessKey pair information

Note: For more information about Hadoop credential providers, see CredentialProvider API Guide.

Use a command that is provided by Hadoop to store the AccessKey pair and security token information in a credential file. Syntax:
hadoop credential <subcommand> [options]
For example, in global configuration mode, store the AccessKey pair and token information in a JCEKS file. You can protect the file by using file permissions, or you can specify a password to encrypt the information that you want to store. If you do not specify a password, the default string is used for encryption.
hadoop credential create fs.jfs.cache.oss.accessKeyId -value AAA -provider jceks://file/root/oss.jceks
hadoop credential create fs.jfs.cache.oss.accessKeySecret -value BBB -provider jceks://file/root/oss.jceks
hadoop credential create fs.jfs.cache.oss.securityToken -value CCC -provider jceks://file/root/oss.jceks
After a credential file is generated, you must configure the parameter described in the following table to specify the provider type and location.
Parameter | Description
fs.jfs.cache.oss.security.credential.provider.path | The path of the credential file that stores the AccessKey pair information.

For example, you can set this parameter to jceks://file/${user.home}/oss.jceks, which indicates that the oss.jceks file is stored in the home directory.
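
A check that ties together the plaintext parameters in the tables above and the credential file described in this section, as an added example that is not Alibaba Cloud's or Hadoop's own code: it flags AccessKey settings left in plaintext and a local JCEKS file that other users can read, which matters because the file relies on file permissions when no password is specified. The function names, the sample settings and the demo-bucket name are assumptions made for illustration.

```python
import os
import re
import stat
from urllib.parse import urlparse

# Secret-bearing keys from the tables on this page; the optional group matches
# the bucket-level form fs.jfs.cache.oss.bucket.XXX.<field>.
SECRET_KEY = re.compile(
    r"^fs\.jfs\.cache\.oss\.(?:bucket\.(?P<bucket>[^.]+)\.)?"
    r"(?P<field>accessKeyId|accessKeySecret|securityToken)$")
PROVIDER_PATH = "fs.jfs.cache.oss.security.credential.provider.path"


def local_keystore(uri, home=None):
    """Map jceks://file/<path> to a local path; None for any other store."""
    uri = uri.replace("${user.home}", home or os.path.expanduser("~"))
    parts = urlparse(uri)
    if parts.scheme != "jceks" or parts.netloc != "file":
        return None
    return "/" + parts.path.lstrip("/")


def audit(conf, home=None):
    """Return sorted findings for a dict of smartdata-site settings."""
    findings = []
    for key, value in conf.items():
        match = SECRET_KEY.match(key)
        if match and value:  # secret sits in the config, not in the keystore
            scope = match.group("bucket") or "global"
            findings.append(f"plaintext {match.group('field')} ({scope})")
    path = local_keystore(conf.get(PROVIDER_PATH, ""), home)
    if path and not os.path.exists(path):
        findings.append(f"{path} does not exist")
    elif path:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:  # any group or other permission bit is set
            findings.append(f"{path} is mode {mode:o}, expected 600")
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample settings; AAA/BBB are the page's placeholder values.
    sample = {
        "fs.jfs.cache.oss.accessKeyId": "AAA",
        "fs.jfs.cache.oss.bucket.demo-bucket.accessKeySecret": "BBB",
        PROVIDER_PATH: "jceks://file/${user.home}/oss.jceks",
    }
    for finding in audit(sample):
        print(finding)
```

When -value is omitted, hadoop credential create prompts for the secret, which keeps it out of shell history and the process list. Hadoop reads a custom keystore password from the HADOOP_CREDSTORE_PASSWORD environment variable.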