
E-MapReduce: Use a credential provider

Last Updated: Mar 26, 2026

A credential provider encrypts your AccessKey pair and saves it to a file, preventing the credentials from being transmitted in plaintext. Hardcoded or plaintext credentials in configuration files are a common source of security incidents — they can be accidentally committed to source control, logged to consoles, or exposed in bug reports. JindoOSS supports multiple credential providers so you can choose the authentication method that fits your setup.

Important

JindoOSS credential providers and Hadoop credential providers are two distinct mechanisms. JindoOSS credential providers are implementation classes that determine *how* JindoOSS authenticates to Object Storage Service (OSS). Hadoop credential providers are a separate storage mechanism for saving secrets — such as AccessKey pairs — into an encrypted JCEKS file. You can use both together: select a JindoOSS credential provider type, and optionally store the credentials it needs in a JCEKS file.

Choose a credential provider

JindoOSS supports four credential provider types. Select the one that matches your authentication scenario:

| Scenario | Provider |
| --- | --- |
| Temporary credentials with a security token | TemporaryAliyunCredentialsProvider |
| Long-lived AccessKey pair | SimpleAliyunCredentialsProvider |
| Credentials in environment variables | EnvironmentVariableCredentialsProvider |
| Password-free access via instance RAM role | InstanceProfileCredentialsProvider |

Configure a JindoOSS credential provider

Configure the credential provider in the SmartData service settings in the EMR console. You can apply the configuration globally (all OSS buckets) or at the bucket level (a specific OSS bucket).

Prerequisites

Before you begin, ensure that you have:

Configure the provider

  1. Go to the SmartData service configuration.

    1. Log on to the Alibaba Cloud EMR console.

    2. In the top navigation bar, select the region where your cluster resides. Select a resource group if needed. By default, all resources of the account appear.

    3. Click the Cluster Management tab.

    4. Find your cluster and click Details in the Actions column.

    5. In the left-side navigation pane, click Cluster Service > SmartData.

  2. Open the smartdata-site configuration tab.

    1. Click the Configure tab.

    2. In the Service Configuration section, click the smartdata-site tab.

  3. Add the credential provider parameter.

    1. In the upper-right corner of the smartdata-site tab, click Custom Configuration.

    2. In the Add Configuration Item dialog box, add the parameter based on whether you want global or bucket-level configuration:

    Global configuration (applies to all OSS buckets):

    | Parameter | Value |
    | --- | --- |
    | fs.jfs.cache.oss.credentials.provider | The implementation class of com.aliyun.emr.fs.auth.AliyunCredentialsProvider. To chain multiple providers, separate them with commas. The system reads each provider in order until it finds valid credentials. Example: com.aliyun.emr.fs.auth.TemporaryAliyunCredentialsProvider,com.aliyun.emr.fs.auth.SimpleAliyunCredentialsProvider,com.aliyun.emr.fs.auth.EnvironmentVariableCredentialsProvider |

    Bucket-level configuration (applies to a specific OSS bucket):

    | Parameter | Value |
    | --- | --- |
    | fs.jfs.cache.oss.bucket.XXX.credentials.provider | Same as above. Replace XXX with the name of the OSS bucket. |

Credential provider types

Temporary credentials (TemporaryAliyunCredentialsProvider)

Use this provider when authenticating with a temporary AccessKey pair and security token. Temporary credentials have a validity period, which reduces exposure if credentials are leaked.

Global configuration parameters:

| Parameter | Description |
| --- | --- |
| fs.jfs.cache.oss.credentials.provider | com.aliyun.emr.fs.auth.TemporaryAliyunCredentialsProvider |
| fs.jfs.cache.oss.accessKeyId | AccessKey ID for accessing OSS |
| fs.jfs.cache.oss.accessKeySecret | AccessKey Secret for accessing OSS |
| fs.jfs.cache.oss.securityToken | Temporary security token for accessing OSS |

Bucket-level configuration parameters:

| Parameter | Description |
| --- | --- |
| fs.jfs.cache.oss.bucket.XXX.credentials.provider | com.aliyun.emr.fs.auth.TemporaryAliyunCredentialsProvider |
| fs.jfs.cache.oss.bucket.XXX.accessKeyId | AccessKey ID for accessing the OSS bucket |
| fs.jfs.cache.oss.bucket.XXX.accessKeySecret | AccessKey Secret for accessing the OSS bucket |
| fs.jfs.cache.oss.bucket.XXX.securityToken | Temporary security token for accessing the OSS bucket |

Long-lived credentials (SimpleAliyunCredentialsProvider)

Use this provider when authenticating with an AccessKey pair that has a long validity period (no security token required).

Global configuration parameters:

| Parameter | Description |
| --- | --- |
| fs.jfs.cache.oss.credentials.provider | com.aliyun.emr.fs.auth.SimpleAliyunCredentialsProvider |
| fs.jfs.cache.oss.accessKeyId | AccessKey ID for accessing OSS |
| fs.jfs.cache.oss.accessKeySecret | AccessKey Secret for accessing OSS |

Bucket-level configuration parameters:

| Parameter | Description |
| --- | --- |
| fs.jfs.cache.oss.bucket.XXX.credentials.provider | com.aliyun.emr.fs.auth.SimpleAliyunCredentialsProvider |
| fs.jfs.cache.oss.bucket.XXX.accessKeyId | AccessKey ID for accessing the OSS bucket |
| fs.jfs.cache.oss.bucket.XXX.accessKeySecret | AccessKey Secret for accessing the OSS bucket |

Environment variable credentials (EnvironmentVariableCredentialsProvider)

Use this provider when credentials are stored as environment variables on the cluster nodes.

Global configuration parameters:

| Parameter | Description |
| --- | --- |
| fs.jfs.cache.oss.credentials.provider | com.aliyun.emr.fs.auth.EnvironmentVariableCredentialsProvider |
| ALIYUN_ACCESS_KEY_ID | AccessKey ID for accessing OSS |
| ALIYUN_ACCESS_KEY_SECRET | AccessKey Secret for accessing OSS |
| ALIYUN_SECURITY_TOKEN | Temporary security token (required only when using credentials with a validity period) |

Bucket-level configuration parameters:

| Parameter | Description |
| --- | --- |
| fs.jfs.cache.oss.bucket.XXX.credentials.provider | com.aliyun.emr.fs.auth.EnvironmentVariableCredentialsProvider |
| ALIYUN_ACCESS_KEY_ID | AccessKey ID for accessing the OSS bucket |
| ALIYUN_ACCESS_KEY_SECRET | AccessKey Secret for accessing the OSS bucket |
| ALIYUN_SECURITY_TOKEN | Temporary security token (required only when using credentials with a validity period) |

Password-free access (InstanceProfileCredentialsProvider)

Use this provider to access OSS in password-free mode. No AccessKey pair is required.

Global configuration parameters:

| Parameter | Description |
| --- | --- |
| fs.jfs.cache.oss.credentials.provider | com.aliyun.emr.fs.auth.InstanceProfileCredentialsProvider |

Bucket-level configuration parameters:

| Parameter | Description |
| --- | --- |
| fs.jfs.cache.oss.bucket.XXX.credentials.provider | com.aliyun.emr.fs.auth.InstanceProfileCredentialsProvider |

Store credentials in an encrypted JCEKS file

Instead of setting credential values directly in the SmartData configuration, you can save them to an encrypted Java KeyStore (JCEKS) file using the Hadoop credential provider. This keeps the actual secret values out of the configuration entirely.

For more information about the Hadoop credential provider API, see the CredentialProvider API Guide.

Step 1: Create the credential file

Run the following hadoop credential create commands to store your AccessKey pair and security token in a JCEKS file. This example uses global configuration with the file stored at /root/oss.jceks:

hadoop credential create fs.jfs.cache.oss.accessKeyId -value AAA -provider jceks://file/root/oss.jceks
hadoop credential create fs.jfs.cache.oss.accessKeySecret -value BBB -provider jceks://file/root/oss.jceks
hadoop credential create fs.jfs.cache.oss.securityToken -value CCC -provider jceks://file/root/oss.jceks

The JCEKS file is encrypted. To protect it, either restrict access using file permissions or specify a password during creation. If no password is specified, the default encryption string is used, so file permissions are then the only thing that keeps the stored values private.

Command syntax reference:

hadoop credential <subcommand> [options]

Step 2: Configure the credential file path

After generating the JCEKS file, add the following parameter to the smartdata-site configuration to tell JindoOSS where to find it:

| Parameter | Description |
| --- | --- |
| fs.jfs.cache.oss.security.credential.provider.path | Path to the JCEKS credential file. Example: jceks://file/${user.home}/oss.jceks stores the file in the home directory. |
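
A pre-deployment check for the settings described on this page, as an added example (not Alibaba Cloud or JindoOSS code): it flags credential values left inline in a smartdata-site property set, at global or bucket level, and checks that a local JCEKS file named by the path parameter is not accessible to group or other. The property dict, the finding codes and the function names are assumptions made for this example, and `${user.home}` is handled by plain string substitution.

```python
import os
import re
import stat

# Property names are the ones listed on this page; XXX is the bucket name.
CRED_KEY = re.compile(
    r"^fs\.jfs\.cache\.oss\.(bucket\.[^.]+\.)?"
    r"(accessKeyId|accessKeySecret|securityToken)$")
PATH_KEY = "fs.jfs.cache.oss.security.credential.provider.path"


def jceks_local_path(uri, home=None):
    """Map jceks://file/<path> to a local path; None for any other scheme."""
    prefix = "jceks://file"
    if not uri.startswith(prefix + "/"):
        return None
    home = home or os.path.expanduser("~")
    path = uri[len(prefix):].replace("${user.home}", home)
    return re.sub(r"/{2,}", "/", path)


def audit(props, home=None):
    """Return sorted (code, detail) findings for a smartdata-site dict."""
    findings = [("inline-credential", k)
                for k, v in props.items() if CRED_KEY.match(k) and v]
    uri = props.get(PATH_KEY)
    if uri is None:
        return sorted(findings)
    path = jceks_local_path(uri, home)
    if path is None:
        findings.append(("jceks-not-local", uri))  # not checked here
    elif not os.path.isfile(path):
        findings.append(("jceks-missing", path))
    else:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:  # any group/other permission bit is set
            findings.append(("jceks-permissions", f"{path} mode {mode:03o}"))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample: a bucket-level secret left inline beside a JCEKS path.
    sample = {
        "fs.jfs.cache.oss.credentials.provider":
            "com.aliyun.emr.fs.auth.SimpleAliyunCredentialsProvider",
        "fs.jfs.cache.oss.bucket.logs.accessKeySecret": "BBB",
        PATH_KEY: "jceks://file/root/oss.jceks",
    }
    for code, detail in audit(sample):
        print(code, detail)
```

An empty result means no inline credential values were found and the JCEKS file, if one is configured locally, is readable only by its owner.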
