-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding CredentialsProvider, deprecating PasswordProvider #9351
Comments
|
@maytasm3 thank you for taking a look.
I think the use cases of
I think this would be pretty rare, but it's still possible with a custom credential provider. |
@jihoonson Just to clarify, would this be impacting existing usages of getPassword() in any way? I would expect the only change would be |
Hi @a2l007, I think the internal usage would be pretty much same. But, the user-facing configurations would change which I expect to achieve in this proposal. For example, let say we changed public class AWSCredentialsConfig
{
@JsonProperty
@Deprecated
private PasswordProvider accessKey = new DefaultPasswordProvider("");
@JsonProperty
@Deprecated
private PasswordProvider secretKey = new DefaultPasswordProvider("");
@JsonProperty
private CredentialsProvider credentials = new DefaultCredentialsProvider();
...
} Then, the s3 credentials configurations would be changed from
@JsonCreator
public HttpInputSource(
@JsonProperty("uris") List<URI> uris,
@JsonProperty("httpAuthenticationUsername") @Deprecated @Nullable String httpAuthenticationUsername,
@JsonProperty("httpAuthenticationPassword") @Deprecated @Nullable PasswordProvider httpAuthenticationPasswordProvider,
@JsonProperty("httpAuthentication") @Nullable CredentialsProvider httpAuthentication
) The new "inputSource": {
"type": "http",
"uris": ["http://example.com/uri1", "http://example2.com/uri2"],
"httpAuthenticationUsername": "username",
"httpAuthenticationPassword": {
"type": "environment",
"variable": "MY_PASSWORD_VAR"
}
} to "inputSource": {
"type": "http",
"uris": ["http://example.com/uri1", "http://example2.com/uri2"],
"httpAuthentication": {
"type": "environment",
"userNameVariable": "MY_USER_NAME_VAR",
"passwordVariable": "MY_PASSWORD_VAR"
}
} |
@jihoonson Thanks for the clarification. SGTM |
@a2l007 thank you for taking a look! |
coming back to peek into Druid PRs after a while and noticed this. Just wanted to let you know of #6666 which proposes something related for other reasons and it would be good to have that in mind as well. Also, wouldn't
be more generic then which can handle more than two logically related secrets.
For DB , In all the places I used druid, username was never a secret . Also I see some passwords in https://druid.apache.org/docs/latest/development/extensions-core/druid-basic-security.html which don't necessarily need an "account". I am not saying that we need to keep |
@himanshug thank you for bring up #6666. That's a really good point.
Hmm, should one
Good point. I think these are pretty rare cases and still can be handled by the |
For example, https://github.com/apache/druid/blob/master/extensions-core/simple-client-sslcontext/src/main/java/org/apache/druid/https/SSLClientConfig.java has three secrets which could be logically related
as you wanna get a snapshot of secrets in single call , if the code needs to make two/multiple calls to hopefully it made sense or I need to be more descriptive :) |
@himanshug makes sense. I updated the proposal. Thanks for comments! |
@jihoonson Hi! I want to know is there any plan to deprecate PasswordProvider. I see it marked as deprecate in code, but only few classes use DynamicConfigProvider which claimed to replace PasswordProvider. I think DynamicConfigProvider not very convenience in some places. For example, when user use config with single String like |
Hi @bananaaggle, I just left some comments on the PR.
I still think we should deprecate
, but construct a |
Hi @jihoonson! I make some attempts to adapt some classes to DynamicConfigProvider in #11389. I think we can provide DynamicConfigProvider for users in config, and users should know which key needed in a map. For example, if users want to add
When we deprecate |
Motivation
We are using
PasswordProvider
to secure user passwords in various places. However, it doesn't secure the user name (or account whatever).Proposed changes
This proposal is to add a new class
CredentialsProvider
. Similar toPasswordProvider
, theCredentialsProvider
provides various ways to get the user credential, but both user name and password.Rationale
Since the
PasswordProvider
has one method ofgetPassword()
, we are already using two differentPasswordProvider
s to secure both user name and password in some places.AWSCredentialsConfig
is an example:This is not good for user experience because they generally prefer to secure their account and password in the same way.
Operational impact
The
PasswordProvider
will be deprecated in favor of the newCredentialsProvider
. This would deprecate some configurations as well, but they will be still supported in a couple of next releases.The text was updated successfully, but these errors were encountered: