SmartData 3.4.0 and later support JindoFS OSS credential providers. You can use a JindoFS OSS credential provider to save an encrypted AccessKey pair in a file. This prevents the AccessKey pair from being leaked.

Limits

JindoRangerCredentialsProvider and AssumeRoleStsCredentialsProvider are available only in SmartData 3.8.0 and later.

Configure a JindoFS OSS credential provider

  1. Go to the SmartData service page.
    1. Log on to the Alibaba Cloud EMR console.
    2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
    3. Click the Cluster Management tab.
    4. On the Cluster Management page, find your cluster and click Details in the Actions column.
    5. In the left-side navigation pane of the page that appears, choose Cluster Service > SmartData.
    6. Click the Configure tab.
  2. Add or modify configurations based on the configuration method.
    Configuration method: Description
    Global configuration (for all buckets): In the Configuration Filter section, search for the fs.jfs.cache.oss.credentials.provider parameter and append the required implementation class of AliyunCredentialsProvider to the end of the parameter value. If you want to add multiple classes, separate them with commas (,). The system reads credential values in sequence until a valid credential value is found. For more information about the configuration of this parameter, see Global configuration.

    Example: com.aliyun.emr.fs.auth.TemporaryAliyunCredentialsProvider, com.aliyun.emr.fs.auth.SimpleAliyunCredentialsProvider, com.aliyun.emr.fs.auth.EnvironmentVariableCredentialsProvider.

    Bucket-level configuration: Perform the following steps to add configurations:
    1. In the upper-right corner of the smartdata-site tab, click Custom Configuration.
      Notice: If you use JindoRangerCredentialsProvider, you must add configurations on the namespace tab.
    2. In the Add Configuration Item dialog box, set Key to fs.jfs.cache.oss.bucket.XXX.credentials.provider and Value to the required implementation class of com.aliyun.emr.fs.auth.AliyunCredentialsProvider. If you want to add multiple classes, separate them with commas (,). The system reads credential values in sequence until a valid credential value is found. For more information about the configuration of this parameter, see Bucket-level configuration.

      Example: com.aliyun.emr.fs.auth.TemporaryAliyunCredentialsProvider, com.aliyun.emr.fs.auth.SimpleAliyunCredentialsProvider, com.aliyun.emr.fs.auth.EnvironmentVariableCredentialsProvider.

      Note: XXX in fs.jfs.cache.oss.bucket.XXX.credentials.provider indicates the name of an OSS bucket.
    3. Click OK.
  3. Save the configurations.
    1. In the upper-right corner of the Service Configuration section, click Save.
    2. In the Confirm Changes dialog box, specify Description and turn on Auto-update Configuration.
    3. Click OK.

Global configuration

You can configure different credential providers based on your business requirements. The following table describes the supported credential providers.

Type: Description
TemporaryAliyunCredentialsProvider: This credential provider is suitable for scenarios in which an AccessKey pair with a validity period and a security token with a validity period are used to access OSS.
To use this credential provider, you must append com.aliyun.emr.fs.auth.TemporaryAliyunCredentialsProvider to the value of the fs.jfs.cache.oss.credentials.provider parameter and add the following configuration items on the smartdata-site tab:
  • fs.jfs.cache.oss.accessKeyId: the AccessKey ID that is used to access your OSS bucket.
  • fs.jfs.cache.oss.accessKeySecret: the AccessKey secret that is used to access your OSS bucket.
  • fs.jfs.cache.oss.securityToken: the temporary security token that is used to access your OSS bucket.
SimpleAliyunCredentialsProvider: This credential provider is suitable for scenarios in which an AccessKey pair with a long validity period is used to access OSS.
To use this credential provider, you must append com.aliyun.emr.fs.auth.SimpleAliyunCredentialsProvider to the value of the fs.jfs.cache.oss.credentials.provider parameter and add the following configuration items on the smartdata-site tab:
  • fs.jfs.cache.oss.accessKeyId: the AccessKey ID that is used to access your OSS bucket.
  • fs.jfs.cache.oss.accessKeySecret: the AccessKey secret that is used to access your OSS bucket.
EnvironmentVariableCredentialsProvider: To use this credential provider, you must configure the following parameters in the environment variable file:
  • fs.jfs.cache.oss.credentials.provider: Set this parameter to com.aliyun.emr.fs.auth.EnvironmentVariableCredentialsProvider.
  • ALIYUN_ACCESS_KEY_ID: the AccessKey ID that is used to access your OSS bucket.
  • ALIYUN_ACCESS_KEY_SECRET: the AccessKey secret that is used to access your OSS bucket.
  • ALIYUN_SECURITY_TOKEN: the temporary security token that is used to access your OSS bucket.
    Note: This parameter is required only if you configure a token that has a validity period.
JindoCommonCredentialsProvider: This is a common credential provider. After you configure the required parameters, you can use this credential provider in JindoOSS and JindoFS.
To use this credential provider, you must append com.aliyun.emr.fs.auth.JindoCommonCredentialsProvider to the value of the fs.jfs.cache.oss.credentials.provider parameter and add the following configuration items on the smartdata-site tab:
  • jindo.common.accessKeyId: the AccessKey ID that is used to access your OSS bucket.
  • jindo.common.accessKeySecret: the AccessKey secret that is used to access your OSS bucket.
  • jindo.common.securityToken: the temporary security token that is used to access your OSS bucket.
EcsStsCredentialsProvider: This credential provider does not require an AccessKey pair. You can access OSS in password-free mode.

To use this credential provider, you must append com.aliyun.emr.fs.auth.EcsStsCredentialsProvider to the value of the fs.jfs.cache.oss.credentials.provider parameter.

JindoRangerCredentialsProvider: This credential provider is suitable for scenarios in which you configure parameters in Ranger to control access to OSS.

To use this credential provider, you must append com.aliyun.emr.fs.auth.JindoRangerCredentialsProvider to the value of the fs.jfs.cache.oss.credentials.provider parameter and add a custom parameter whose name is namespace.oss.permission.method and value is ranger on the namespace tab.

Note: You must restart Jindo Namespace Service after you add the custom parameter. For more information, see Restart Jindo Namespace Service.
AssumeRoleStsCredentialsProvider: This credential provider is suitable for scenarios in which a temporary AccessKey pair that assumes a RAM role is obtained to access OSS.
To use this credential provider, you must append com.aliyun.emr.fs.auth.AssumeRoleStsCredentialsProvider to the value of the fs.jfs.cache.oss.credentials.provider parameter and add the following configuration items on the smartdata-site tab:
  • assume.role.sts.accessKeyId: the AccessKey ID that is obtained from Security Token Service (STS).
  • assume.role.sts.accessKeySecret: the AccessKey secret that is obtained from STS.
  • assume.role.sts.endpoint: the endpoint of STS. For more information, see Endpoints.
  • assume.role.roleArn: the Alibaba Cloud Resource Name (ARN) of the RAM role. The ARN is specified in the format of acs:ram::$accountID:role/$roleName. For information about how to view an ARN, see How do I view the ARN of a RAM role?.
  • assume.role.roleSessionName: the name of the role session. This is a custom configuration item. You can set this configuration item based on your requirements. For example, you can set this configuration item to a username.

Bucket-level configuration

You can configure different credential providers based on your business requirements. The following table describes the supported credential providers.

Type: Description
TemporaryAliyunCredentialsProvider: This credential provider is suitable for scenarios in which an AccessKey pair with a validity period and a security token with a validity period are used to access OSS.
To use this credential provider, you must set the fs.jfs.cache.oss.bucket.XXX.credentials.provider parameter to com.aliyun.emr.fs.auth.TemporaryAliyunCredentialsProvider and add the following configuration items on the smartdata-site tab:
  • fs.jfs.cache.oss.bucket.XXX.accessKeyId: the AccessKey ID that is used to access your OSS bucket.
  • fs.jfs.cache.oss.bucket.XXX.accessKeySecret: the AccessKey secret that is used to access your OSS bucket.
  • fs.jfs.cache.oss.bucket.XXX.securityToken: the temporary security token that is used to access your OSS bucket.
SimpleAliyunCredentialsProvider: This credential provider is suitable for scenarios in which an AccessKey pair with a long validity period is used to access OSS.
To use this credential provider, you must set the fs.jfs.cache.oss.bucket.XXX.credentials.provider parameter to com.aliyun.emr.fs.auth.SimpleAliyunCredentialsProvider and add the following configuration items on the smartdata-site tab:
  • fs.jfs.cache.oss.bucket.XXX.accessKeyId: the AccessKey ID that is used to access your OSS bucket.
  • fs.jfs.cache.oss.bucket.XXX.accessKeySecret: the AccessKey secret that is used to access your OSS bucket.
EnvironmentVariableCredentialsProvider: To use this credential provider, you must configure the following parameters in the environment variable file:
  • fs.jfs.cache.oss.bucket.XXX.credentials.provider: Set this parameter to com.aliyun.emr.fs.auth.EnvironmentVariableCredentialsProvider.
  • ALIYUN_ACCESS_KEY_ID: the AccessKey ID that is used to access your OSS bucket.
  • ALIYUN_ACCESS_KEY_SECRET: the AccessKey secret that is used to access your OSS bucket.
  • ALIYUN_SECURITY_TOKEN: the temporary security token that is used to access your OSS bucket.
    Note: This parameter is required only if you configure a token that has a validity period.
JindoCommonCredentialsProvider: This is a common credential provider. After you configure the required parameters, you can use this credential provider in JindoOSS and JindoFS.
To use this credential provider, you must set the fs.jfs.cache.oss.bucket.XXX.credentials.provider parameter to com.aliyun.emr.fs.auth.JindoCommonCredentialsProvider and add the following configuration items on the smartdata-site tab:
  • jindo.common.accessKeyId: the AccessKey ID that is used to access your OSS bucket.
  • jindo.common.accessKeySecret: the AccessKey secret that is used to access your OSS bucket.
  • jindo.common.securityToken: the temporary security token that is used to access your OSS bucket.
EcsStsCredentialsProvider: This credential provider does not require an AccessKey pair. You can access OSS in password-free mode.

To use this credential provider, you must set the fs.jfs.cache.oss.bucket.XXX.credentials.provider parameter to com.aliyun.emr.fs.auth.EcsStsCredentialsProvider.

JindoRangerCredentialsProvider: This credential provider is suitable for scenarios in which you configure parameters in Ranger to control access to OSS.

To use this credential provider, you must append com.aliyun.emr.fs.auth.JindoRangerCredentialsProvider to the value of the fs.jfs.cache.oss.bucket.XXX.credentials.provider parameter and add a custom parameter whose name is namespace.oss.permission.method and value is ranger on the namespace tab.

Note: You must restart Jindo Namespace Service after you add the custom parameter. For more information, see Restart Jindo Namespace Service.
AssumeRoleStsCredentialsProvider: This credential provider is suitable for scenarios in which a temporary AccessKey pair that assumes a RAM role is obtained to access OSS.
To use this credential provider, you must append com.aliyun.emr.fs.auth.AssumeRoleStsCredentialsProvider to the value of the fs.jfs.cache.oss.bucket.XXX.credentials.provider parameter and add the following configuration items on the smartdata-site tab:
  • assume.role.sts.accessKeyId: the AccessKey ID that is obtained from STS.
  • assume.role.sts.accessKeySecret: the AccessKey secret that is obtained from STS.
  • assume.role.sts.endpoint: the endpoint of STS. For more information, see Endpoints.
  • assume.role.roleArn: the ARN of the RAM role. The ARN is specified in the format of acs:ram::$accountID:role/$roleName. For information about how to view an ARN, see How do I view the ARN of a RAM role?.
  • assume.role.roleSessionName: the name of the role session. This is a custom configuration item. You can set this configuration item based on your requirements. For example, you can set this configuration item to a username.
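
The required-item lists in the global and bucket-level tables above can be checked before a configuration is saved. The following is an added example, not part of the EMR documentation or SmartData tooling: it audits a key/value export of the smartdata-site tab (and, for JindoRangerCredentialsProvider, the namespace tab) against those lists and flags chains that store a long-lived AccessKey pair. The function name audit, the dict input format and the sample values are assumptions made for illustration.

```python
import re
PKG, SUFFIX = "com.aliyun.emr.fs.auth.", ".credentials.provider"
ARN_RE = re.compile(r"^acs:ram::[^:/\s]+:role/[^/\s]+$")
AK = ["{p}.accessKeyId", "{p}.accessKeySecret"]  # {p}: fs.jfs.cache.oss[.bucket.<name>]
REQUIRED = {  # configuration items per provider, as listed in the tables on this page
    "TemporaryAliyunCredentialsProvider": AK + ["{p}.securityToken"],
    "SimpleAliyunCredentialsProvider": AK,
    "JindoCommonCredentialsProvider": ["jindo.common." + k for k in
        ("accessKeyId", "accessKeySecret", "securityToken")],
    "AssumeRoleStsCredentialsProvider": ["assume.role." + k for k in
        ("sts.accessKeyId", "sts.accessKeySecret", "sts.endpoint", "roleArn", "roleSessionName")],
    "EnvironmentVariableCredentialsProvider": [],  # values come from the environment
    "EcsStsCredentialsProvider": [],               # no AccessKey pair needed
    "JindoRangerCredentialsProvider": [],          # checked against the namespace tab
}

def audit(site, namespace=None):
    """Return (provider_key, message) findings for each provider chain in site."""
    findings = []
    for key, chain in site.items():
        if not (key.startswith("fs.jfs.cache.oss") and key.endswith(SUFFIX)):
            continue
        prefix = key[:-len(SUFFIX)]
        for cls in (c.strip() for c in chain.split(",")):
            name = cls[len(PKG):] if cls.startswith(PKG) else None
            if name not in REQUIRED:
                findings.append((key, f"unknown provider class: {cls}"))
                continue
            msgs = [f"missing {t.format(p=prefix)}" for t in REQUIRED[name]
                    if not site.get(t.format(p=prefix))]
            if name == "SimpleAliyunCredentialsProvider":
                msgs.append("long-lived AccessKey pair in config")
            ns = (namespace or {}).get("namespace.oss.permission.method")
            if name == "JindoRangerCredentialsProvider" and ns != "ranger":
                msgs.append("namespace.oss.permission.method is not ranger")
            arn = site.get("assume.role.roleArn")
            if name == "AssumeRoleStsCredentialsProvider" and arn and not ARN_RE.match(arn):
                msgs.append("roleArn is not acs:ram::$accountID:role/$roleName")
            findings += [(key, f"{name}: {m}") for m in msgs]
    return findings

SAMPLE_SITE = {  # constructed sample: bucket name and all values are placeholders
    "fs.jfs.cache.oss.bucket.examplebucket" + SUFFIX:
        PKG + "AssumeRoleStsCredentialsProvider, " + PKG + "SimpleAliyunCredentialsProvider",
    "fs.jfs.cache.oss.bucket.examplebucket.accessKeyId": "<access-key-id>",
    "assume.role.sts.accessKeyId": "<sts-key-id>", "assume.role.sts.accessKeySecret": "<sts-secret>",
    "assume.role.sts.endpoint": "<sts-endpoint>", "assume.role.roleSessionName": "<session>",
    "assume.role.roleArn": "acs:ram:<account-id>:role/<role-name>",  # one colon short of the format
}
```

Calling audit(SAMPLE_SITE) reports the malformed roleArn, the missing bucket-level accessKeySecret, and the long-lived AccessKey pair that the SimpleAliyunCredentialsProvider entry implies.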

Restart Jindo Namespace Service

If you use JindoRangerCredentialsProvider, you must restart Jindo Namespace Service after you add the required configuration items.

  1. In the upper-right corner of the Configure tab on the SmartData service page, choose Actions > Restart Jindo Namespace Service.
  2. In the Cluster Activities dialog box, specify Description and click OK.
  3. In the Confirm message, click OK.