fix: avoid persisting inline OSS credentials in jindofsx

Author: CAICAIIs

pkg/ddc/jindofsx/transform.go

@@ -359,14 +359,8 @@ func (e *JindoFSxEngine) transformMaster(runtime *datav1alpha1.JindoRuntime, met
 				return
 			}
 			ossBucketName = rm[2]
-			if mount.Options["fs.oss.accessKeyId"] != "" {
-				propertiesFileStore["jindofsx.oss.bucket."+ossBucketName+".accessKeyId"] = mount.Options["fs.oss.accessKeyId"]
-			}
-			if mount.Options["fs.oss.accessKeySecret"] != "" {
-				propertiesFileStore["jindofsx.oss.bucket."+ossBucketName+".accessKeySecret"] = mount.Options["fs.oss.accessKeySecret"]
-			}
 			if mount.Options["fs.oss.endpoint"] == "" {
-				err = fmt.Errorf("oss endpoint can not be null, please check <fs.oss.accessKeySecret> option")
+				err = fmt.Errorf("oss endpoint can not be null, please check <fs.oss.endpoint> option")
 				e.Log.Error(err, "oss endpoint can not be null")
 				return
 			}
@@ -442,10 +436,10 @@ func (e *JindoFSxEngine) transformMaster(runtime *datav1alpha1.JindoRuntime, met
 					value.BucketSecretPaths[ossBucketName] = secretURI
 
 					itemPath := ""
-					if key == "fs.oss.accessKeyId" {
+					switch key {
+					case "fs.oss.accessKeyId":
 						itemPath = ossBucketName + "/AccessKeyId"
-					}
-					if key == "fs.oss.accessKeySecret" {
+					case "fs.oss.accessKeySecret":
 						itemPath = ossBucketName + "/AccessKeySecret"
 					}
 					if itemPath != "" {
@@ -460,7 +454,7 @@ func (e *JindoFSxEngine) transformMaster(runtime *datav1alpha1.JindoRuntime, met
 
 				secret, err := kubeclient.GetSecret(e.Client, secretKeyRef.Name, e.namespace)
 				if err != nil {
-					e.Log.Info("can't get the input secret from dataset", secretKeyRef.Name)
+					e.Log.Error(err, "can't get the input secret from dataset", "secretName", secretKeyRef.Name)
 					break
 				}
 				secretValue := string(secret.Data[secretKeyRef.Key])

pkg/ddc/jindofsx/transform_master_test.go

@@ -239,3 +239,53 @@ func TestJindoFSxEngine_transformMasterWithMultipleOSSEncryptOptions(t *testing.
 		t.Fatalf("expected bucket-b fuse credentials provider %q, got %q", jindoOSSCredentialsProvider, got)
 	}
 }
+
+func TestJindoFSxEngine_transformMasterDoesNotPersistInlineOSSCredentials(t *testing.T) {
+	s := runtime.NewScheme()
+	s.AddKnownTypes(datav1alpha1.GroupVersion, &datav1alpha1.JindoRuntime{}, &datav1alpha1.Dataset{})
+	_ = corev1.AddToScheme(s)
+
+	engine := JindoFSxEngine{
+		name:      "test",
+		namespace: "fluid",
+		Client:    fake.NewFakeClientWithScheme(s),
+		Log:       fake.NullLogger(),
+		runtime: &datav1alpha1.JindoRuntime{
+			Spec: datav1alpha1.JindoRuntimeSpec{
+				Fuse: datav1alpha1.JindoFuseSpec{},
+			},
+		},
+	}
+
+	dataset := &datav1alpha1.Dataset{
+		Spec: datav1alpha1.DatasetSpec{
+			Mounts: []datav1alpha1.Mount{{
+				MountPoint: "oss://bucket-a/data",
+				Name:       "mount-a",
+				Options: map[string]string{
+					"fs.oss.endpoint":        "oss-cn-shanghai.aliyuncs.com",
+					"fs.oss.accessKeyId":     "inline-ak",
+					"fs.oss.accessKeySecret": "inline-sk",
+				},
+			}},
+		},
+	}
+
+	value := &Jindo{}
+	if err := engine.transformMaster(engine.runtime, "/test", value, dataset, true); err != nil {
+		t.Fatalf("transformMaster() error = %v", err)
+	}
+
+	if got := value.Master.FileStoreProperties["jindofsx.oss.bucket.bucket-a.endpoint"]; got != "oss-cn-shanghai.aliyuncs.com" {
+		t.Fatalf("expected bucket-a endpoint to be preserved, got %q", got)
+	}
+	if _, ok := value.Master.FileStoreProperties["jindofsx.oss.bucket.bucket-a.accessKeyId"]; ok {
+		t.Fatalf("expected inline bucket-a accessKeyId to stay out of fileStoreProperties")
+	}
+	if _, ok := value.Master.FileStoreProperties["jindofsx.oss.bucket.bucket-a.accessKeySecret"]; ok {
+		t.Fatalf("expected inline bucket-a accessKeySecret to stay out of fileStoreProperties")
+	}
+	if len(value.SecretProjections) != 0 {
+		t.Fatalf("expected no secret projections for inline credentials, got %d", len(value.SecretProjections))
+	}
+}