Hi, Thanks for sharing your thought. Are there any other thoughts?
Thanks, -- kou In <62c41c00-a5ad-4f1f-942b-54ffaa43b...@python.org> "Re: [DISCUSS][C++] Should we disallow storage account key in Azure file system URL?" on Thu, 12 Sep 2024 10:40:10 +0200, Antoine Pitrou <anto...@python.org> wrote: > > Hi, > > I sympathize with the security argument. If no other library allows > for embedding the Azure password directly in the URL, then I would be > ok for deprecating it. > > Regards > > Antoine. > > > Le 10/09/2024 à 03:24, Sutou Kouhei a écrit : >> Hi, >> The current Azure file system URI accepts account key as >> "password" field: >> https://github.com/apache/arrow/blob/f3dd298bd32f6dc38654680c49b3f1fbf97e3d5f/cpp/src/arrow/filesystem/azurefs.h#L147-L152 >> Should we disallow it? >> (I don't have a strong opinion for this.) >> Related issue: https://github.com/apache/arrow/issues/43197 >> It focus on compatibility with products that support Azure >> Blob File System URL mainly. But it also focus on security. >> Random notes: >> * The account key ("password" field) isn't used in URL of >> real API calls. It's just used to build related objects of >> Azure SDK for C++. >> * The URI specification (RFC 3986) deprecates >> the "user:password" format: >> https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.1 >> Thanks,