fix: avoid persisting inline OSS credentials in jindocache

Author: CAICAIIs

pkg/ddc/jindocache/transform.go

@@ -465,12 +465,6 @@ func (e *JindoCacheEngine) transformMaster(runtime *datav1alpha1.JindoRuntime, m
 				return err
 			}
 			propertiesFileStore["jindocache.oss.bucket."+ossBucketName+".endpoint"] = mount.Options["fs.oss.endpoint"]
-			if mount.Options["fs.oss.accessKeyId"] != "" {
-				propertiesFileStore["jindocache.oss.bucket."+ossBucketName+".accessKeyId"] = mount.Options["fs.oss.accessKeyId"]
-			}
-			if mount.Options["fs.oss.accessKeySecret"] != "" {
-				propertiesFileStore["jindocache.oss.bucket."+ossBucketName+".accessKeySecret"] = mount.Options["fs.oss.accessKeySecret"]
-			}
 			if strings.Contains(mount.Options["fs.oss.endpoint"], "dls") {
 				propertiesFileStore["jindocache.oss.bucket."+ossBucketName+".data.lake.storage.enable"] = "true"
 			}

pkg/ddc/jindocache/transform_test.go

@@ -1752,6 +1752,56 @@ func TestJindoCacheEngine_transformMasterWithMultipleOSSEncryptOptions(t *testin
 	}
 }
 
+func TestJindoCacheEngine_transformMasterDoesNotPersistInlineOSSCredentials(t *testing.T) {
+	s := runtime.NewScheme()
+	s.AddKnownTypes(datav1alpha1.GroupVersion, &datav1alpha1.JindoRuntime{}, &datav1alpha1.Dataset{})
+	_ = corev1.AddToScheme(s)
+
+	engine := JindoCacheEngine{
+		name:      "test",
+		namespace: "fluid",
+		Client:    fake.NewFakeClientWithScheme(s),
+		Log:       fake.NullLogger(),
+		runtime: &datav1alpha1.JindoRuntime{
+			Spec: datav1alpha1.JindoRuntimeSpec{
+				Fuse: datav1alpha1.JindoFuseSpec{},
+			},
+		},
+	}
+
+	dataset := &datav1alpha1.Dataset{
+		Spec: datav1alpha1.DatasetSpec{
+			Mounts: []datav1alpha1.Mount{{
+				MountPoint: "oss://bucket-a/data",
+				Name:       "mount-a",
+				Options: map[string]string{
+					"fs.oss.endpoint":        "oss-cn-shanghai.aliyuncs.com",
+					"fs.oss.accessKeyId":     "inline-ak",
+					"fs.oss.accessKeySecret": "inline-sk",
+				},
+			}},
+		},
+	}
+
+	value := &Jindo{}
+	if err := engine.transformMaster(engine.runtime, "/test", value, dataset, true); err != nil {
+		t.Fatalf("transformMaster() error = %v", err)
+	}
+
+	if got := value.Master.FileStoreProperties["jindocache.oss.bucket.bucket-a.endpoint"]; got != "oss-cn-shanghai.aliyuncs.com" {
+		t.Fatalf("expected bucket-a endpoint to be preserved, got %q", got)
+	}
+	if _, ok := value.Master.FileStoreProperties["jindocache.oss.bucket.bucket-a.accessKeyId"]; ok {
+		t.Fatalf("expected inline bucket-a accessKeyId to stay out of fileStoreProperties")
+	}
+	if _, ok := value.Master.FileStoreProperties["jindocache.oss.bucket.bucket-a.accessKeySecret"]; ok {
+		t.Fatalf("expected inline bucket-a accessKeySecret to stay out of fileStoreProperties")
+	}
+	if len(value.SecretProjections) != 0 {
+		t.Fatalf("expected no secret projections for inline credentials, got %d", len(value.SecretProjections))
+	}
+}
+
 func TestJindoEngine_transformMountpoint(t *testing.T) {
 	jindocacheSecret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{