Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

HADOOP-19384. S3A: Add support for ProfileCredentialsProvider #7284

Open
wants to merge 6 commits into
base: trunk
Choose a base branch
from
+143 −1
Open

HADOOP-19384. S3A: Add support for ProfileCredentialsProvider #7284

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
cee3b68
HADOOP-19384: Add support for ProfileCredentialsProvider
Dec 5, 2024
303f92c
Fix imports in CredentialProviderListFactory
Jan 9, 2025
4f98399
Add ProfileAWSCredentialsProvider test
Feb 5, 2025
05b5295
Remove typo from core-default.xml
Feb 5, 2025
e62e1b9
Remove ProfileAWSCredentialsProvider from STANDARD_AWS_PROVIDERS
Feb 7, 2025
4da825c
Address review comments
Feb 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1442,6 +1442,7 @@
token binding it may be used
to communicate wih the STS endpoint to request session/role
credentials.
org.apache.hadoop.fs.s3a.auth.ProfileAWSCredentialsProvider is also supported, but is not enabled by default.
</description>
</property>

Expand Down
109 changes: 109 additions & 0 deletions ...hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/ProfileAWSCredentialsProvider.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,109 @@
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

package org.apache.hadoop.fs.s3a.auth;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

need the license...just copy from another class


import java.net.URI;
import java.nio.file.FileSystems;
import java.nio.file.Path;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import software.amazon.awssdk.auth.credentials.AwsCredentials;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

import ordering (should be)

java.

javax.

non-apache-stuff.

org.apache.

static everything
---

it's close but a bit mixed up...please fix

import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider;
import software.amazon.awssdk.profiles.ProfileFile;

import org.apache.commons.lang3.SystemUtils;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configuration;

@InterfaceAudience.Public
@InterfaceStability.Evolving
public class ProfileAWSCredentialsProvider extends AbstractAWSCredentialProvider {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if we should be logging at debug when the env vars are being used? Nothing secret will be logged and it could be useful.

private static final Logger LOG = LoggerFactory.getLogger(ProfileAWSCredentialsProvider.class);

public static final String NAME
= "org.apache.hadoop.fs.s3a.auth.ProfileAWSCredentialsProvider";

/** Conf setting for credentials file path*/
public static final String PROFILE_FILE = "fs.s3a.auth.profile.file";
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

add javadocs for these and the field at L25


/** Conf setting for profile name*/
public static final String PROFILE_NAME = "fs.s3a.auth.profile.name";

/** Environment variable for credentials file path*/
public static final String CREDENTIALS_FILE_ENV = "AWS_SHARED_CREDENTIALS_FILE";
/** Environment variable for profile name*/
public static final String PROFILE_ENV = "AWS_PROFILE";

private final ProfileCredentialsProvider pcp;

private static Path getCredentialsPath(Configuration conf) {
String credentialsFile = conf.get(PROFILE_FILE, null);
if (credentialsFile == null) {
credentialsFile = SystemUtils.getEnvironmentVariable(CREDENTIALS_FILE_ENV, null);
if (credentialsFile != null) {
LOG.info("Fetched credentials file path from environment variable");
}
}
else {
LOG.info("Fetched credentials file path from conf");
}
if (credentialsFile == null) {
LOG.info("Using default credentials file path");
return FileSystems.getDefault().getPath(SystemUtils.getUserHome().getPath(),".aws", "credentials");
}
else {
return FileSystems.getDefault().getPath(credentialsFile);
}
}

private static String getCredentialsName(Configuration conf) {
String profileName = conf.get(PROFILE_NAME, null);
if (profileName == null) {
profileName = SystemUtils.getEnvironmentVariable(PROFILE_ENV, null);
if (profileName == null) {
profileName = "default";
LOG.info("Using default profile name");
}
else {
LOG.info("Fetched profile name from environment variable");
}
}
else {
LOG.info("Fetched profile name from conf");
}
return profileName;
}

public ProfileAWSCredentialsProvider(URI uri, Configuration conf) {
super(uri, conf);
ProfileCredentialsProvider.Builder builder = ProfileCredentialsProvider.builder();
builder.profileName(getCredentialsName(conf))
.profileFile(ProfileFile.builder()
.content(getCredentialsPath(conf))
.type(ProfileFile.Type.CREDENTIALS)
.build());
pcp = builder.build();
}

public AwsCredentials resolveCredentials() {
return pcp.resolveCredentials();
}
}
34 changes: 33 additions & 1 deletion ...ools/hadoop-aws/src/test/java/org/apache/hadoop/fs/s3a/TestS3AAWSCredentialsProvider.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,8 +18,11 @@

package org.apache.hadoop.fs.s3a;

import java.io.IOException;
import java.io.BufferedWriter;
import java.io.File;
import java.io.FileWriter;
import java.io.InterruptedIOException;
import java.io.IOException;
import java.net.URI;
import java.nio.file.AccessDeniedException;
import java.util.ArrayList;
Expand Down Expand Up @@ -52,6 +55,7 @@
import org.apache.hadoop.fs.s3a.auth.CredentialProviderListFactory;
import org.apache.hadoop.fs.s3a.auth.IAMInstanceCredentialsProvider;
import org.apache.hadoop.fs.s3a.auth.NoAuthWithAWSException;
import org.apache.hadoop.fs.s3a.auth.ProfileAWSCredentialsProvider;
import org.apache.hadoop.fs.s3a.auth.delegation.CountInvocationsProvider;
import org.apache.hadoop.fs.s3a.impl.InstantiationIOException;
import org.apache.hadoop.fs.s3a.test.PublicDatasetTestUtils;
Expand Down Expand Up @@ -139,6 +143,34 @@ public void testInstantiationChain() throws Throwable {
assertCredentialProviders(expectedClasses, list);
}

@Test
public void testProfileAWSCredentialsProvider() throws Throwable {
Configuration conf = new Configuration(false);
conf.set(AWS_CREDENTIALS_PROVIDER, ProfileAWSCredentialsProvider.NAME);
File tempFile = File.createTempFile("testcred", ".conf", new File("target"));
tempFile.deleteOnExit();
try (FileWriter fileWriter = new FileWriter(tempFile); BufferedWriter bufferedWriter = new BufferedWriter(fileWriter)) {
bufferedWriter.write("[default]\n"
+ "aws_access_key_id = defaultaccesskeyid\n"
+ "aws_secret_access_key = defaultsecretkeyid\n");
bufferedWriter.write("[nondefault]\n"
+ "aws_access_key_id = nondefaultaccesskeyid\n"
+ "aws_secret_access_key = nondefaultsecretkeyid\n");
}
conf.set(ProfileAWSCredentialsProvider.PROFILE_FILE, tempFile.getAbsolutePath());
URI testUri = new URI("s3a://bucket1");
AWSCredentialProviderList list = createAWSCredentialProviderList(testUri, conf);
assertCredentialProviders(Collections.singletonList(ProfileAWSCredentialsProvider.class), list);
AwsCredentials credentials = list.resolveCredentials();
Assertions.assertThat(credentials.accessKeyId()).isEqualTo("defaultaccesskeyid");
Assertions.assertThat(credentials.secretAccessKey()).isEqualTo("defaultsecretkeyid");
conf.set(ProfileAWSCredentialsProvider.PROFILE_NAME, "nondefault");
list = createAWSCredentialProviderList(testUri, conf);
credentials = list.resolveCredentials();
Assertions.assertThat(credentials.accessKeyId()).isEqualTo("nondefaultaccesskeyid");
Assertions.assertThat(credentials.secretAccessKey()).isEqualTo("nondefaultsecretkeyid");
}

@Test
public void testDefaultChain() throws Exception {
URI uri1 = new URI("s3a://bucket1"), uri2 = new URI("s3a://bucket2");
Expand Down