HADOOP-16568. S3A FullCredentialsTokenBinding fails if local credentials are unset. (#1441)

Contributed by Steve Loughran. Move the loading to deployUnbonded (where they are required) and add a safety check when a new DT is requested
2020-06-03 17:07:00 +01:00 · 2020-06-03 17:07:00 +01:00 · 40d63e02f0
parent 97c98ce531
commit 40d63e02f0
1 changed files with 5 additions and 2 deletions
--- a/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/delegation/FullCredentialsTokenBinding.java
+++ b/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/delegation/FullCredentialsTokenBinding.java
@ -22,6 +22,8 @@ import java.io.IOException;
 import java.net.URI;
 import java.util.Optional;

+import com.google.common.base.Preconditions;
+
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.s3a.AWSCredentialProviderList;
 import org.apache.hadoop.fs.s3a.S3AUtils;
@ -73,7 +75,6 @@ public class FullCredentialsTokenBinding extends
  @Override
  protected void serviceStart() throws Exception {
    super.serviceStart();
-    loadAWSCredentials();
  }

  /**
@ -116,6 +117,7 @@ public class FullCredentialsTokenBinding extends
  @Override
  public AWSCredentialProviderList deployUnbonded() throws IOException {
    requireServiceStarted();
+    loadAWSCredentials();
    return new AWSCredentialProviderList(
        "Full Credentials Token Binding",
        new MarshalledCredentialProvider(
@ -142,7 +144,8 @@ public class FullCredentialsTokenBinding extends
      final EncryptionSecrets encryptionSecrets,
      final Text renewer) throws IOException {
    requireServiceStarted();
-
+    Preconditions.checkNotNull(
+        awsCredentials, "No AWS credentials to use for a delegation token");
    return new FullCredentialsTokenIdentifier(getCanonicalUri(),
        getOwnerText(),
        renewer,