HADOOP-16470. Make last AWS credential provider in default auth chain EC2ContainerCredentialsProviderWrapper.

Contributed by Steve Loughran.

Contains HADOOP-16471. Restore (documented) fs.s3a.SharedInstanceProfileCredentialsProvider.

Change-Id: I06b99b57459cac80bf743c5c54f04e59bb54c2f8
This commit is contained in:
Steve Loughran 2019-08-22 17:23:58 +01:00
parent 69ddb36876
commit 61b2df2331
No known key found for this signature in database
GPG Key ID: D22CF846DBB162A0
4 changed files with 68 additions and 18 deletions

View File

@ -1092,8 +1092,8 @@
configuration of AWS access key ID and secret access key in configuration of AWS access key ID and secret access key in
environment variables named AWS_ACCESS_KEY_ID and environment variables named AWS_ACCESS_KEY_ID and
AWS_SECRET_ACCESS_KEY, as documented in the AWS SDK. AWS_SECRET_ACCESS_KEY, as documented in the AWS SDK.
* com.amazonaws.auth.InstanceProfileCredentialsProvider: supports use * org.apache.hadoop.fs.s3a.auth.IAMInstanceCredentialsProvider: picks up
of instance profile credentials if running in an EC2 VM. IAM credentials of any EC2 VM or AWS container in which the process is running.
</description> </description>
</property> </property>

View File

@ -0,0 +1,44 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.hadoop.fs.s3a;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.fs.s3a.auth.IAMInstanceCredentialsProvider;
import org.apache.hadoop.fs.s3a.auth.NoAwsCredentialsException;
/**
* This credential provider has jittered between existing and non-existing,
* but it turns up in documentation enough that it has been restored.
* It extends {@link IAMInstanceCredentialsProvider} to pick up its
* bindings, which are currently to use the
* {@code EC2ContainerCredentialsProviderWrapper} class for IAM and container
* authentication.
* <p>
* When it fails to authenticate, it raises a
* {@link NoAwsCredentialsException} which can be recognized by retry handlers
* as a non-recoverable failure.
* <p>
* It is implicitly public; marked evolving as we can change its semantics.
*/
@InterfaceAudience.Public
@InterfaceStability.Evolving
public final class SharedInstanceCredentialProvider extends
IAMInstanceCredentialsProvider {
}

View File

@ -24,38 +24,44 @@ import java.io.IOException;
import com.amazonaws.AmazonClientException; import com.amazonaws.AmazonClientException;
import com.amazonaws.auth.AWSCredentials; import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider; import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.InstanceProfileCredentialsProvider; import com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper;
import org.apache.hadoop.classification.InterfaceAudience; import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability; import org.apache.hadoop.classification.InterfaceStability;
/** /**
* This is going to be an IAM credential provider which performs * This is an IAM credential provider which wraps
* async refresh for lower-latency on IO calls. * an {@code EC2ContainerCredentialsProviderWrapper}
* Initially it does not do this, simply shares the single IAM instance * to provide credentials when the S3A connector is instantiated on AWS EC2
* across all instances. This makes it less expensive to declare. * or the AWS container services.
* * <p>
* When it fails to authenticate, it raises a
* {@link NoAwsCredentialsException} which can be recognized by retry handlers
* as a non-recoverable failure.
* <p>
* It is implicitly public; marked evolving as we can change its semantics.
*/ */
@InterfaceAudience.Private @InterfaceAudience.Public
@InterfaceStability.Unstable @InterfaceStability.Evolving
public class IAMInstanceCredentialsProvider public class IAMInstanceCredentialsProvider
implements AWSCredentialsProvider, Closeable { implements AWSCredentialsProvider, Closeable {
private static final InstanceProfileCredentialsProvider INSTANCE = private final AWSCredentialsProvider provider =
InstanceProfileCredentialsProvider.getInstance(); new EC2ContainerCredentialsProviderWrapper();
public IAMInstanceCredentialsProvider() { public IAMInstanceCredentialsProvider() {
} }
/** /**
* Ask for the credentials. * Ask for the credentials.
* as it invariably means "you aren't running on EC2" * Failure invariably means "you aren't running in an EC2 VM or AWS container".
* @return the credentials * @return the credentials
* @throws NoAwsCredentialsException on auth failure to indicate non-recoverable.
*/ */
@Override @Override
public AWSCredentials getCredentials() { public AWSCredentials getCredentials() {
try { try {
return INSTANCE.getCredentials(); return provider.getCredentials();
} catch (AmazonClientException e) { } catch (AmazonClientException e) {
throw new NoAwsCredentialsException("IAMInstanceCredentialsProvider", throw new NoAwsCredentialsException("IAMInstanceCredentialsProvider",
e.getMessage(), e.getMessage(),
@ -65,11 +71,11 @@ public class IAMInstanceCredentialsProvider
@Override @Override
public void refresh() { public void refresh() {
INSTANCE.refresh(); provider.refresh();
} }
@Override @Override
public void close() throws IOException { public void close() throws IOException {
// until async, no-op. // no-op.
} }
} }

View File

@ -539,8 +539,8 @@ This means that the default S3A authentication chain can be defined as
configuration of AWS access key ID and secret access key in configuration of AWS access key ID and secret access key in
environment variables named AWS_ACCESS_KEY_ID and environment variables named AWS_ACCESS_KEY_ID and
AWS_SECRET_ACCESS_KEY, as documented in the AWS SDK. AWS_SECRET_ACCESS_KEY, as documented in the AWS SDK.
* com.amazonaws.auth.InstanceProfileCredentialsProvider: supports use * org.apache.hadoop.fs.s3a.auth.IAMInstanceCredentialsProvider: picks up
of instance profile credentials if running in an EC2 VM. IAM credentials of any EC2 VM or AWS container in which the process is running.
</description> </description>
</property> </property>
``` ```