Posted to common-issues@hadoop.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2022/09/12 13:11:00 UTC
[jira] [Commented] (HADOOP-16806) AWS AssumedRoleCredentialProvider needs ExternalId add
[ https://issues.apache.org/jira/browse/HADOOP-16806?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17603077#comment-17603077 ]
ASF GitHub Bot commented on HADOOP-16806:
-----------------------------------------
jmahonin commented on PR #4753:
URL: https://github.com/apache/hadoop/pull/4753#issuecomment-1243718041
Is there anything left to do on this PR @steveloughran ?
> AWS AssumedRoleCredentialProvider needs ExternalId add
> ------------------------------------------------------
>
> Key: HADOOP-16806
> URL: https://issues.apache.org/jira/browse/HADOOP-16806
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: fs/s3
> Affects Versions: 3.2.1
> Reporter: Jon Hartlaub
> Priority: Minor
> Labels: pull-request-available
>
> AWS has added a security feature to the assume-role function in the form of the "ExternalId" key in the AWS Java SDK {{STSAssumeRoleSessionCredentialsProvider.Builder}} class. To support this security feature, the hadoop-aws {{AssumedRoleCredentialProvider}} needs a patch to include this value from the configuration, as well as an added constant in the {{org.apache.hadoop.fs.s3a.Constants}} file.
> The ExternalId is not a required security feature; it is an augmentation of the current assume-role configuration.
> Proposed:
> * Get the assume-role ExternalId token from the configuration for the configuration key {{fs.s3a.assumed.role.externalid}}
> * Use the configured ExternalId value in the {{STSAssumeRoleSessionCredentialsProvider.Builder}}
> e.g.
> {code:java}
> if (StringUtils.isNotEmpty(externalId)) {
>   builder.withExternalId(externalId); // include the token for cross-account assume role
> }
> {code}
> Tests:
> * +Unit test+ which verifies the ExternalId state value of the {{AssumedRoleCredentialProvider}} is consistent with the configured value - either empty or populated
> * Question: not sure about how to write the +integration test+ for this feature. We have an account configured for this use-case that verifies this feature but I don't have much context on the Hadoop project AWS S3 integration tests, perhaps a pointer could help.
>
>
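As an added example, not code from PR #4753 or the Hadoop project: a small Java class showing how the proposed key could be read from a Hadoop Configuration and applied to the AWS SDK v1 builder only when set, together with the consistency check the description's unit test asks for. The class name, the constant name, the role ARN and the session name are assumptions or placeholders; the configuration key is the one proposed in the issue.

```java
import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.conf.Configuration;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;

/** Constructed example: wire fs.s3a.assumed.role.externalid into the STS builder. */
public final class AssumedRoleExternalIdExample {

  // Key as proposed in the issue; the constant name itself is an assumption, not Hadoop's.
  public static final String ASSUMED_ROLE_EXTERNAL_ID = "fs.s3a.assumed.role.externalid";

  /** Reads the external ID; whitespace-only values count as unset. Returns "" when unset. */
  public static String externalIdFrom(Configuration conf) {
    return conf.getTrimmed(ASSUMED_ROLE_EXTERNAL_ID, "");
  }

  /**
   * Applies the external ID to the builder only when configured, mirroring the
   * conditional in the issue. Returns the value applied ("" when none) so a unit
   * test can compare the provider's state against the configuration.
   */
  public static String applyExternalId(Configuration conf,
      STSAssumeRoleSessionCredentialsProvider.Builder builder) {
    String externalId = externalIdFrom(conf);
    if (StringUtils.isNotEmpty(externalId)) {
      builder.withExternalId(externalId); // token the target account's trust policy expects
    }
    return externalId;
  }

  public static void main(String[] args) {
    // Constructed inputs: placeholder role ARN and session name; build() is never called.
    STSAssumeRoleSessionCredentialsProvider.Builder builder =
        new STSAssumeRoleSessionCredentialsProvider.Builder(
            "arn:aws:iam::000000000000:role/example-role", "s3a-example-session");

    Configuration withId = new Configuration(false);
    withId.set(ASSUMED_ROLE_EXTERNAL_ID, "  example-external-id  ");
    String applied = applyExternalId(withId, builder);
    if (!"example-external-id".equals(applied)) {
      throw new AssertionError("expected trimmed external id, got '" + applied + "'");
    }

    Configuration without = new Configuration(false);
    if (!applyExternalId(without, builder).isEmpty()) {
      throw new AssertionError("external id must stay unset when not configured");
    }
    System.out.println("external id handling is consistent with the configuration");
  }
}
```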
--
This message was sent by Atlassian Jira
(v8.20.10#820010)