You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2021/02/01 03:03:03 UTC
[GitHub] [pulsar] addisonj opened a new pull request #9387: [tiered-storage] Allow AWS credentials to be refreshed
addisonj opened a new pull request #9387:
URL: https://github.com/apache/pulsar/pull/9387
### Motivation
With the refactor of support azure, a regression occured where the AWS
credentials were fetched once and then used through the entire process.
This is a problem in AWS, where it is commonplace to use credentials
that expire.
### Modifications
The AWS credential provider chain takes care of this
problem, but when intgrating with JClouds, that means we need the
credential Supplier to return a new set of credentials each time.
Luckily, AWS should intelligently cache this so we aren't thrashing the
underlying credential mechanisms.
### Verifying this change
This also adds a test to ensure this isn't broken in the future, it does a simple validation to ensure that the underlying credentials can change via AWS SystemPropertyCredentialProvider
### Does this pull request potentially affect one of the following parts:
*If `yes` was chosen, please highlight the changes*
- Dependencies (does it add or upgrade a dependency): n
- The public API: n
- The schema: n
- The default values of configurations: n
- The wire protocol: n
- The rest endpoints: n
- The admin cli options: n
- Anything that affects deployment: n
### Documentation
- Does this pull request introduce a new feature? n
- If yes, how is the feature documented? N/A
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] sijie merged pull request #9387: [tiered-storage] Allow AWS credentials to be refreshed
Posted by GitBox <gi...@apache.org>.
sijie merged pull request #9387:
URL: https://github.com/apache/pulsar/pull/9387
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] jiazhai commented on pull request #9387: [tiered-storage] Allow AWS credentials to be refreshed
Posted by GitBox <gi...@apache.org>.
jiazhai commented on pull request #9387:
URL: https://github.com/apache/pulsar/pull/9387#issuecomment-770551406
@addisonj There is PR #9376 fix some flaky test, it would be good to rebase this branch with the latest master.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] Renkai commented on a change in pull request #9387: [tiered-storage] Allow AWS credentials to be refreshed
Posted by GitBox <gi...@apache.org>.
Renkai commented on a change in pull request #9387:
URL: https://github.com/apache/pulsar/pull/9387#discussion_r567549282
##########
File path: tiered-storage/jcloud/src/main/java/org/apache/bookkeeper/mledger/offload/jcloud/provider/JCloudBlobStoreProvider.java
##########
@@ -304,33 +305,40 @@ public ProviderMetadata getProviderMetadata() {
static final CredentialBuilder AWS_CREDENTIAL_BUILDER = (TieredStorageConfiguration config) -> {
if (config.getCredentials() == null) {
- AWSCredentials awsCredentials = null;
+ AWSCredentialsProvider authChain = null;
try {
if (Strings.isNullOrEmpty(config.getConfigProperty(S3_ROLE_FIELD))) {
- awsCredentials = DefaultAWSCredentialsProviderChain.getInstance().getCredentials();
+ authChain = DefaultAWSCredentialsProviderChain.getInstance();
} else {
- awsCredentials =
+ authChain =
new STSAssumeRoleSessionCredentialsProvider.Builder(
config.getConfigProperty(S3_ROLE_FIELD),
config.getConfigProperty(S3_ROLE_SESSION_NAME_FIELD)
- ).build().getCredentials();
- }
-
- if (awsCredentials instanceof AWSSessionCredentials) {
- // if we have session credentials, we need to send the session token
- // this allows us to support EC2 metadata credentials
- SessionCredentials sessionCredentials = SessionCredentials.builder()
- .accessKeyId(awsCredentials.getAWSAccessKeyId())
- .secretAccessKey(awsCredentials.getAWSSecretKey())
- .sessionToken(((AWSSessionCredentials) awsCredentials).getSessionToken())
- .build();
- config.setProviderCredentials(() -> sessionCredentials);
- } else {
- Credentials credentials = new Credentials(
- awsCredentials.getAWSAccessKeyId(), awsCredentials.getAWSSecretKey());
- config.setProviderCredentials(() -> credentials);
+ ).build();
}
+ // Important! Delay the building of actual credentials
+ // until later to support tokens that may be refreshed
+ // such as all session tokens
+ AWSCredentialsProvider finalAuthChain = authChain;
Review comment:
Why do we need a new variable `finalAuthChain` instead of reusing `authChain`?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] jiazhai commented on pull request #9387: [tiered-storage] Allow AWS credentials to be refreshed
Posted by GitBox <gi...@apache.org>.
jiazhai commented on pull request #9387:
URL: https://github.com/apache/pulsar/pull/9387#issuecomment-770543719
@gaoran10 @Renkai Would you please also help review this?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] jiazhai commented on pull request #9387: [tiered-storage] Allow AWS credentials to be refreshed
Posted by GitBox <gi...@apache.org>.
jiazhai commented on pull request #9387:
URL: https://github.com/apache/pulsar/pull/9387#issuecomment-770902018
/pulsarbot run-failure-checks
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] Renkai commented on a change in pull request #9387: [tiered-storage] Allow AWS credentials to be refreshed
Posted by GitBox <gi...@apache.org>.
Renkai commented on a change in pull request #9387:
URL: https://github.com/apache/pulsar/pull/9387#discussion_r567551289
##########
File path: tiered-storage/jcloud/src/main/java/org/apache/bookkeeper/mledger/offload/jcloud/provider/JCloudBlobStoreProvider.java
##########
@@ -304,33 +305,40 @@ public ProviderMetadata getProviderMetadata() {
static final CredentialBuilder AWS_CREDENTIAL_BUILDER = (TieredStorageConfiguration config) -> {
if (config.getCredentials() == null) {
- AWSCredentials awsCredentials = null;
+ AWSCredentialsProvider authChain = null;
Review comment:
```
final AWSCredentialsProvider authChain;
try {
if (Strings.isNullOrEmpty(config.getConfigProperty(S3_ROLE_FIELD))) {
authChain = DefaultAWSCredentialsProviderChain.getInstance();
} else {
authChain =
new STSAssumeRoleSessionCredentialsProvider.Builder(
config.getConfigProperty(S3_ROLE_FIELD),
config.getConfigProperty(S3_ROLE_SESSION_NAME_FIELD)
).build();
}
// Important! Delay the building of actual credentials
// until later to support tokens that may be refreshed
// such as all session tokens
config.setProviderCredentials(() -> {
AWSCredentials newCreds = authChain.getCredentials();
```
Maybe like this is better?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] Renkai commented on a change in pull request #9387: [tiered-storage] Allow AWS credentials to be refreshed
Posted by GitBox <gi...@apache.org>.
Renkai commented on a change in pull request #9387:
URL: https://github.com/apache/pulsar/pull/9387#discussion_r567552200
##########
File path: tiered-storage/jcloud/src/main/java/org/apache/bookkeeper/mledger/offload/jcloud/provider/JCloudBlobStoreProvider.java
##########
@@ -304,33 +305,40 @@ public ProviderMetadata getProviderMetadata() {
static final CredentialBuilder AWS_CREDENTIAL_BUILDER = (TieredStorageConfiguration config) -> {
if (config.getCredentials() == null) {
- AWSCredentials awsCredentials = null;
+ AWSCredentialsProvider authChain = null;
try {
if (Strings.isNullOrEmpty(config.getConfigProperty(S3_ROLE_FIELD))) {
- awsCredentials = DefaultAWSCredentialsProviderChain.getInstance().getCredentials();
+ authChain = DefaultAWSCredentialsProviderChain.getInstance();
} else {
- awsCredentials =
+ authChain =
new STSAssumeRoleSessionCredentialsProvider.Builder(
config.getConfigProperty(S3_ROLE_FIELD),
config.getConfigProperty(S3_ROLE_SESSION_NAME_FIELD)
- ).build().getCredentials();
- }
-
- if (awsCredentials instanceof AWSSessionCredentials) {
- // if we have session credentials, we need to send the session token
- // this allows us to support EC2 metadata credentials
- SessionCredentials sessionCredentials = SessionCredentials.builder()
- .accessKeyId(awsCredentials.getAWSAccessKeyId())
- .secretAccessKey(awsCredentials.getAWSSecretKey())
- .sessionToken(((AWSSessionCredentials) awsCredentials).getSessionToken())
- .build();
- config.setProviderCredentials(() -> sessionCredentials);
- } else {
- Credentials credentials = new Credentials(
- awsCredentials.getAWSAccessKeyId(), awsCredentials.getAWSSecretKey());
- config.setProviderCredentials(() -> credentials);
+ ).build();
}
+ // Important! Delay the building of actual credentials
+ // until later to support tokens that may be refreshed
+ // such as all session tokens
+ AWSCredentialsProvider finalAuthChain = authChain;
+ config.setProviderCredentials(() -> {
+ AWSCredentials newCreds = finalAuthChain.getCredentials();
+ Credentials jcloudCred = null;
+
+ if (newCreds instanceof AWSSessionCredentials) {
+ // if we have session credentials, we need to send the session token
+ // this allows us to support EC2 metadata credentials
+ jcloudCred = SessionCredentials.builder()
+ .accessKeyId(newCreds.getAWSAccessKeyId())
+ .secretAccessKey(newCreds.getAWSSecretKey())
+ .sessionToken(((AWSSessionCredentials) newCreds).getSessionToken())
+ .build();
+ } else {
+ jcloudCred = new Credentials(
Review comment:
Will we, or should we still go into this if branch in our new implementation?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org