[fs] Support AWS S3 credentials provider mode#3540
Conversation
|
@fresh-borzoni could you please help review this when you have time? Thanks! |
fresh-borzoni
left a comment
There was a problem hiding this comment.
@litiliu Thank you for the PR, looks good overall, couple of minor comments, PTAL
| import com.amazonaws.services.securitytoken.model.AssumeRoleResult; | ||
| import com.amazonaws.services.securitytoken.model.Credentials; | ||
| import com.amazonaws.services.securitytoken.model.GetSessionTokenResult; | ||
| import org.apache.commons.lang3.StringUtils; |
There was a problem hiding this comment.
commons-lang3 is only transitive here, shall we use org.apache.commons.lang3.StringUtils?
There was a problem hiding this comment.
Good point. I replaced org.apache.commons.lang3.StringUtils with Fluss's org.apache.fluss.utils.StringUtils, so we no longer rely on the transitive commons-lang3 dependency.
|
@fresh-borzoni Thanks for the review! I've addressed the comments, added the S3 credential-provider documentation, and rebased the branch onto the latest main. PTAL when you have time. |
fresh-borzoni
left a comment
There was a problem hiding this comment.
@litiliu Thank you, I've added small change in the docs for the use-case you added(otherwise it's only the note, so it's a bit weird), hope it's alright, merging.
Purpose
Closes #3493.
This PR adds a server-side AWS S3 credentials provider mode for the S3 filesystem. When
fs.s3a.aws.credentials.provideris explicitly configured in Fluss configuration, Fluss treats it as the authoritative server-side credential source instead of injecting the client delegated-token provider.This is intended for deployments that use standard AWS SDK/Hadoop S3A providers such as
com.amazonaws.auth.profile.ProfileCredentialsProvider, so rotated long-term credentials can be picked up by the provider without restarting Fluss servers.The full motivation and design discussion are in #3493. This PR description keeps the reviewer-facing summary and the final implemented behavior.
Brief change log
s3.aws.credentials.providers3a.aws.credentials.providerfs.s3a.aws.credentials.providerS3DelegationTokenProvidercan distinguish an explicit Fluss provider from Hadoop default resources.DynamicTemporaryAWSCredentialsProvider;fs.s3a.assumed.role.arn;Credential mode resolution:
Tests
mvn -pl fluss-filesystems/fluss-fs-s3 test -Dtest=S3FileSystemPluginTest,S3DelegationTokenProviderTestAdded/updated coverage for:
DynamicTemporaryAWSCredentialsProvider;DynamicTemporaryAWSCredentialsProviderfor server mode is rejected;API and Format
No public API or storage format changes.
The PR adds an internal Hadoop configuration marker under
fluss.fs.s3.aws.credentials.provider.explicitly.configured. It is not a user-facing option; it only carries whether the provider was explicitly configured through Fluss config.Documentation
No separate documentation update in this PR. The user-facing behavior and operational motivation are described in #3493.
Generative AI disclosure
AGENTS.mdguidance.