@LDVSOFT LDVSOFT commented Sep 15, 2025

Description of PR

URIBuilder was used from the AWS SDK for Java v2, to be precise from the shaded Apache HTTP Client. It is a problem if a user would like not to use the AWS SDK bundle, since more or less only 3 modules are needed (s3, s3-transfer & sts), but that may cause problems on unshaded dependency versions. Since a URI constructor can achieve the same here I switched it as a preferred option.

How was this patch tested?

I've run the test suite against a eu-west-1 bucket, without scaling/load since the change shouldn't affect that. To be exact, with something like this:

auth-keys.xml
<configuration>
<property>
    <name>test.fs.s3a.name</name>
    <value>s3a://hadoop-test-‹edited›</value>
</property>

<property>
    <name>test.fs.s3a.encryption.enabled</name>
    <value>false</value>
    <description>Don't wanna</description>
</property>

<property>
    <name>test.fs.s3a.create.acl.enabled</name>
    <value>false</value>
    <description>disabled on server</description>
</property>

<property>
    <name>fs.s3a.endpoint.region</name>
    <value>eu-west-1</value>
</property>

<property>
    <name>fs.s3a.assumed.role.sts.endpoint.region</name>
    <value>eu-west-1</value>
</property>

<property>
    <name>test.sts.endpoint</name>
    <description>Specific endpoint to use for STS requests.</description>
    <value>sts.eu-west-1.amazonaws.com</value>
</property>

<property>
    <name>fs.s3a.assumed.role.sts.endpoint</name>
    <value>${test.sts.endpoint}</value>
</property>

<property>
    <name>fs.contract.test.fs.s3a</name>
    <value>${test.fs.s3a.name}</value>
</property>

<property>
    <!-- Runs under aws-vault --no-session -->
    <name>fs.s3a.aws.credentials.provider</name>
    <value>software.amazon.awssdk.auth.credentials.EnvironmentVariableCredentialsProvider</value>
</property>

<property>
    <!-- Runs under aws-vault --no-session -->
    <name>fs.s3a.assumed.role.credentials.provider</name>
    <value>software.amazon.awssdk.auth.credentials.EnvironmentVariableCredentialsProvider</value>
</property>

<property>
    <name>fs.s3a.assumed.role.arn</name>
    <value>arn:aws:iam::‹edited›:role/hadoop_test_role_‹edited›</value>
</property>

<!-- is there a typo in the docs? -->
<property>
    <name>fs.s3a.delegation.token.endpoint</name>
    <value>${fs.s3a.assumed.role.sts.endpoint}</value>
</property>
</configuration>

Almost all tests pass:

  • I wasn't able to make ITestDelegatedMRJob work. They probably clean out environment somewhere and my environment-provided AWS credentials didn't work. Also it looks parametrized, and I can't tell from the Surefire/Failsafe reports which causes a problem.
  • ITestRoleDelegationInFilesystem/ITestSessionDelegationInFilesystem fail a bit in missmatch2, but I'm really unfamiliar with credentials delegation. Probably lost environment variables on its way?
  • Sometimes ITestS3APrefetchingInputStream fails with 0 size.
  • To be honest those also don't work for me on trunk!

Given that other tests pass and the scope of the change I think it's fine, and the problem is my test setup misconfiguration. If you know how to fix the setup — I can rerun with some other options.

Also, I've found this bug while repackaging Spark for a local K8S deployment, and with this fix STS configuration options work even if I do replace AWS SDK bundle with only required SDK modules.

For code changes:

  • Does the title of this PR start with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
  • Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
  • If applicable, have you updated the LICENSE, LICENSE-binary, NOTICE-binary files?

Sign-off

I give a license to the Apache Software Foundation to use this code, as required under §5 of the Apache License.

P.S.

Re-opened from #7483 where there was a review by @steveloughran.

URIBuilder was used from the AWS SDK for Java v2, to be precise from the
shaded Apache HTTP Client. It is a problem if a user would like not to
use the AWS SDK bundle, since more or less only 3 modules are needed
(s3, s3-transfer & sts), but that may cause problems on unshaded
dependency versions. Since a URI constructor can achieve the same here I
switched it as a preferred option.
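
An added example, not code from this PR or from Hadoop: building the HTTPS endpoint URI for a bare STS hostname with the JDK's `java.net.URI` constructor, so no shaded `URIBuilder` is needed. The class and method names are hypothetical, and rejecting any value that is not a bare hostname is an assumption of this example rather than something the PR states.

```java
import java.net.URI;
import java.net.URISyntaxException;

/** Hypothetical helper for illustration; not Hadoop's STSClientFactory. */
public final class StsEndpointUri {

  private StsEndpointUri() {
  }

  /** Build https://host from a bare hostname using only the JDK. */
  public static URI toHttpsUri(String endpoint) {
    if (endpoint == null || endpoint.trim().isEmpty()) {
      throw new IllegalArgumentException("STS endpoint is empty");
    }
    String host = endpoint.trim();
    URI uri;
    try {
      // JDK constructor: (scheme, host, path, fragment).
      uri = new URI("https", host, null, null);
    } catch (URISyntaxException e) {
      throw new IllegalArgumentException("Not a valid hostname: " + host, e);
    }
    // Assumption of this example: only a bare host is acceptable. The
    // constructor appends the host argument as given, so "user@host" or
    // "host/path" would parse into a URI whose host differs from the input.
    if (!host.equalsIgnoreCase(uri.getHost())) {
      throw new IllegalArgumentException("Endpoint must be a bare hostname: " + host);
    }
    return uri;
  }

  public static void main(String[] args) {
    // Constructed sample inputs; the first is the STS endpoint from the
    // test configuration in the PR description.
    String[] samples = {
        "sts.eu-west-1.amazonaws.com",
        "https://sts.eu-west-1.amazonaws.com",
        "sts.example.invalid/path",
        "user@sts.example.invalid"};
    for (String s : samples) {
      try {
        System.out.println(s + " -> " + toHttpsUri(s));
      } catch (IllegalArgumentException e) {
        System.out.println(s + " -> rejected: " + e.getMessage());
      }
    }
  }
}
```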
@hadoop-yetus

💔 -1 overall

Vote Subsystem Runtime Logfile Comment
+0 🆗 reexec 8m 45s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+0 🆗 codespell 0m 0s codespell was not available.
+0 🆗 detsecrets 0m 0s detect-secrets was not available.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
-1 ❌ test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
_ trunk Compile Tests _
+1 💚 mvninstall 34m 25s trunk passed
+1 💚 compile 0m 28s trunk passed with JDK Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04
+1 💚 compile 0m 25s trunk passed with JDK Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09
+1 💚 checkstyle 0m 23s trunk passed
+1 💚 mvnsite 0m 30s trunk passed
+1 💚 javadoc 0m 29s trunk passed with JDK Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04
+1 💚 javadoc 0m 24s trunk passed with JDK Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09
+1 💚 spotbugs 0m 49s trunk passed
+1 💚 shadedclient 21m 29s branch has no errors when building and testing our client artifacts.
_ Patch Compile Tests _
+1 💚 mvninstall 0m 18s the patch passed
+1 💚 compile 0m 23s the patch passed with JDK Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04
+1 💚 javac 0m 23s the patch passed
+1 💚 compile 0m 17s the patch passed with JDK Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09
+1 💚 javac 0m 17s the patch passed
+1 💚 blanks 0m 0s The patch has no blanks issues.
+1 💚 checkstyle 0m 14s the patch passed
+1 💚 mvnsite 0m 22s the patch passed
+1 💚 javadoc 0m 19s the patch passed with JDK Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04
+1 💚 javadoc 0m 19s the patch passed with JDK Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09
+1 💚 spotbugs 0m 45s the patch passed
+1 💚 shadedclient 21m 27s patch has no errors when building and testing our client artifacts.
_ Other Tests _
+1 💚 unit 2m 32s hadoop-aws in the patch passed.
+1 💚 asflicense 0m 27s The patch does not generate ASF License warnings.
96m 27s
Subsystem Report/Notes
Docker ClientAPI=1.51 ServerAPI=1.51 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7966/1/artifact/out/Dockerfile
GITHUB PR #7966
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient spotbugs checkstyle codespell detsecrets
uname Linux 119e93a3aae9 5.15.0-143-generic #153-Ubuntu SMP Fri Jun 13 19:10:45 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/bin/hadoop.sh
git revision trunk / e000b6a
Default Java Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09
Multi-JDK versions /usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09
Test Results https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7966/1/testReport/
Max. process+thread count 555 (vs. ulimit of 5500)
modules C: hadoop-tools/hadoop-aws U: hadoop-tools/hadoop-aws
Console output https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7966/1/console
versions git=2.25.1 maven=3.6.3 spotbugs=4.2.2
Powered by Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.


LDVSOFT commented Sep 15, 2025

Oh hey, way better CI luck this time around :)


@steveloughran steveloughran left a comment


+1

@steveloughran steveloughran changed the title HADOOP-19282. STSClientFactory: do not use URIBuilder HADOOP-19282. S3A: STSClientFactory: do not use URIBuilder Oct 1, 2025
@steveloughran steveloughran merged commit d115595 into apache:trunk Oct 1, 2025
1 of 3 checks passed
@steveloughran

@LDVSOFT thanks for this -we never want to make those shaded libraries mandatory. If you can sort out the classpath of a leaner deployment -well done!

Those test failures showed you were running them...the prefetch one fails regularly for me too.

The PR is merged to trunk. If you do a cherrypick PR and retest against branch-3.4 I will merge there too.

@steveloughran

also, have you an asf JIRA ID to assign the fix to you there? If not: request one and tell me what it is.


LDVSOFT commented Oct 2, 2025

@steveloughran You're welcome!

About leaner classpath: there are pros and cons. S3A, as far as I see, really only needs AWS SDK modules for s3, s3-manager, sts and whatever those would pull (core, sync/async clients, etc), however since dependencies of those aren't shaded, like in bundle, it may cause other problems I can't recommend to anyone outside as of now (as of now I don't trust Maven to handle this complexity 🤫). Also there is some noise as it seems implementation would prefer a particular good async http client, but don't quote me on that…

Will cherry-pick for 3.4.

I'm not familiar with Jira to understand what ID you mean here, but my username is LDVSoft.

LDVSOFT added a commit to LDVSOFT/hadoop that referenced this pull request Oct 2, 2025
URIBuilder was used from the AWS SDK for Java v2, from the
shaded Apache HTTP Client. 

It is a problem if a user would like not to
use the AWS SDK bundle, since more or less only 3 modules are needed
(s3, s3-transfer & sts), but that may cause problems on unshaded
dependency versions. Since a URI constructor can achieve the same here I
switched it as a preferred option.

Contributed by Lapshin Dmitry
@steveloughran

@LDVSOFT the reason we use the big jar is just that historically it's been so brittle to things like the version of jackson, httpclient and more -so using the unshaded artifacts would put the SDK in charge of defining the versions of those artifacts for everything.

regarding JIRA ID, your username is what I meant -you are now listed as the author of the patch there.

steveloughran pushed a commit that referenced this pull request Oct 2, 2025
URIBuilder was used from the AWS SDK for Java v2, from the
shaded Apache HTTP Client. 

It is a problem if a user would like not to
use the AWS SDK bundle, since more or less only 3 modules are needed
(s3, s3-transfer & sts), but that may cause problems on unshaded
dependency versions. Since a URI constructor can achieve the same here I
switched it as a preferred option.

Contributed by Lapshin Dmitry
@LDVSOFT LDVSOFT deleted the aws-dont-depend-on-aws-bundle-shaded-uri-builder branch October 3, 2025 10:47