Skip to content

Commit

Permalink
[tiered-storage] Allow AWS credentials to be refreshed
Browse files Browse the repository at this point in the history 
With the refactor of support azure, a regression occured where the AWS
credentials were fetched once and then used through the entire process.

This is a problem in AWS, where it is commonplace to use credentials
that expire. The AWS credential provider chain takes care of this
problem, but when intgrating with JClouds, that means we need the
credential Supplier to return a new set of credentials each time.

Luckily, AWS should intelligently cache this so we aren't thrashing the
underlying credential mechanisms.

This also adds a test to ensure this isn't broken in the future
  • Loading branch information
@addisonj
addisonj committed Feb 1, 2021
1 parent 0edcaa0 commit 5180dbb
Show file tree
Hide file tree
Showing 2 changed files with 60 additions and 42 deletions.
48 changes: 28 additions & 20 deletions ...n/java/org/apache/bookkeeper/mledger/offload/jcloud/provider/JCloudBlobStoreProvider.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@
import static org.apache.bookkeeper.mledger.offload.jcloud.provider.TieredStorageConfiguration.S3_ROLE_SESSION_NAME_FIELD;

import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSSessionCredentials;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
Expand Down Expand Up @@ -304,33 +305,40 @@ public ProviderMetadata getProviderMetadata() {

static final CredentialBuilder AWS_CREDENTIAL_BUILDER = (TieredStorageConfiguration config) -> {
if (config.getCredentials() == null) {
AWSCredentials awsCredentials = null;
AWSCredentialsProvider authChain = null;
try {
if (Strings.isNullOrEmpty(config.getConfigProperty(S3_ROLE_FIELD))) {
awsCredentials = DefaultAWSCredentialsProviderChain.getInstance().getCredentials();
authChain = DefaultAWSCredentialsProviderChain.getInstance();
} else {
awsCredentials =
authChain =
new STSAssumeRoleSessionCredentialsProvider.Builder(
config.getConfigProperty(S3_ROLE_FIELD),
config.getConfigProperty(S3_ROLE_SESSION_NAME_FIELD)
).build().getCredentials();
}

if (awsCredentials instanceof AWSSessionCredentials) {
// if we have session credentials, we need to send the session token
// this allows us to support EC2 metadata credentials
SessionCredentials sessionCredentials = SessionCredentials.builder()
.accessKeyId(awsCredentials.getAWSAccessKeyId())
.secretAccessKey(awsCredentials.getAWSSecretKey())
.sessionToken(((AWSSessionCredentials) awsCredentials).getSessionToken())
.build();
config.setProviderCredentials(() -> sessionCredentials);
} else {
Credentials credentials = new Credentials(
awsCredentials.getAWSAccessKeyId(), awsCredentials.getAWSSecretKey());
config.setProviderCredentials(() -> credentials);
).build();
}

// Important! Delay the building of actual credentials
// until later to support tokens that may be refreshed
// such as all session tokens
AWSCredentialsProvider finalAuthChain = authChain;
config.setProviderCredentials(() -> {
AWSCredentials newCreds = finalAuthChain.getCredentials();
Credentials jcloudCred = null;

if (newCreds instanceof AWSSessionCredentials) {
// if we have session credentials, we need to send the session token
// this allows us to support EC2 metadata credentials
jcloudCred = SessionCredentials.builder()
.accessKeyId(newCreds.getAWSAccessKeyId())
.secretAccessKey(newCreds.getAWSSecretKey())
.sessionToken(((AWSSessionCredentials) newCreds).getSessionToken())
.build();
} else {
jcloudCred = new Credentials(
newCreds.getAWSAccessKeyId(), newCreds.getAWSSecretKey());
}
return jcloudCred;
});
} catch (Exception e) {
// allowed, some mock s3 service do not need credential
log.warn("Exception when get credentials for s3 ", e);
Expand Down Expand Up @@ -391,4 +399,4 @@ public ProviderMetadata getProviderMetadata() {
config.setProviderCredentials(() -> credentials);
};

}
}
54 changes: 32 additions & 22 deletions ...rg/apache/bookkeeper/mledger/offload/jcloud/provider/TieredStorageConfigurationTests.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,9 @@
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.pulsar.jcloud.shade.com.google.common.base.Supplier;

import org.jclouds.domain.Credentials;
import org.testng.annotations.Test;

public class TieredStorageConfigurationTests {
Expand Down Expand Up @@ -113,7 +115,36 @@ public final void awsS3BackwardCompatiblePropertiesTest() {
assertEquals(config.getReadBufferSizeInBytes(), new Integer(500));
assertEquals(config.getServiceEndpoint(), "http://some-url:9093");
}


/**
* Confirm that with AWS we create different instances of the credentials
* object each time we call the supplier, this ensure that we get fresh credentials
* if the aws credential provider changes
*/
@Test
public final void awsS3CredsProviderTest() {
Map<String, String> map = new HashMap<>();
map.put(TieredStorageConfiguration.BLOB_STORE_PROVIDER_KEY, JCloudBlobStoreProvider.AWS_S3.getDriver());
TieredStorageConfiguration config = new TieredStorageConfiguration(map);

// set the aws properties with fake creds so the defaultProviderChain works
System.setProperty("aws.accessKeyId", "fakeid1");
System.setProperty("aws.secretKey", "fakekey1");
Credentials creds1 = config.getProviderCredentials().get();
assertEquals(creds1.identity, "fakeid1");
assertEquals(creds1.credential, "fakekey1");

// reset the properties and ensure we get different values by re-evaluating the chain
System.setProperty("aws.accessKeyId", "fakeid2");
System.setProperty("aws.secretKey", "fakekey2");
Credentials creds2 = config.getProviderCredentials().get();
assertEquals(creds2.identity, "fakeid2");
assertEquals(creds2.credential, "fakekey2");

System.clearProperty("aws.accessKeyId");
System.clearProperty("aws.secretKey");
}

/**
* Confirm that both property options are available for GCS
*/
Expand Down Expand Up @@ -177,25 +208,4 @@ public final void gcsBackwardCompatiblePropertiesTest() {
assertEquals(config.getMaxBlockSizeInBytes(), new Integer(12));
assertEquals(config.getReadBufferSizeInBytes(), new Integer(500));
}

/**
* Confirm that we can configure AWS using the old properties
*/
@Test
public final void s3BackwardCompatiblePropertiesTest() {
Map<String, String> map = new HashMap<String,String>();
map.put(TieredStorageConfiguration.BLOB_STORE_PROVIDER_KEY, JCloudBlobStoreProvider.AWS_S3.getDriver());
map.put(BC_S3_BUCKET, "test bucket");
map.put(BC_S3_ENDPOINT, "http://some-url:9093");
map.put(BC_S3_MAX_BLOCK_SIZE, "12");
map.put(BC_S3_READ_BUFFER_SIZE, "500");
map.put(BC_S3_REGION, "test region");
TieredStorageConfiguration config = new TieredStorageConfiguration(map);

assertEquals(config.getRegion(), "test region");
assertEquals(config.getBucket(), "test bucket");
assertEquals(config.getMaxBlockSizeInBytes(), new Integer(12));
assertEquals(config.getReadBufferSizeInBytes(), new Integer(500));
assertEquals(config.getServiceEndpoint(), "http://some-url:9093");
}
}

0 comments on commit 5180dbb

Please sign in to comment.