[tiered-storage] Add support for AWS instance and role creds #4433
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
merlimat
added
the
type/enhancement
|
run integration tests |
|
the integration test passes locally, the failure was in the offloader test though, so it is possible there is some race condition this slightly introduces? Running them again to see if that is the case... |
sijie
approved these changes
Jun 1, 2019
added 2 commits
June 1, 2019 09:15
This commit makes changes to the tiered storage support for S3 to allow for support of ec2 metadata instance credentials as well as additional config options for assuming a role to get credentials. This works by changing the way we provide credentials to use the funtional `Supplier` interface and for using the AWS specific `SessionCredentials` object for when we detect that the `CredentialProvider` is providing credentials that have a session token.
This changes the s3 handling slightly, instead of falling back to static credentials, we instead now fail if no s3 credentials can be found and change the unit tests to start a broker with s3 credentials. With the new Supplier API, we now fetch credentials on every request. Because of this, the failure and subsequent try/catch is costly and the integration tests were using this, which caused them to be significantly slower. Instead, we just check to see if we can fetch creds, and if we can't consider it an error condition to exit the app as it is unlikely in a production scenario to not have some credentials.
|
I wasn't fully understanding how the integration tests work by needing to bake a new container first, so I wasn't actually testing this changeset! I found the issue, which was that the try/catch that the unit tests relied on were causing the tests to be massively slower. Added a new commit, which just changes this to ensure we have credentials on boot and then changes the tests to include some static credentials. This could technically be a breaking change if someone in production is using s3/s3-compatible storage without credentials, but that seems somewhat unlikely and is easy worked around by provided some fake static credentials, and this seems like the cleaner choice rather than a warning and not having offloading work as expected. |
|
okay, was also able to get this deployed to a dev cluster and was able to validate it working with ec2 instance credentials, so assuming I got all the tests fixed, I think this should be good to go |
|
run java8 tests |
gaoran10
added a commit
to gaoran10/pulsar
that referenced
this pull request
Nov 19, 2020
1. PR 4196 (2019/5/29 Merli) Configure static PulsarByteBufAllocator to handle OOM errors (apache#4196) 2. PR 5356 (2019/10/30 Kelly) [TIEREDSTORAGE] Only seek when reading unexpected entry (apache#5356) 3. PR 4433 (2019/6/4 Higham) [tiered-storage] Add support for AWS instance and role creds (apache#4433)
gaoran10
added a commit
to gaoran10/pulsar
that referenced
this pull request
Nov 20, 2020
1. PR 4196 (2019/5/29 Merli) Configure static PulsarByteBufAllocator to handle OOM errors (apache#4196) 2. PR 5356 (2019/10/30 Kelly) [TIEREDSTORAGE] Only seek when reading unexpected entry (apache#5356) 3. PR 4433 (2019/6/4 Higham) [tiered-storage] Add support for AWS instance and role creds (apache#4433)
codelipenghui
pushed a commit
that referenced
this pull request
Nov 21, 2020
# Motivation The PR #6335 lost some PR changes, related PRs as below. 1. PR 4196 (2019/5/29 Merli) Configure static PulsarByteBufAllocator to handle OOM errors (#4196) 2. PR 5356 (2019/10/30 Kelly) [TIEREDSTORAGE] Only seek when reading unexpected entry (#5356) 3. PR 4433 (2019/6/4 Higham) [tiered-storage] Add support for AWS instance and role creds (#4433)
codelipenghui
pushed a commit
that referenced
this pull request
Nov 21, 2020
# Motivation The PR #6335 lost some PR changes, related PRs as below. 1. PR 4196 (2019/5/29 Merli) Configure static PulsarByteBufAllocator to handle OOM errors (#4196) 2. PR 5356 (2019/10/30 Kelly) [TIEREDSTORAGE] Only seek when reading unexpected entry (#5356) 3. PR 4433 (2019/6/4 Higham) [tiered-storage] Add support for AWS instance and role creds (#4433) (cherry picked from commit 68759ff)
codelipenghui
referenced
this pull request
in streamnative/pulsar-archived
Nov 21, 2020
…ache#8630) # Motivation The PR apache#6335 lost some PR changes, related PRs as below. 1. PR 4196 (2019/5/29 Merli) Configure static PulsarByteBufAllocator to handle OOM errors (#4196) 2. PR 5356 (2019/10/30 Kelly) [TIEREDSTORAGE] Only seek when reading unexpected entry (#5356) 3. PR 4433 (2019/6/4 Higham) [tiered-storage] Add support for AWS instance and role creds (#4433) (cherry picked from commit 68759ff) (cherry picked from commit 8793963)
codelipenghui
referenced
this pull request
in streamnative/pulsar-archived
Nov 21, 2020
…ache#8630) # Motivation The PR apache#6335 lost some PR changes, related PRs as below. 1. PR 4196 (2019/5/29 Merli) Configure static PulsarByteBufAllocator to handle OOM errors (#4196) 2. PR 5356 (2019/10/30 Kelly) [TIEREDSTORAGE] Only seek when reading unexpected entry (#5356) 3. PR 4433 (2019/6/4 Higham) [tiered-storage] Add support for AWS instance and role creds (#4433) (cherry picked from commit 68759ff) (cherry picked from commit 8793963) (cherry picked from commit 0388a1a)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation
This commit makes changes to the tiered storage support for S3
to allow for support of ec2 metadata instance credentials as well as
additional config options for assuming a role to get credentials.
Currently, because ec2 instance credentials require a session token,
the existing implementation does not let you use credentials provided
by the ec2 metadata API.
Also, the usage of roles can be very helpful, this commit also adds support
for roles.
Modifications
This works by changing the way we provide credentials to use the
funtional
Supplierinterface and for using the AWS specificSessionCredentialsobject for when we detect that theCredentialProvideris providing credentials that have a session token.The creation of the AWSCredentialProvider is moved into the
TieredStorageConfigurationDataobjectand two new configuration options are exposed, which are used to provide details of the role name and roleSessionName.
Verifying this change
This change added tests and can be verified as follows:
Does this pull request potentially affect one of the following parts:
Documentation