Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[tiered-storage] Allow AWS credentials to be refreshed #9387

Merged
merged 2 commits into from
Feb 1, 2021
Merged

[tiered-storage] Allow AWS credentials to be refreshed #9387

merged 2 commits into from
Feb 1, 2021

Conversation

addisonj
Copy link
Contributor

@addisonj addisonj commented Feb 1, 2021

Motivation

With the refactor of support azure, a regression occured where the AWS
credentials were fetched once and then used through the entire process.

This is a problem in AWS, where it is commonplace to use credentials
that expire.

Modifications

The AWS credential provider chain takes care of this
problem, but when intgrating with JClouds, that means we need the
credential Supplier to return a new set of credentials each time.

Luckily, AWS should intelligently cache this so we aren't thrashing the
underlying credential mechanisms.

Verifying this change

This also adds a test to ensure this isn't broken in the future, it does a simple validation to ensure that the underlying credentials can change via AWS SystemPropertyCredentialProvider

Does this pull request potentially affect one of the following parts:

If yes was chosen, please highlight the changes

  • Dependencies (does it add or upgrade a dependency): n
  • The public API: n
  • The schema: n
  • The default values of configurations: n
  • The wire protocol: n
  • The rest endpoints: n
  • The admin cli options: n
  • Anything that affects deployment: n

Documentation

  • Does this pull request introduce a new feature? n
  • If yes, how is the feature documented? N/A

@sijie sijie added this to the 2.8.0 milestone Feb 1, 2021
@jiazhai
Copy link
Member

jiazhai commented Feb 1, 2021

@gaoran10 @Renkai Would you please also help review this?

Renkai
Renkai reviewed Feb 1, 2021
View reviewed changes
...main/java/org/apache/bookkeeper/mledger/offload/jcloud/provider/JCloudBlobStoreProvider.java Outdated
// Important! Delay the building of actual credentials
// until later to support tokens that may be refreshed
// such as all session tokens
AWSCredentialsProvider finalAuthChain = authChain;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we need a new variable finalAuthChain instead of reusing authChain?

Renkai
Renkai suggested changes Feb 1, 2021
View reviewed changes
...main/java/org/apache/bookkeeper/mledger/offload/jcloud/provider/JCloudBlobStoreProvider.java Outdated
@@ -304,33 +305,40 @@ public ProviderMetadata getProviderMetadata() {

static final CredentialBuilder AWS_CREDENTIAL_BUILDER = (TieredStorageConfiguration config) -> {
if (config.getCredentials() == null) {
AWSCredentials awsCredentials = null;
AWSCredentialsProvider authChain = null;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

            final AWSCredentialsProvider authChain;
            try {
                if (Strings.isNullOrEmpty(config.getConfigProperty(S3_ROLE_FIELD))) {
                    authChain = DefaultAWSCredentialsProviderChain.getInstance();
                } else {
                    authChain =
                            new STSAssumeRoleSessionCredentialsProvider.Builder(
                                    config.getConfigProperty(S3_ROLE_FIELD),
                                    config.getConfigProperty(S3_ROLE_SESSION_NAME_FIELD)
                            ).build();
                }

                // Important! Delay the building of actual credentials
                // until later to support tokens that may be refreshed
                // such as all session tokens
                config.setProviderCredentials(() -> {
                    AWSCredentials newCreds = authChain.getCredentials();

Maybe like this is better?

Renkai
Renkai reviewed Feb 1, 2021
View reviewed changes
...main/java/org/apache/bookkeeper/mledger/offload/jcloud/provider/JCloudBlobStoreProvider.java
.sessionToken(((AWSSessionCredentials) newCreds).getSessionToken())
.build();
} else {
jcloudCred = new Credentials(
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will we, or should we still go into this if branch in our new implementation?

@jiazhai
Copy link
Member

jiazhai commented Feb 1, 2021

@addisonj There is PR #9376 fix some flaky test, it would be good to rebase this branch with the latest master.

@addisonj
[tiered-storage] Allow AWS credentials to be refreshed
e417eb1 
With the refactor of support azure, a regression occured where the AWS
credentials were fetched once and then used through the entire process.

This is a problem in AWS, where it is commonplace to use credentials
that expire. The AWS credential provider chain takes care of this
problem, but when intgrating with JClouds, that means we need the
credential Supplier to return a new set of credentials each time.

Luckily, AWS should intelligently cache this so we aren't thrashing the
underlying credential mechanisms.

This also adds a test to ensure this isn't broken in the future
@addisonj
address feedback
9f6303b
@jiazhai
Copy link
Member

jiazhai commented Feb 1, 2021

/pulsarbot run-failure-checks

@sijie sijie merged commit 562b2e7 into apache:master Feb 1, 2021
@sijie sijie deleted the s3_expired_creds branch February 1, 2021 18:41
@codelipenghui codelipenghui added the cherry-picked/branch-2.7 Archived: 2.7 is end of life label Feb 4, 2021
codelipenghui pushed a commit that referenced this pull request Feb 4, 2021
@addisonj @codelipenghui
[tiered-storage] Allow AWS credentials to be refreshed (#9387)
732c839 
With the refactor of support azure, a regression occured where the AWS
credentials were fetched once and then used through the entire process.

This is a problem in AWS, where it is commonplace to use credentials
that expire.

The AWS credential provider chain takes care of this
problem, but when intgrating with JClouds, that means we need the
credential Supplier to return a new set of credentials each time.

Luckily, AWS should intelligently cache this so we aren't thrashing the
underlying credential mechanisms.

This also adds a test to ensure this isn't broken in the future, it does a simple validation to ensure that the underlying credentials can change via AWS SystemPropertyCredentialProvider

(cherry picked from commit 562b2e7)
@addisonj addisonj mentioned this pull request Feb 4, 2021
Closed
codelipenghui pushed a commit that referenced this pull request Feb 7, 2021
@addisonj @codelipenghui
[tiered-storage] Allow AWS credentials to be refreshed (#9387)
ce191fb 
With the refactor of support azure, a regression occured where the AWS
credentials were fetched once and then used through the entire process.

This is a problem in AWS, where it is commonplace to use credentials
that expire.

The AWS credential provider chain takes care of this
problem, but when intgrating with JClouds, that means we need the
credential Supplier to return a new set of credentials each time.

Luckily, AWS should intelligently cache this so we aren't thrashing the
underlying credential mechanisms.

This also adds a test to ensure this isn't broken in the future, it does a simple validation to ensure that the underlying credentials can change via AWS SystemPropertyCredentialProvider

(cherry picked from commit 562b2e7)
codelipenghui pushed a commit to streamnative/pulsar-archived that referenced this pull request Feb 7, 2021
@addisonj @codelipenghui
[tiered-storage] Allow AWS credentials to be refreshed (apache#9387)
17b10cf 
With the refactor of support azure, a regression occured where the AWS
credentials were fetched once and then used through the entire process.

This is a problem in AWS, where it is commonplace to use credentials
that expire.

The AWS credential provider chain takes care of this
problem, but when intgrating with JClouds, that means we need the
credential Supplier to return a new set of credentials each time.

Luckily, AWS should intelligently cache this so we aren't thrashing the
underlying credential mechanisms.

This also adds a test to ensure this isn't broken in the future, it does a simple validation to ensure that the underlying credentials can change via AWS SystemPropertyCredentialProvider

(cherry picked from commit 562b2e7)
(cherry picked from commit ce191fb)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jiazhai jiazhai jiazhai approved these changes

@Renkai Renkai Renkai approved these changes

@sijie sijie sijie approved these changes

@codelipenghui codelipenghui Awaiting requested review from codelipenghui

@zymap zymap Awaiting requested review from zymap

Assignees

@addisonj addisonj

Labels
area/tieredstorage cherry-picked/branch-2.7 Archived: 2.7 is end of life release/2.6.4 release/2.7.1
Projects
None yet
Milestone
2.8.0
Development

Successfully merging this pull request may close these issues.
5 participants
@addisonj @jiazhai @sijie @Renkai @codelipenghui