github-actions[bot] commented on code in PR #62788:
URL: https://github.com/apache/doris/pull/62788#discussion_r3231133418
##########
be/src/util/s3_util.cpp:
##########
@@ -626,6 +626,16 @@ static CredProviderType
cred_provider_type_from_thrift(TCredProviderType::type c
return CredProviderType::Simple;
case TCredProviderType::INSTANCE_PROFILE:
return CredProviderType::InstanceProfile;
+ case TCredProviderType::ENV:
+ return CredProviderType::Env;
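Review bot: the added `case TCredProviderType::ENV:` at the end of this hunk returns `CredProviderType::Env` with no accompanying check, so every caller of `cred_provider_type_from_thrift` can now receive a value the decoder did not produce before. Suggest handling or rejecting `CredProviderType::Env` explicitly wherever the decoded type is consumed, and adding a unit test for the new mapping, so an unsupported provider surfaces as an error rather than taking whatever default branch a caller has.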
Review Comment:
Decoding these new thrift values exposes a BE v1 credential path that still
does not honor them for role-based configs. `S3Properties.getS3TStorageParam()`
can now send `role_arn + ENV/CONTAINER/WEB_IDENTITY/...`;
`get_s3_client_conf()` stores that type, but with
`aws_credentials_provider_version != v2`,
`S3ClientFactory::_get_aws_credentials_provider_v1()` only enters the
assume-role branch for `CredProviderType::InstanceProfile`. For `ENV`,
`CONTAINER`, or `WEB_IDENTITY`, it skips the `role_arn` entirely and falls
through to anonymous credentials because AK/SK are empty. This is distinct from
the existing recycler-v1 thread: this is the BE storage-policy/resource-push
path enabled by the new thrift decoder. Please either reject
non-`INSTANCE_PROFILE` role providers when v1 is active or make the BE v1 path
assume the role using the selected base provider.
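The fall-through described in the review comment, next to the first remedy it proposes (reject non-`INSTANCE_PROFILE` role providers when v1 is active), as an added C++ model that is not Doris code and not part of the original message. The enum, struct and function names are hypothetical, the check of AK/SK before the role is an assumption, and the ARN is a constructed placeholder.

```cpp
#include <cstdio>
#include <string>

// Hypothetical stand-ins for the provider types named in the review comment.
enum class ProviderType { Simple, InstanceProfile, Env, Container, WebIdentity };

enum class Outcome { StaticKeys, AssumeRole, Anonymous, Rejected };

// Constructed model of the configuration fields the comment mentions.
struct S3Conf {
    std::string ak, sk, role_arn;
    ProviderType type = ProviderType::Simple;
};

// Behaviour the comment describes for the v1 path: only InstanceProfile
// reaches the assume-role branch; any other type with empty AK/SK ends up
// anonymous and role_arn is silently ignored.
Outcome select_v1_as_described(const S3Conf& c) {
    if (!c.ak.empty() && !c.sk.empty()) return Outcome::StaticKeys;
    if (!c.role_arn.empty() && c.type == ProviderType::InstanceProfile)
        return Outcome::AssumeRole;
    return Outcome::Anonymous;
}

// Fail-closed variant: a role-based config whose base provider is not
// InstanceProfile is rejected up front instead of falling through.
Outcome select_v1_fail_closed(const S3Conf& c) {
    if (!c.role_arn.empty() && c.type != ProviderType::InstanceProfile)
        return Outcome::Rejected;
    return select_v1_as_described(c);
}

int main() {
    const char* names[] = {"StaticKeys", "AssumeRole", "Anonymous", "Rejected"};
    S3Conf c;
    c.role_arn = "arn:aws:iam::000000000000:role/example";  // constructed value
    const ProviderType types[] = {ProviderType::InstanceProfile, ProviderType::Env,
                                  ProviderType::Container, ProviderType::WebIdentity};
    for (ProviderType t : types) {
        c.type = t;
        std::printf("type=%d as_described=%s fail_closed=%s\n", static_cast<int>(t),
                    names[static_cast<int>(select_v1_as_described(c))],
                    names[static_cast<int>(select_v1_fail_closed(c))]);
    }
    return 0;
}
```
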