[ 
https://issues.apache.org/jira/browse/HADOOP-16806?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jon Hartlaub updated HADOOP-16806:
----------------------------------
    Description: 
AWS has added a security feature to the assume-role function in the form of the 
"ExternalId" key in the AWS Java SDK 
{{STSAssumeRoleSessionCredentialsProvider.Builder}} class.  To support this 
security feature, the hadoop aws {{AssumedRoleCredentialProvider}} needs a 
patch to include this value from the configuration as well as an added Constant 
to the {{org.apache.hadoop.fs.s3a.Constants}} file.

The ExternalId is not a required security feature; it is an augmentation of the 
current assume role configuration.

Proposed: 
 * Get the assume-role ExternalId token from the configuration for the 
configuration key {{fs.s3a.assumed.role.externalid}}
 * Use the configured ExternalId value in the 
{{STSAssumeRoleSessionCredentialsProvider.Builder}}   

e.g.

{code:java}
if (StringUtils.isNotEmpty(externalId)) {
    builder.withExternalId(externalId); // include the token for cross-account assume role
}
{code}

 Tests:
 * +Unit test+ which verifies the ExternalId state value of the 
{{AssumedRoleCredentialProvider}} is consistent with the configured value - 
either empty or populated
 * Question: not sure about how to write the +integration test+ for this 
feature.  We have an account configured for this use-case that verifies this 
feature but I don't have much context on the AWS S3 integration tests, perhaps 
a pointer could help.

  was:
AWS has added a security feature to the assume-role function in the form of the 
"ExternalId" key in the AWS Java SDK 
{{STSAssumeRoleSessionCredentialsProvider.Builder}} class.  To support this 
security feature, the hadoop aws {{AssumedRoleCredentialProvider}} needs a 
patch to include this value from the configuration as well as an added Constant 
to the {{org.apache.hadoop.fs.s3a.Constants}} file.

The ExternalId is not a required security feature; it is an augmentation of the 
current assume role configuration.

Proposed: 
 * Get the assume-role ExternalId token from the configuration for the 
configuration key {{fs.s3a.assumed.role.externalid}}
 * Use the configured ExternalId value in the 
{{STSAssumeRoleSessionCredentialsProvider.Builder}}   

e.g.

{code:java}
if (StringUtils.isNotEmpty(externalId)) {
    builder.withExternalId(externalId); // include the token for cross-account assume role
}
{code}

> AWS AssumedRoleCredentialProvider needs ExternalId add
> ------------------------------------------------------
>
>                 Key: HADOOP-16806
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16806
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/s3
>    Affects Versions: 3.2.1
>            Reporter: Jon Hartlaub
>            Priority: Minor
>
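As an added illustration of the proposal above (this is example code, not code from the Hadoop project, the AWS SDK, or this issue), the following shows how an S3A-style provider could read the proposed {{fs.s3a.assumed.role.externalid}} key and pass it to the AWS SDK v1 {{STSAssumeRoleSessionCredentialsProvider.Builder}}, together with the kind of state check the unit-test bullet describes. The constant name {{ASSUMED_ROLE_EXTERNAL_ID}}, the default session name, the class name and the sample configuration values are assumptions of this example; the {{fs.s3a.assumed.role.arn}} and {{fs.s3a.assumed.role.session.name}} keys are existing S3A keys. ExternalId matters only when the target role's trust policy requires the same value (the {{sts:ExternalId}} condition), which is what lets the role owner reject confused-deputy use of a cross-account role.

```java
// Added example, not Hadoop or AWS SDK code. Requires hadoop-common,
// aws-java-sdk-sts (SDK v1) and commons-lang3 on the classpath.
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.conf.Configuration;

public class ExternalIdAssumeRoleExample {

  // Existing S3A configuration keys.
  static final String ASSUMED_ROLE_ARN = "fs.s3a.assumed.role.arn";
  static final String ASSUMED_ROLE_SESSION_NAME = "fs.s3a.assumed.role.session.name";
  // Key proposed in HADOOP-16806; the constant name is this example's assumption.
  static final String ASSUMED_ROLE_EXTERNAL_ID = "fs.s3a.assumed.role.externalid";

  /** Returns the trimmed ExternalId from the configuration, or "" when unset. */
  static String resolveExternalId(Configuration conf) {
    return conf.getTrimmed(ASSUMED_ROLE_EXTERNAL_ID, "");
  }

  /**
   * Builds an assume-role provider. The ExternalId is only attached when
   * configured, so existing deployments without the key keep their behaviour.
   */
  static AWSCredentialsProvider build(Configuration conf, AWSSecurityTokenService sts) {
    String roleArn = conf.getTrimmed(ASSUMED_ROLE_ARN, "");
    if (roleArn.isEmpty()) {
      throw new IllegalArgumentException("missing " + ASSUMED_ROLE_ARN);
    }
    // Default session name is an assumption of this example.
    String sessionName = conf.getTrimmed(ASSUMED_ROLE_SESSION_NAME, "s3a-assumed-role");
    String externalId = resolveExternalId(conf);

    STSAssumeRoleSessionCredentialsProvider.Builder builder =
        new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, sessionName)
            .withStsClient(sts);
    if (StringUtils.isNotEmpty(externalId)) {
      // Sent in the AssumeRole call; STS rejects the call if the role's trust
      // policy requires a different sts:ExternalId.
      builder.withExternalId(externalId);
    }
    return builder.build();
  }

  /** Offline check of the configured-state contract: empty or populated. */
  public static void main(String[] args) {
    Configuration conf = new Configuration(false);
    conf.set(ASSUMED_ROLE_ARN, "arn:aws:iam::123456789012:role/example-role"); // constructed
    conf.set(ASSUMED_ROLE_EXTERNAL_ID, "example-external-id");                 // constructed
    String resolved = resolveExternalId(conf);
    if (!"example-external-id".equals(resolved)) {
      throw new AssertionError("ExternalId not read from configuration: " + resolved);
    }
    Configuration withoutKey = new Configuration(false);
    if (!resolveExternalId(withoutKey).isEmpty()) {
      throw new AssertionError("ExternalId should default to empty when unset");
    }
    System.out.println("ExternalId resolution OK (no STS call made)");
  }
}
```

The {{main}} method exercises only the configuration path, so it runs without credentials or network access; calling {{build}} with a real STS client is what the integration test in the issue would cover, and it will fail at the first credential fetch if the ExternalId does not match the role's trust policy.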



--
This message was sent by Atlassian Jira
(v8.3.4#803005)