[ https://issues.apache.org/jira/browse/HADOOP-16806?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jon Hartlaub updated HADOOP-16806:
----------------------------------
    Description: 
AWS has added a security feature to the assume-role function in the form of the "ExternalId" key in the AWS Java SDK {{STSAssumeRoleSessionCredentialsProvider.Builder}} class. To support this security feature, the hadoop-aws {{AssumedRoleCredentialProvider}} needs a patch to include this value from the configuration, as well as an added constant in the {{org.apache.hadoop.fs.s3a.Constants}} file.

The ExternalId is not a required security feature; it is an augmentation of the current assume-role configuration.

Proposed:
 * Get the assume-role ExternalId token from the configuration for the configuration key {{fs.s3a.assumed.role.externalid}}
 * Use the configured ExternalId value in the {{STSAssumeRoleSessionCredentialsProvider.Builder}}, e.g.

{code:java}
if (StringUtils.isNotEmpty(externalId)) {
  builder.withExternalId(externalId); // include the token for cross-account assume role
}
{code}

Tests:
 * +Unit test+ which verifies the ExternalId state value of the {{AssumedRoleCredentialProvider}} is consistent with the configured value - either empty or populated
 * Question: not sure how to write the +integration test+ for this feature. We have an account configured for this use-case that verifies this feature, but I don't have much context on the AWS S3 integration tests; perhaps a pointer could help.

  was:
AWS has added a security feature to the assume-role function in the form of the "ExternalId" key in the AWS Java SDK {{STSAssumeRoleSessionCredentialsProvider.Builder}} class. To support this security feature, the hadoop-aws {{AssumedRoleCredentialProvider}} needs a patch to include this value from the configuration, as well as an added constant in the {{org.apache.hadoop.fs.s3a.Constants}} file.

The ExternalId is not a required security feature; it is an augmentation of the current assume-role configuration.

Proposed:
 * Get the assume-role ExternalId token from the configuration for the configuration key {{fs.s3a.assumed.role.externalid}}
 * Use the configured ExternalId value in the {{STSAssumeRoleSessionCredentialsProvider.Builder}}, e.g.

{code:java}
if (StringUtils.isNotEmpty(externalId)) {
  builder.withExternalId(externalId); // include the token for cross-account assume role
}
{code}


> AWS AssumedRoleCredentialProvider needs ExternalId add
> ------------------------------------------------------
>
>                 Key: HADOOP-16806
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16806
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/s3
>    Affects Versions: 3.2.1
>            Reporter: Jon Hartlaub
>            Priority: Minor
>



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
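As an added example, not code from HADOOP-16806 or from hadoop-aws, the following Java shows the client side of the proposal: read the ExternalId from the Hadoop configuration, attach it to the AWS SDK v1 {{STSAssumeRoleSessionCredentialsProvider.Builder}} only when it is set, and leave deployments without the key unchanged. It also carries, as a comment, an illustrative trust policy for the role being assumed, because the ExternalId only does anything when the role's trust policy checks it with an {{sts:ExternalId}} condition. The class name, the proposed key {{fs.s3a.assumed.role.externalid}}, the role ARN, the account IDs and the ExternalId value are assumptions for illustration; the other {{fs.s3a.assumed.role.*}} keys are the existing hadoop-aws ones.

```java
// Added example: not code from HADOOP-16806 or from hadoop-aws.
// Assumed for illustration: the class name, the proposed key
// fs.s3a.assumed.role.externalid, the role ARN, account IDs and ExternalId value.
import java.util.concurrent.TimeUnit;

import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.conf.Configuration;

public final class ExternalIdAssumeRoleExample {

  // Existing hadoop-aws keys (org.apache.hadoop.fs.s3a.Constants) ...
  static final String ASSUMED_ROLE_ARN = "fs.s3a.assumed.role.arn";
  static final String ASSUMED_ROLE_SESSION_NAME = "fs.s3a.assumed.role.session.name";
  static final String ASSUMED_ROLE_SESSION_DURATION = "fs.s3a.assumed.role.session.duration";
  // ... and the key this issue proposes to add.
  static final String ASSUMED_ROLE_EXTERNAL_ID = "fs.s3a.assumed.role.externalid";

  /*
   * Illustrative trust policy on the role being assumed (assumed content, not
   * from the issue). Without the Condition, STS accepts the AssumeRole call with
   * or without an ExternalId, so the client-side change below has no effect.
   *
   * {
   *   "Version": "2012-10-17",
   *   "Statement": [{
   *     "Effect": "Allow",
   *     "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
   *     "Action": "sts:AssumeRole",
   *     "Condition": { "StringEquals": { "sts:ExternalId": "example-external-id-42" } }
   *   }]
   * }
   */

  /** Returns the configured ExternalId, trimmed, or "" when the key is absent or blank. */
  static String externalIdFrom(Configuration conf) {
    return conf.getTrimmed(ASSUMED_ROLE_EXTERNAL_ID, "");
  }

  /**
   * Builds the assume-role provider. The ExternalId is attached only when it is
   * configured, so existing configurations without the key behave as before.
   * Building the provider makes no STS call; that happens on getCredentials().
   */
  static STSAssumeRoleSessionCredentialsProvider buildProvider(Configuration conf,
      AWSSecurityTokenService sts) {
    String roleArn = conf.getTrimmed(ASSUMED_ROLE_ARN, "");
    if (roleArn.isEmpty()) {
      throw new IllegalArgumentException("Missing " + ASSUMED_ROLE_ARN);
    }
    String sessionName = conf.getTrimmed(ASSUMED_ROLE_SESSION_NAME, "hadoop-s3a-example");
    int durationSeconds = (int) conf.getTimeDuration(
        ASSUMED_ROLE_SESSION_DURATION, 30 * 60, TimeUnit.SECONDS);

    STSAssumeRoleSessionCredentialsProvider.Builder builder =
        new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, sessionName)
            .withRoleSessionDurationSeconds(durationSeconds)
            .withStsClient(sts);

    String externalId = externalIdFrom(conf);
    if (StringUtils.isNotEmpty(externalId)) {
      builder.withExternalId(externalId); // token for cross-account assume role
    }
    return builder.build();
  }

  public static void main(String[] args) throws Exception {
    // Explicit region so the STS client is constructed without environment lookups;
    // no network call is made in this example.
    AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard()
        .withRegion("us-east-1").build();

    Configuration conf = new Configuration(false);
    conf.set(ASSUMED_ROLE_ARN, "arn:aws:iam::999999999999:role/s3a-cross-account"); // assumed ARN

    // Key absent: provider is built exactly as before, with no ExternalId.
    System.out.println("externalId without key: '" + externalIdFrom(conf) + "'");
    try (STSAssumeRoleSessionCredentialsProvider p = buildProvider(conf, sts)) {
      System.out.println("provider built without ExternalId: " + (p != null));
    }

    // Key present (with stray whitespace): value is trimmed and passed to the builder.
    conf.set(ASSUMED_ROLE_EXTERNAL_ID, "  example-external-id-42  ");
    System.out.println("externalId with key: '" + externalIdFrom(conf) + "'");
    try (STSAssumeRoleSessionCredentialsProvider p = buildProvider(conf, sts)) {
      System.out.println("provider built with ExternalId: " + (p != null));
    }
  }
}
```

The unit test the issue asks for can assert on what {{externalIdFrom}} returns for an absent key, a blank value and a populated value, which is the "either empty or populated" state the description describes. Two caveats a deployer should keep in mind: the ExternalId is only enforced by the trust policy on the target role, so the role owner has to add the condition for the client-side setting to matter, and AWS does not treat the ExternalId as a secret (anyone who can view the role can see it), so it should not be confused with a credential.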