[ https://issues.apache.org/jira/browse/HADOOP-19067?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17814512#comment-17814512 ]

Jason Martin commented on HADOOP-19067:
---------------------------------------

I hadn't seen the audit logging, thank you for that.  In this environment I 
don't think I can rely on links back to the Spark cluster since they are 
ephemeral but centrally managed.  I can get session data in CloudTrail Data 
Events and map the credential back to the AssumeRole, and the platform could 
have added in all the breadcrumbs in those tags.

Being able to define these additional fields in the referrer header would also do 
it; I'll probably open a separate ticket about that.

> Allow tag passing to AWS Assume Role Credential Provider
> --------------------------------------------------------
>
>                 Key: HADOOP-19067
>                 URL: https://issues.apache.org/jira/browse/HADOOP-19067
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: fs/s3
>    Affects Versions: 3.4.0
>            Reporter: Jason Martin
>            Priority: Minor
>
> [https://github.com/apache/hadoop/blob/trunk/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/AssumedRoleCredentialProvider.java#L131-L133]
>  passes a session name and role arn to AssumeRoleRequest. The AWS AssumeRole 
> API also supports passing a list of tags: 
> [https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/sts/model/AssumeRoleRequest.html#tags()]
> These tags could be used by platforms to enhance the data encoded into 
> CloudTrail entries to provide better information about the client. For 
> example, a 'notebook' based platform could encode the notebook / jobname / 
> invoker-id in these tags, enabling more granular access controls and leaving 
> a richer breadcrumb-trail as to what operations are being performed.
> This is particularly useful in larger environments where jobs do not get 
> individual roles to assume, and there is a desire to track what 
> jobs/notebooks are reading a given set of files in S3.
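An added example, not Hadoop's own AssumedRoleCredentialProvider code, of the request shape the issue asks for: an AWS SDK for Java v2 AssumeRoleRequest that carries session tags, wrapped in a refreshing STS credentials provider so the same tags travel with every renewed session. The role ARN, session name, tag keys and values are constructed placeholders, and the class and helper names are assumptions of this example.

```java
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
import software.amazon.awssdk.services.sts.model.Tag;

public final class TaggedAssumeRole {
    // Turn caller-supplied breadcrumbs into STS session tags. AWS allows at most
    // 50 session tags, keys up to 128 chars and values up to 256 chars; checking
    // here fails fast instead of surfacing later as an STS ValidationError.
    static List<Tag> toSessionTags(Map<String, String> raw) {
        if (raw.size() > 50) {
            throw new IllegalArgumentException("at most 50 session tags");
        }
        return raw.entrySet().stream().map(e -> {
            if (e.getKey().isEmpty() || e.getKey().length() > 128 || e.getValue().length() > 256) {
                throw new IllegalArgumentException("invalid session tag: " + e.getKey());
            }
            return Tag.builder().key(e.getKey()).value(e.getValue()).build();
        }).collect(Collectors.toList());
    }
    // Same inputs the provider already sends (role ARN, session name) plus tags.
    // The tags are recorded in the AssumeRole CloudTrail event and can be matched
    // in IAM policies through the aws:PrincipalTag/<key> condition key.
    static AssumeRoleRequest buildRequest(String roleArn, String sessionName,
                                          Map<String, String> breadcrumbs) {
        return AssumeRoleRequest.builder()
                .roleArn(roleArn)
                .roleSessionName(sessionName)
                .tags(toSessionTags(breadcrumbs))
                .build();
    }
    public static void main(String[] args) {
        // Constructed placeholder values; a platform would fill them from job metadata.
        Map<String, String> breadcrumbs = Map.of(
                "notebook", "sales-etl.ipynb", "jobname", "daily-aggregate", "invoker-id", "user-12345");
        AssumeRoleRequest req = buildRequest(
                "arn:aws:iam::123456789012:role/PLACEHOLDER-data-reader", "spark-session", breadcrumbs);
        try (StsClient sts = StsClient.create();
             StsAssumeRoleCredentialsProvider provider = StsAssumeRoleCredentialsProvider.builder()
                     .stsClient(sts)
                     .refreshRequest(req)   // the same tagged request is re-sent on every refresh
                     .build()) {
            System.out.println("assumed role, access key id " + provider.resolveCredentials().accessKeyId());
        }
    }
}
```

Correlating later S3 data events back to this session works the same way the comment above describes: the access key id returned here is the one CloudTrail records on each S3 call, and the AssumeRole event for that key carries the tags.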
