[jira] [Updated] (SOLR-16429) Missing dependency for STS - Cannot leverage Web Identity Tokens

[Kevin Risden (Jira)]

     [ 
https://issues.apache.org/jira/browse/SOLR-16429?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Kevin Risden updated SOLR-16429:
--------------------------------
    Fix Version/s: 9.1
                   main (10.0)

> Missing dependency for STS - Cannot leverage Web Identity Tokens
> ----------------------------------------------------------------
>
>                 Key: SOLR-16429
>                 URL: https://issues.apache.org/jira/browse/SOLR-16429
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Backup/Restore
>    Affects Versions: 8.11.2
>         Environment: Solr 8 (and later), when operating in a container within 
> AWS, attempting to leverage Web Identity Tokens as part of S3 backups.
>            Reporter: Josh Souza
>            Priority: Major
>             Fix For: 9.1, main (10.0)
>
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> As discovered in 
> [apache/solr-operator#475|https://github.com/apache/solr-operator/issues/475]
> the {{s3-repository}} contrib module is missing a dependency on the 
> {{software.amazon.awssdk:sts}} module in order to enable authentication via 
> Web Identity Tokens (STS).
> The documentation for the Solr Operator 
> ([https://apache.github.io/solr-operator/docs/solr-backup/#s3-credentials] / 
> [https://github.com/apache/solr-operator/blob/61c74353505e0e7171bdb3ff41102af47fb589fc/docs/solr-backup/README.md?plain=1#L342-L343])
>  references that this should be possible, and any other implementation of 
> Solr on Kubernetes (or any other AWS system using IRSA) won't be able to use 
> the default credential process to use Web Identity Tokens without this module 
> dependency.
> Discovered by following breadcrumbs from: 
> [aws/aws-sdk-java-v2#2123|https://github.com/aws/aws-sdk-java-v2/issues/2123]
> Adding the `sts` jar to the classpath has confirmed to address this issue, 
> but this is likely a miss on testing dependencies because it's pretty 
> difficult to test. (Solr wouldn't call out to this code, it's the internal 
> AWS api that needs this as part of the default chain).
>  
> I'll try to get a PR together to add this in.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org