HADOOP-16568. S3A FullCredentialsTokenBinding fails if local credentials are unset. (#1441)

Contributed by Steve Loughran. Move the loading to deployUnbonded (where they are required) and add a safety check when a new DT is requested Change-Id: I03c69aa2e16accfccddca756b2771ff832e7dd58
2020-06-03 17:07:00 +01:00 · 2020-06-03 17:07:00 +01:00 · 8a642caca8
commit 8a642caca8
parent cf84bec6e3
1 changed files with 5 additions and 2 deletions
--- a/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/delegation/FullCredentialsTokenBinding.java
+++ b/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/delegation/FullCredentialsTokenBinding.java
@ -22,6 +22,8 @@
 import java.net.URI;
 import java.util.Optional;

+import com.google.common.base.Preconditions;
+
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.s3a.AWSCredentialProviderList;
 import org.apache.hadoop.fs.s3a.S3AUtils;
@ -73,7 +75,6 @@ public FullCredentialsTokenBinding() {
  @Override
  protected void serviceStart() throws Exception {
    super.serviceStart();
-    loadAWSCredentials();
  }

  /**
@ -116,6 +117,7 @@ private void loadAWSCredentials() throws IOException {
  @Override
  public AWSCredentialProviderList deployUnbonded() throws IOException {
    requireServiceStarted();
+    loadAWSCredentials();
    return new AWSCredentialProviderList(
        "Full Credentials Token Binding",
        new MarshalledCredentialProvider(
@ -142,7 +144,8 @@ public AbstractS3ATokenIdentifier createTokenIdentifier(
      final EncryptionSecrets encryptionSecrets,
      final Text renewer) throws IOException {
    requireServiceStarted();
-
+    Preconditions.checkNotNull(
+        awsCredentials, "No AWS credentials to use for a delegation token");
    return new FullCredentialsTokenIdentifier(getCanonicalUri(),
        getOwnerText(),
        renewer,