HADOOP-19201 S3A. Support external-id in assume role (#6876)

The option fs.s3a.assumed.role.external.id sets the external ID passed in AssumeRole calls to the STS service.

Contributed by Smith Cruise
This commit is contained in:
Smith Cruise 2024-09-10 22:38:32 +08:00 committed by GitHub
parent c9e9bce361
commit c835adb3a8
3 changed files with 18 additions and 0 deletions


@ -94,6 +94,11 @@ private Constants() {
public static final String ASSUMED_ROLE_ARN =
"fs.s3a.assumed.role.arn";
/**
* external id for assume role request: {@value}.
*/
public static final String ASSUMED_ROLE_EXTERNAL_ID = "fs.s3a.assumed.role.external.id";
/**
* Session name for the assumed role, must be valid characters according
* to the AWS APIs: {@value}.
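Review bot: The new ASSUMED_ROLE_EXTERNAL_ID declaration is written on one line and appears to run past the column limit the neighbouring constants keep to (ASSUMED_ROLE_ARN is wrapped onto two lines); for consistency wrap it the same way: `public static final String ASSUMED_ROLE_EXTERNAL_ID =` followed by `"fs.s3a.assumed.role.external.id";`. The Javadoc would also help operators more if it stated that the option is optional and only attached to the request when non-empty, which is how the credential-provider change in this commit treats it, e.g. `* Optional external id for the assume role request; only sent when non-empty: {@value}.`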


@ -125,6 +125,7 @@ public AssumedRoleCredentialProvider(@Nullable URI fsUri, Configuration conf)
duration = conf.getTimeDuration(ASSUMED_ROLE_SESSION_DURATION,
ASSUMED_ROLE_SESSION_DURATION_DEFAULT, TimeUnit.SECONDS);
String policy = conf.getTrimmed(ASSUMED_ROLE_POLICY, "");
String externalId = conf.getTrimmed(ASSUMED_ROLE_EXTERNAL_ID, "");
LOG.debug("{}", this);
@ -132,6 +133,10 @@ public AssumedRoleCredentialProvider(@Nullable URI fsUri, Configuration conf)
AssumeRoleRequest.builder().roleArn(arn).roleSessionName(sessionName)
.durationSeconds((int) duration);
if (StringUtils.isNotEmpty(externalId)) {
requestBuilder.externalId(externalId);
}
if (StringUtils.isNotEmpty(policy)) {
LOG.debug("Scope down policy {}", policy);
requestBuilder.policy(policy);
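Review bot: The guard on the `if (StringUtils.isNotEmpty(externalId))` line accepts any non-empty string, but STS imposes its own length and character-set constraints on the external ID, so a mistyped value is only reported as an opaque AssumeRole failure at first use; consider validating the configured value up front, or at least documenting the constraint next to the check. Unlike the policy branch that follows, the new branch logs nothing, which is sensible for a value used to guard against confused-deputy access and so best kept out of logs, but a presence-only line such as `LOG.debug("External id configured for assume role request");` would let operators confirm it was applied without exposing it. It is also worth confirming that toString(), which the `LOG.debug("{}", this)` call earlier in the hunk prints, does not get extended to include the raw external id. The enclosing constructor starts and ends outside the hunk.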


@ -153,6 +153,14 @@ Here are the full set of configuration options.
</description>
</property>
<property>
<name>fs.s3a.assumed.role.external.id</name>
<value>arbitrary value, specific by user in AWS console</value>
<description>
External id for assumed role, it's an optional configuration. "https://aws.amazon.com/cn/blogs/security/how-to-use-external-id-when-granting-access-to-your-aws-resources/"
</description>
</property>
<property>
<name>fs.s3a.assumed.role.policy</name>
<value/>