This is an automated email from the ASF dual-hosted git repository.

kirs pushed a commit to branch branch-4.0
in repository https://gitbox.apache.org/repos/asf/doris.git


The following commit(s) were added to refs/heads/branch-4.0 by this push:
     new 2d22e58aa29 branch-4.0: [fix](Test)Anonymous access must be explicitly 
specified to prevent the default ProviderChain from taking effect. #59862 
(#59900)
2d22e58aa29 is described below

commit 2d22e58aa29cf776f7f07438589905875a90c974
Author: Calvin Kirs <[email protected]>
AuthorDate: Thu Jan 15 19:22:44 2026 +0800

    branch-4.0: [fix](Test)Anonymous access must be explicitly specified to 
prevent the default ProviderChain from taking effect. #59862 (#59900)
    
    #59862
---
 .../common/AwsCredentialsProviderFactory.java      | 34 ++++++++++++++++----
 .../property/storage/S3PropertiesTest.java         |  2 +-
 .../test_catalog_instance_profile.groovy           | 36 ++++++++++++----------
 .../aws_iam_role_p0/test_tvf_anonymous.groovy      |  4 ++-
 4 files changed, 52 insertions(+), 24 deletions(-)

diff --git 
a/fe/fe-core/src/main/java/org/apache/doris/datasource/property/common/AwsCredentialsProviderFactory.java
 
b/fe/fe-core/src/main/java/org/apache/doris/datasource/property/common/AwsCredentialsProviderFactory.java
index 5b49795dfa5..d2fd4a80d9e 100644
--- 
a/fe/fe-core/src/main/java/org/apache/doris/datasource/property/common/AwsCredentialsProviderFactory.java
+++ 
b/fe/fe-core/src/main/java/org/apache/doris/datasource/property/common/AwsCredentialsProviderFactory.java
@@ -72,8 +72,12 @@ public final class AwsCredentialsProviderFactory {
         List<com.amazonaws.auth.AWSCredentialsProvider> providers = new 
ArrayList<>();
         providers.add(new 
com.amazonaws.auth.InstanceProfileCredentialsProvider());
         //lazy + env
-        
providers.add(com.amazonaws.auth.WebIdentityTokenCredentialsProvider.create());
-        providers.add(new 
com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper());
+        if (isWebIdentityConfigured()) {
+            
providers.add(com.amazonaws.auth.WebIdentityTokenCredentialsProvider.create());
+        }
+        if (isContainerCredentialsConfigured()) {
+            providers.add(new 
com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper());
+        }
         providers.add(new 
com.amazonaws.auth.EnvironmentVariableCredentialsProvider());
         providers.add(new 
com.amazonaws.auth.SystemPropertiesCredentialsProvider());
         return new com.amazonaws.auth.AWSCredentialsProviderChain(
@@ -108,13 +112,27 @@ public final class AwsCredentialsProviderFactory {
         }
     }
 
+    private static boolean isWebIdentityConfigured() {
+        return System.getenv("AWS_ROLE_ARN") != null
+                && System.getenv("AWS_WEB_IDENTITY_TOKEN_FILE") != null;
+    }
+
+    private static boolean isContainerCredentialsConfigured() {
+        return System.getenv("AWS_CONTAINER_CREDENTIALS_FULL_URI") != null
+                || System.getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI") != 
null;
+    }
+
     private static AwsCredentialsProvider createDefaultV2(
             boolean includeAnonymous) {
 
         List<AwsCredentialsProvider> providers = new ArrayList<>();
         providers.add(InstanceProfileCredentialsProvider.create());
-        providers.add(WebIdentityTokenFileCredentialsProvider.create());
-        providers.add(ContainerCredentialsProvider.create());
+        if (isWebIdentityConfigured()) {
+            providers.add(WebIdentityTokenFileCredentialsProvider.create());
+        }
+        if (isContainerCredentialsConfigured()) {
+            providers.add(ContainerCredentialsProvider.create());
+        }
         providers.add(EnvironmentVariableCredentialsProvider.create());
         providers.add(SystemPropertyCredentialsProvider.create());
         if (includeAnonymous) {
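Review bot: `isWebIdentityConfigured()` and `isContainerCredentialsConfigured()` test only `System.getenv(...) != null`, so they can disagree with what the SDK providers themselves accept. The AWS SDK v2 settings behind these providers can also be supplied as the JVM system properties `aws.roleArn`, `aws.webIdentityTokenFile`, `aws.containerCredentialsPath` and `aws.containerCredentialsFullUri`, while an empty environment variable still counts as configured here. A frontend configured through system properties would silently lose the provider and resolve a different identity from the rest of the chain (the instance profile, or anonymous when `includeAnonymous` is set). The same helpers gate the v1 chain in the hunk above and the Hadoop provider list in the hunk below; whether the v1 SDK honours the system properties should be confirmed. I would check both sources for a non-empty value and add a short Javadoc explaining why these providers are conditional; `createDefaultV2` continues past the end of this hunk.

```java
private static boolean isWebIdentityConfigured() {
    return isSettingPresent("AWS_ROLE_ARN", "aws.roleArn")
            && isSettingPresent("AWS_WEB_IDENTITY_TOKEN_FILE", "aws.webIdentityTokenFile");
}

private static boolean isContainerCredentialsConfigured() {
    return isSettingPresent("AWS_CONTAINER_CREDENTIALS_FULL_URI", "aws.containerCredentialsFullUri")
            || isSettingPresent("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI", "aws.containerCredentialsPath");
}

/** True when the setting has a non-empty value in the environment or as a JVM system property. */
private static boolean isSettingPresent(String envName, String propertyName) {
    String fromEnv = System.getenv(envName);
    if (fromEnv != null && !fromEnv.isEmpty()) {
        return true;
    }
    String fromProperty = System.getProperty(propertyName);
    return fromProperty != null && !fromProperty.isEmpty();
}
// … unchanged: createDefaultV2 provider list …
```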
@@ -143,9 +161,13 @@ public final class AwsCredentialsProviderFactory {
                 List<String> providers = new ArrayList<>();
                 
providers.add(EnvironmentVariableCredentialsProvider.class.getName());
                 
providers.add(SystemPropertyCredentialsProvider.class.getName());
-                
providers.add(WebIdentityTokenFileCredentialsProvider.class.getName());
-                providers.add(ContainerCredentialsProvider.class.getName());
                 
providers.add(InstanceProfileCredentialsProvider.class.getName());
+                if (isWebIdentityConfigured()) {
+                    
providers.add(WebIdentityTokenFileCredentialsProvider.class.getName());
+                }
+                if (isContainerCredentialsConfigured()) {
+                    
providers.add(ContainerCredentialsProvider.class.getName());
+                }
                 if (includeAnonymousInDefault) {
                     
providers.add(AnonymousCredentialsProvider.class.getName());
                 }
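Review bot: The re-added entries change precedence as well as becoming conditional: `WebIdentityTokenFileCredentialsProvider` and `ContainerCredentialsProvider` are now appended after `InstanceProfileCredentialsProvider`, where the removed lines placed them before it. If this list is evaluated in order (it appears to feed `fs.s3a.aws.credentials.provider`, judging by the test changed in this commit), a pod or task that has its own role on a host with reachable instance metadata would resolve the host's instance role instead of its own. If the reorder is meant to match the v1 and v2 chains, which already list the instance profile first, a comment such as `// instance profile deliberately takes precedence over web identity and container credentials` would record that; otherwise keep the two conditional blocks ahead of the `InstanceProfileCredentialsProvider` line. The enclosing method starts and ends outside this hunk.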
diff --git 
a/fe/fe-core/src/test/java/org/apache/doris/datasource/property/storage/S3PropertiesTest.java
 
b/fe/fe-core/src/test/java/org/apache/doris/datasource/property/storage/S3PropertiesTest.java
index 755795cca94..1882019127c 100644
--- 
a/fe/fe-core/src/test/java/org/apache/doris/datasource/property/storage/S3PropertiesTest.java
+++ 
b/fe/fe-core/src/test/java/org/apache/doris/datasource/property/storage/S3PropertiesTest.java
@@ -275,7 +275,7 @@ public class S3PropertiesTest {
         provider = s3Props.getAwsCredentialsProvider();
         Assertions.assertNotNull(provider);
         Assertions.assertTrue(provider instanceof AwsCredentialsProviderChain);
-        
Assertions.assertEquals("software.amazon.awssdk.auth.credentials.EnvironmentVariableCredentialsProvider,software.amazon.awssdk.auth.credentials.SystemPropertyCredentialsProvider,software.amazon.awssdk.auth.credentials.WebIdentityTokenFileCredentialsProvider,software.amazon.awssdk.auth.credentials.ContainerCredentialsProvider,software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider,software.amazon.awssdk.auth.credentials.AnonymousCredentialsProvider",
 s3Props.get [...]
+        
Assertions.assertEquals("software.amazon.awssdk.auth.credentials.EnvironmentVariableCredentialsProvider,software.amazon.awssdk.auth.credentials.SystemPropertyCredentialsProvider,software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider,software.amazon.awssdk.auth.credentials.AnonymousCredentialsProvider",
 s3Props.getHadoopStorageConfig().get("fs.s3a.aws.credentials.provider"));
 
     }
 
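Review bot: The new expected string only holds when none of `AWS_ROLE_ARN`, `AWS_WEB_IDENTITY_TOKEN_FILE`, `AWS_CONTAINER_CREDENTIALS_FULL_URI` and `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` is set in the test JVM's environment, so this assertion now depends on where the test runs. On a build agent that itself uses web-identity or container credentials the provider list gains entries and the comparison fails. Neither conditional branch is exercised by a test in this commit either. Consider letting the factory take the environment lookup as a parameter (for example a `Function<String, String>` defaulting to `System::getenv`) so the test can pin both the configured and the unconfigured list. The test method starts outside this hunk.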
diff --git 
a/regression-test/suites/aws_iam_role_p0/test_catalog_instance_profile.groovy 
b/regression-test/suites/aws_iam_role_p0/test_catalog_instance_profile.groovy
index f8877929b96..f21ec3dd4d6 100644
--- 
a/regression-test/suites/aws_iam_role_p0/test_catalog_instance_profile.groovy
+++ 
b/regression-test/suites/aws_iam_role_p0/test_catalog_instance_profile.groovy
@@ -22,7 +22,7 @@ suite("test_catalog_instance_profile_with_role") {
     if 
(Strings.isNullOrEmpty(context.config.otherConfigs.get("hiveGlueInstanceProfileQueryTableName")))
 {
         return
     }
-    
+    sql """ ADMIN SET FRONTEND CONFIG 
("aws_credentials_provider_version"="v2"); """
     String hiveGlueQueryTableName = 
context.config.otherConfigs.get("hiveGlueInstanceProfileQueryTableName")
     String hiveGlueExpectCounts = 
context.config.otherConfigs.get("hiveGlueInstanceProfileExpectCounts")
     String icebergFsQueryTableName = 
context.config.otherConfigs.get("icebergFsInstanceProfileQueryTableName")
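Review bot: The added `ADMIN SET FRONTEND CONFIG ("aws_credentials_provider_version"="v2")` changes a frontend-wide setting, and nothing visible in this suite restores it, so suites that run afterwards inherit v2. `test_tvf_anonymous.groovy` in this same commit comments out its own `"v1"` line, which leaves that suite running against whatever value was set last. I would read the current value first and restore it in a `finally` block, and in the anonymous suite either set the version explicitly or delete the commented-out statement and its orphaned `//aws_credentials_provider_version` comment. The suite body continues outside this hunk.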
@@ -43,11 +43,12 @@ suite("test_catalog_instance_profile_with_role") {
         assertTrue(countValue == expectCounts.toInteger())
         sql """drop catalog if exists ${catalogName}"""
     }
-    def assertCatalogAndQueryException = { catalogProps, catalogName, errMsg ->
+    def assertCatalogAndQueryException = { catalogProps, catalogName, 
queryTableName ->
         sql """drop catalog if exists ${catalogName}"""
         sql """
             ${catalogProps}
         """
+        boolean failed = false
         try {
             sql """
          switch ${catalogName};
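Review bot: `assertCatalogAndQueryException` now passes on any exception at all: this hunk swaps the `errMsg` parameter for `queryTableName`, and the next hunk replaces `assertTrue(e.getMessage().contains(errMsg))` with `failed = true`. A wrong table name, a missing catalog or a network error would satisfy the `CONTAINER` negative cases just as well as a credentials failure, so the test no longer shows that access was refused because container credentials are absent. If the message wording differs between provider versions, a looser check such as `assertTrue(e.getMessage().toLowerCase().contains("credential"))` would still tie the failure to credential resolution; the exact text to match needs confirming against both versions. The closure ends in the following hunk.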
@@ -55,22 +56,25 @@ suite("test_catalog_instance_profile_with_role") {
             sql """
                 show databases;
                """
-            throw new Exception("Expected exception was not thrown")
+            sql """
+             select count(1) from ${catalogName}.${queryTableName};
+            """
         }catch (Exception e){
-            assertTrue(e.getMessage().contains(errMsg))
+            failed = true
         }
+        assertTrue(failed)
     }
     String hiveGlueCatalogProps = """
-        create catalog hive_glue_catalog properties(
+        create catalog hive_glue_catalog_instance_profile properties(
             "type"="hms",
             "hive.metastore.type"="glue",
             "glue.region"="${region}",
             "glue.endpoint" = "https://glue.${region}.amazonaws.com";
         );
     """
-    createCatalogAndQuery(hiveGlueCatalogProps, "hive_glue_catalog", 
hiveGlueQueryTableName, hiveGlueExpectCounts)
+    createCatalogAndQuery(hiveGlueCatalogProps, 
"hive_glue_catalog_instance_profile", hiveGlueQueryTableName, 
hiveGlueExpectCounts)
     hiveGlueCatalogProps = """
-        create catalog hive_glue_catalog properties(
+        create catalog hive_glue_catalog_instance_profile properties(
             "type"="hms",
             "hive.metastore.type"="glue",
             "glue.credentials_provider_type"="INSTANCE_PROFILE",
@@ -78,9 +82,9 @@ suite("test_catalog_instance_profile_with_role") {
             "glue.endpoint" = "https://glue.${region}.amazonaws.com";
         );
     """
-    createCatalogAndQuery(hiveGlueCatalogProps, "hive_glue_catalog", 
hiveGlueQueryTableName, hiveGlueExpectCounts)
+    createCatalogAndQuery(hiveGlueCatalogProps, 
"hive_glue_catalog_instance_profile", hiveGlueQueryTableName, 
hiveGlueExpectCounts)
     hiveGlueCatalogProps = """
-        create catalog hive_glue_catalog properties(
+        create catalog hive_glue_catalog_instance_profile properties(
             "type"="hms",
             "hive.metastore.type"="glue",
             "glue.credentials_provider_type"="CONTAINER",
@@ -88,9 +92,9 @@ suite("test_catalog_instance_profile_with_role") {
             "glue.endpoint" = "https://glue.${region}.amazonaws.com";
         );
     """
-    assertCatalogAndQueryException(hiveGlueCatalogProps,"hive_glue_catalog", 
"The environment variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
+    
assertCatalogAndQueryException(hiveGlueCatalogProps,"hive_glue_catalog_instance_profile",
 hiveGlueQueryTableName)
     String icebergFsCatalogProps = """
-        create catalog iceberg_fs_catalog properties(
+        create catalog iceberg_fs_catalog_instance_profile properties(
             "type"="iceberg",
             "warehouse"="${icebergFsWarehouse}",
             "iceberg.catalog.type"="hadoop",
@@ -98,9 +102,9 @@ suite("test_catalog_instance_profile_with_role") {
             "s3.endpoint" = "https://s3.${region}.amazonaws.com";
         );
     """
-    createCatalogAndQuery(icebergFsCatalogProps, "iceberg_fs_catalog", 
icebergFsQueryTableName, icebergFsExpectCounts)
+    createCatalogAndQuery(icebergFsCatalogProps, 
"iceberg_fs_catalog_instance_profile", icebergFsQueryTableName, 
icebergFsExpectCounts)
     icebergFsCatalogProps = """
-        create catalog iceberg_fs_catalog properties(
+        create catalog iceberg_fs_catalog_instance_profile properties(
             "type"="iceberg",
             "warehouse"="${icebergFsWarehouse}",
             "iceberg.catalog.type"="hadoop",
@@ -109,9 +113,9 @@ suite("test_catalog_instance_profile_with_role") {
             "s3.endpoint" = "https://s3.${region}.amazonaws.com";
         );
     """
-    createCatalogAndQuery(icebergFsCatalogProps, "iceberg_fs_catalog", 
icebergFsQueryTableName, icebergFsExpectCounts)
+    createCatalogAndQuery(icebergFsCatalogProps, 
"iceberg_fs_catalog_instance_profile", icebergFsQueryTableName, 
icebergFsExpectCounts)
     icebergFsCatalogProps = """
-        create catalog iceberg_fs_catalog properties(
+        create catalog iceberg_fs_catalog_instance_profile properties(
             "type"="iceberg",
             "warehouse"="${icebergFsWarehouse}",
             "iceberg.catalog.type"="hadoop",
@@ -120,6 +124,6 @@ suite("test_catalog_instance_profile_with_role") {
             "s3.endpoint" = "https://s3.${region}.amazonaws.com";
         );
     """
-    assertCatalogAndQueryException(icebergFsCatalogProps,"iceberg_fs_catalog", 
"No AWS Credentials provided by ContainerCredentialsProvider")
+    
assertCatalogAndQueryException(icebergFsCatalogProps,"iceberg_fs_catalog_instance_profile",icebergFsQueryTableName)
     
 }
diff --git a/regression-test/suites/aws_iam_role_p0/test_tvf_anonymous.groovy 
b/regression-test/suites/aws_iam_role_p0/test_tvf_anonymous.groovy
index 0437f446c26..7b2d019b6cb 100644
--- a/regression-test/suites/aws_iam_role_p0/test_tvf_anonymous.groovy
+++ b/regression-test/suites/aws_iam_role_p0/test_tvf_anonymous.groovy
@@ -27,13 +27,14 @@ suite("test_tvf_anonymous") {
     def uri = context.config.otherConfigs.get("anymousS3Uri")
     def expectDataCount = 
context.config.otherConfigs.get("anymousS3ExpectDataCount");
     //aws_credentials_provider_version
-    sql """ ADMIN SET FRONTEND CONFIG 
("aws_credentials_provider_version"="v1"); """
+   // sql """ ADMIN SET FRONTEND CONFIG 
("aws_credentials_provider_version"="v1"); """
 
     def result = sql """
         SELECT count(1) FROM S3 (                  
         "uri"="${uri}",
          "format" = "csv",     
           "s3.region" = "${region}",  
+           "s3.credentials_provider_type"="ANONYMOUS",
            "s3.endpoint" = "https://s3.${region}.amazonaws.com";, 
            "column_separator" = ","              );
         """
@@ -47,6 +48,7 @@ suite("test_tvf_anonymous") {
         "uri"="${uri}",
          "format" = "csv",     
           "s3.region" = "${region}",  
+           "s3.credentials_provider_type"="ANONYMOUS",
            "s3.endpoint" = "https://s3.${region}.amazonaws.com";, 
            "column_separator" = ","              );
         """

