[ https://issues.apache.org/jira/browse/HADOOP-14556?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16703063#comment-16703063 ]
Steve Loughran commented on HADOOP-14556:
-----------------------------------------
One other comment on [~elgoiri]'s feedback
> IAMInstanceCredentialsProvider#getCredentials leaves comments behind.
I actually switched to the commented one, which wraps the exception raised by
the IAM provider.
Why so? The default error message you get in the absence of any credentials is
the "cannot connect to 169.xx.xx.xx" error from the IAM provider which cannot
talk to the IAM server. Because we have that on the default chain, and unless
you are in an EC2 deployment (where it will never fail as you always get the
VM's credentials), it is guaranteed to fail. So I'm wrapping that as an
{{NoAwsCredentialsException}} as that's what it means. The error raising in
{{AWSCredentialProviderList}} is tweaked to move from throwing the last
exception to "the most recent exception which isn't just a
{{NoAwsCredentialsException}}".
That means if you have an auth chain where your DT plugin is failing for a
complex reason, that failure gets thrown, even if you have a fallback chain of
other things afterwards (env vars, etc.)
> S3A to support Delegation Tokens
> --------------------------------
>
> Key: HADOOP-14556
> URL: https://issues.apache.org/jira/browse/HADOOP-14556
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: fs/s3
> Affects Versions: 3.2.0
> Reporter: Steve Loughran
> Assignee: Steve Loughran
> Priority: Major
> Attachments: HADOOP-14556-001.patch, HADOOP-14556-002.patch,
> HADOOP-14556-003.patch, HADOOP-14556-004.patch, HADOOP-14556-005.patch,
> HADOOP-14556-007.patch, HADOOP-14556-008.patch, HADOOP-14556-009.patch,
> HADOOP-14556-010.patch, HADOOP-14556-010.patch, HADOOP-14556-011.patch,
> HADOOP-14556-012.patch, HADOOP-14556-013.patch, HADOOP-14556-014.patch,
> HADOOP-14556-015.patch, HADOOP-14556-016.patch, HADOOP-14556-017.patch,
> HADOOP-14556-018a.patch, HADOOP-14556-019.patch, HADOOP-14556-020.patch,
> HADOOP-14556-021.patch, HADOOP-14556-022.patch, HADOOP-14556-023.patch,
> HADOOP-14556.oath-002.patch, HADOOP-14556.oath.patch
>
>
> S3A to support delegation tokens where
> * an authenticated client can request a token via
> {{FileSystem.getDelegationToken()}}
> * Amazon's token service is used to request short-lived session secret & id;
> these will be saved in the token and marshalled with jobs
> * A new authentication provider will look for a token for the current user
> and authenticate the user if found
> This will not support renewals; the lifespan of a token will be limited to
> the initial duration. Also, as you can't request an STS token from a
> temporary session, IAM instances won't be able to issue tokens.
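The exception-selection rule described in the comment above, sketched in Java as an added example; it is not Hadoop's code or any of the attached patches. `resolve`, the local `NoCredentialsException` class and the two constructed providers are hypothetical stand-ins for the provider list and exception the comment names.

```java
import java.util.List;
import java.util.function.Supplier;

public class CredentialChainDemo {
    /** Stand-in for "this provider simply has no credentials to offer". */
    static class NoCredentialsException extends RuntimeException {
        NoCredentialsException(String msg, Throwable cause) { super(msg, cause); }
    }

    /** Try each provider in order and return the first credentials found. */
    static String resolve(List<Supplier<String>> providers) {
        RuntimeException significant = null; // latest failure that is a real error
        RuntimeException last = null;        // latest failure of any kind
        for (Supplier<String> provider : providers) {
            try {
                return provider.get();
            } catch (NoCredentialsException e) {
                last = e;                    // expected miss: remember it, keep going
            } catch (RuntimeException e) {
                last = e;
                significant = e;             // real failure: prefer reporting this one
            }
        }
        if (significant != null) throw significant;
        if (last != null) throw last;
        throw new NoCredentialsException("no providers configured", null);
    }

    public static void main(String[] args) {
        // Constructed providers: a token plugin that fails for a real reason,
        // followed by an instance-metadata lookup that fails off EC2.
        Supplier<String> tokenPlugin = () -> {
            throw new IllegalStateException("delegation token could not be decoded");
        };
        Supplier<String> instanceMetadata = () -> {
            // The connection error is wrapped as "no credentials", keeping the cause.
            throw new NoCredentialsException("no instance credentials",
                new RuntimeException("cannot connect to instance metadata endpoint"));
        };
        try {
            resolve(List.of(tokenPlugin, instanceMetadata));
        } catch (RuntimeException e) {
            // The reported failure is the most recent one that is not a plain miss.
            System.out.println(e.getClass().getSimpleName() + ": " + e.getMessage());
        }
    }
}
```

With only the instance-metadata provider in the list, `resolve` falls back to rethrowing the wrapped miss, so the original connection error is still reachable through `getCause()`.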