[
https://issues.apache.org/jira/browse/HADOOP-17077?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18044786#comment-18044786
]
ASF GitHub Bot commented on HADOOP-17077:
-----------------------------------------
github-actions[bot] closed pull request #2083: HADOOP-17077. S3A delegation
token binding to support secondary binding list
URL: https://github.com/apache/hadoop/pull/2083
> S3A delegation token binding to support secondary binding list
> --------------------------------------------------------------
>
> Key: HADOOP-17077
> URL: https://issues.apache.org/jira/browse/HADOOP-17077
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: fs/s3
> Affects Versions: 3.3.0
> Reporter: Steve Loughran
> Assignee: Steve Loughran
> Priority: Major
> Labels: pull-request-available
>
> (follow-on from HADOOP-17050)
> Add the ability of an S3A FS instance to support multiple instances of
> delegation token bindings.
> The property "fs.s3a.delegation.token.secondary.bindings" will list the
> classnames of all secondary bindings.
> For each one, an instance shall be created with the canonical service name
> being: fs URI + [ tokenKind ]. This is to ensure that the URIs are unique for
> each FS instance, but also that a single fs instance can have multiple tokens
> in the credential list.
> The instance is just an AbstractDelegationTokenBinding provider of an AWS
> credential provider chain, with the normal lifecycle and operations to bind
> to a DT, issue tokens, etc.
> * The final list of AWS Credential providers will be built by appending those
> provided by each binding in turn.
> Token binding at launch
> If the primary token binding binds to a delegation token, then the whole
> binding is changed such that all secondary tokens MUST also bind. That is: it
> will be an error if one cannot be found. This is possibly overstrict, but it
> avoids situations where an incomplete set of tokens is retrieved and this
> does not surface until later.
> Only the encryption secrets in the primary DT will be used for FS encryption
> settings.
> Testing: yes.
> Probably also by adding a test-only DT provider which doesn't actually issue
> any real credentials and so which can be deployed in both ITests and staging
> tests where we can verify that the chained instantiation works.
> Compatibility: the goal is to be backwards compatible with any already
> released token provider plugin.
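The launch-time rule in the issue description, modelled as an added example; it is not part of the issue, the pull request or the Hadoop code base. The `Binding` type, the function names, the token kinds, the provider names and the exact `fs URI[tokenKind]` string layout are assumptions made for illustration.

```python
from dataclasses import dataclass


class TokenBindingError(Exception):
    """Raised when a required delegation token is missing at launch."""


@dataclass(frozen=True)
class Binding:
    kind: str         # token kind issued by this binding (constructed values)
    providers: tuple  # AWS credential providers this binding contributes


def service_name(fs_uri, binding, primary):
    # The primary keeps the plain FS URI; each secondary gets
    # "fs URI + [ tokenKind ]" so one FS can hold several tokens.
    return fs_uri if primary else f"{fs_uri}[{binding.kind}]"


def bind_at_launch(fs_uri, primary, secondaries, credentials):
    """credentials maps canonical service name -> token (a dict in this model)."""
    # Provider chain: primary first, then each secondary in listed order.
    chain = [p for b in (primary, *secondaries) for p in b.providers]
    primary_token = credentials.get(service_name(fs_uri, primary, True))
    if primary_token is None:
        # No primary DT: the strict rule is not triggered (unbound lifecycle).
        return {"bound": False, "providers": chain, "encryption": None}
    # Primary bound: every secondary MUST also find its token, so fail closed
    # here instead of surfacing a missing credential later in the job.
    names = [service_name(fs_uri, b, False) for b in secondaries]
    missing = [n for n in names if n not in credentials]
    if missing:
        raise TokenBindingError("no delegation token for: " + ", ".join(missing))
    # Only the primary token's encryption secrets configure the filesystem.
    return {"bound": True, "providers": chain,
            "encryption": primary_token.get("encryption")}


# Constructed sample data.
FS = "s3a://example-bucket"
PRIMARY = Binding("PrimaryKind", ("PrimaryProvider",))
SECONDARIES = [Binding("KindA", ("ProviderA",)),
               Binding("KindB", ("ProviderB1", "ProviderB2"))]
COMPLETE = {FS: {"encryption": "primary-secrets"},
            f"{FS}[KindA]": {"encryption": "ignored"},
            f"{FS}[KindB]": {}}
INCOMPLETE = {k: v for k, v in COMPLETE.items() if k != f"{FS}[KindB]"}
```
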