[
https://issues.apache.org/jira/browse/KNOX-1204?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16398814#comment-16398814
]
Larry McCay edited comment on KNOX-1204 at 3/14/18 4:10 PM:
------------------------------------------------------------
Hi [[email protected]] - I haven't quite decided whether to use S3A for this
yet.
There are very obvious reasons why it would be a good idea to do so.
My current POC work around it is very simple and leverages the Java S3 SDK
directly and may or may not be sufficient in the near term.
I am not sure that we can simply proxy S3A at all; we would need to do what I
have done in the current POC and wrap the use of the S3A fs in a Jersey service
hosted by Knox rather than proxying to another service.
Is that what you mean by "interesting"?
was (Author: lmccay):
Hi [[email protected]] - I haven't quite decided whether to use S3A for this
yet.
There are very obvious reasons why it would be a good idea to do so.
My current POC work around it very simple and leverages the Java S3 SDK
directly and may or may not be sufficient in the near term.
I am not sure that we can simply proxy S3A at all; we would need to do what I
have done in the current POC and wrap the use of the S3A fs in a Jersey service
hosted by Knox rather than proxying to another service.
Is that what you mean by "interesting"?
> KIP-11 - S3 Access through Knox API
> -----------------------------------
>
> Key: KNOX-1204
> URL: https://issues.apache.org/jira/browse/KNOX-1204
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Reporter: Larry McCay
> Assignee: Larry McCay
> Priority: Major
> Fix For: 1.1.0
>
>
> h1. UC-5: S3 Integration
> While the Knox WebHDFS integration may still work for many cloud deployments,
> it does seem like a gap that there is no way to move files in and out of S3
> or other cloud storage mechanisms through Knox.
> We can actually combine UC-2 above to acquire temporary credentials on behalf
> of the authenticated users. We would request the IAM role and permissions
> that are appropriate for the user and their group memberships in order to
> access buckets protected with IAM roles. We could also combine with UC-4
> above to have encrypted files put into S3 that will only be able to be
> decrypted on-prem.
> It would require Knox to be granted permission in a given cloud deployment to
> make STS calls and may require AWS credentials for the Knox user to be an IAM
> role. We may also be able to assumeRole to the needed role for STS access.
> It will also require a Jersey service hosted in Knox to put files into S3
> (Knox3?) or we can create a pluggable backend and make it a more generic
> object store API.