GitHub user michaelkoepf edited a comment on the discussion: [Roadmap] Planning 0.9 Release
hi. @wuchong i think i can also answer it.

@ka-steve #1245 introduces the ability to configure fluss so that each component authenticates itself separately via its own credentials/credential providers, rather than relying on those distributed by the fluss server. this includes authentication via aws credential providers that use temporary aws credentials (e.g., `org.apache.hadoop.fs.s3a.auth.IAMInstanceCredentialsProvider`). in other words, if all fluss components (server/client) run on aws, #1245 allows each component to authenticate itself _separately_ using _temporary credentials_.

currently, fluss relies on token delegation and does not support separate authentication for each component. this is because the server attempts to obtain a security token via sts using its access key and secret (embedded long term credentials), see [here](https://github.com/apache/fluss/blob/ae84521aaaef5448a0bc5a63fc83e6ca536ca452/fluss-filesystems/fluss-fs-s3/src/main/java/org/apache/fluss/fs/s3/token/S3DelegationTokenProvider.java#L73). the client expects to receive a security token from the server on _initialization_ of the file system and fails if there is no token, see [here](https://github.com/apache/fluss/blob/ae84521aaaef5448a0bc5a63fc83e6ca536ca452/fluss-filesystems/fluss-fs-obs/src/main/java/org/apache/fluss/fs/obs/token/OBSSecurityTokenReceiver.java#L66).

further details are also available in the updated documentation for #1245, see [here](https://github.com/apache/fluss/blob/2c7731b89381eee2d665a0f786065b0cffdc9e60/website/docs/maintenance/filesystems/s3.md).

GitHub link: https://github.com/apache/fluss/discussions/1911#discussioncomment-15052300
