
HADOOP-19201. S3A. Support external-id in assume role (#6876)

The option fs.s3a.assumed.role.external.id sets the
external ID passed on AssumeRole calls to the STS service

Contributed by Smith Cruise
Smith Cruise 7 月之前
父节点
当前提交
87d9bb6022

+ 5 - 0
hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/Constants.java

@@ -94,6 +94,11 @@ public final class Constants {
   public static final String ASSUMED_ROLE_ARN =
       "fs.s3a.assumed.role.arn";
 
+  /**
+   * external id for assume role request: {@value}.
+   */
+  public static final String ASSUMED_ROLE_EXTERNAL_ID = "fs.s3a.assumed.role.external.id";
+
   /**
    * Session name for the assumed role, must be valid characters according
    * to the AWS APIs: {@value}.
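Review bot: The Javadoc on the new ASSUMED_ROLE_EXTERNAL_ID constant states only "external id for assume role request", while the neighbouring constants in this class spell out what the value is used for and any constraints on it. Suggest `Optional external ID sent as the ExternalId of the STS AssumeRole request; unset or empty means none is sent: {@value}.` so a reader of Constants.java does not need to open AssumedRoleCredentialProvider to learn that the option is optional.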

+ 5 - 0
hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/AssumedRoleCredentialProvider.java

@@ -125,6 +125,7 @@ public final class AssumedRoleCredentialProvider implements AwsCredentialsProvid
     duration = conf.getTimeDuration(ASSUMED_ROLE_SESSION_DURATION,
         ASSUMED_ROLE_SESSION_DURATION_DEFAULT, TimeUnit.SECONDS);
     String policy = conf.getTrimmed(ASSUMED_ROLE_POLICY, "");
+    String externalId = conf.getTrimmed(ASSUMED_ROLE_EXTERNAL_ID, "");
 
     LOG.debug("{}", this);
 
@@ -132,6 +133,10 @@ public final class AssumedRoleCredentialProvider implements AwsCredentialsProvid
         AssumeRoleRequest.builder().roleArn(arn).roleSessionName(sessionName)
             .durationSeconds((int) duration);
 
+    if (StringUtils.isNotEmpty(externalId)) {
+      requestBuilder.externalId(externalId);
+    }
+
     if (StringUtils.isNotEmpty(policy)) {
       LOG.debug("Scope down policy {}", policy);
       requestBuilder.policy(policy);
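Review bot: The external ID read in the first hunk lives only in a local, so the `LOG.debug("{}", this)` that follows it, and whatever toString() prints elsewhere in the class, cannot show whether an external ID was applied; an STS access-denied caused by a mismatched external ID is then hard to distinguish from a trust-policy problem. The second hunk already logs the scope-down policy when one is set, so the new branch should do the same for presence only: `LOG.debug("Using external ID in assume role request");` inside the `if (StringUtils.isNotEmpty(externalId))` block, leaving the value itself out of the log. The enclosing method (presumably the constructor) begins before the first hunk and continues past the second.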

+ 8 - 0
hadoop-tools/hadoop-aws/src/site/markdown/tools/hadoop-aws/assumed_roles.md

@@ -153,6 +153,14 @@ Here are the full set of configuration options.
   </description>
 </property>
 
+<property>
+  <name>fs.s3a.assumed.role.external.id</name>
+  <value>arbitrary value, specific by user in AWS console</value>
+  <description>
+    External id for assumed role, it's an optional configuration. "https://aws.amazon.com/cn/blogs/security/how-to-use-external-id-when-granting-access-to-your-aws-resources/"
+  </description>
+</property>
+
 <property>
   <name>fs.s3a.assumed.role.policy</name>
   <value/>