Added proper authentication for S3 client #16856
Please also add some short docs to the PR description: which auth methods we declare as supported, the order in which they are checked, and a link to the official AWS docs.
…)`." This reverts commit 683c5a4d7c0d6ac2411671b1784b1b171fa4ec1b.
These things may improve readability, so they really are optional and it is up to you
@@ -85,15 +89,107 @@ class AWSLogger final : public Aws::Utils::Logging::LogSystemInterface | |||
std::unordered_map<String, Poco::Logger *> tag_loggers; | |||
}; | |||
|
|||
class S3CredentialsProviderChain : public Aws::Auth::AWSCredentialsProviderChain |
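Review bot: the declaration gives no hint why S3CredentialsProviderChain subclasses Aws::Auth::AWSCredentialsProviderChain rather than composing it; since the reason given in this thread is that the base class members it needs are protected, put a one-line comment on the class saying so, and list there the order in which providers are added (environment variables, ~/.aws, AssumeRole, container credentials, EC2 metadata), because the PR description is currently the only place that order is written down.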
Why not simply use a builder function for Aws::Auth::AWSCredentialsProviderChain instead of this inheritance?
Because it is protected.
: Aws::Client::AWSAuthV4Signer( | ||
std::make_shared<Aws::Auth::SimpleAWSCredentialsProvider>(credentials), | ||
std::make_shared<S3CredentialsProviderChain>( |
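Review bot: this initializer hard-wires S3CredentialsProviderChain as the signer's provider, so a caller cannot construct the signer with a plain static provider (for tests, or for an endpoint whose use_environment_credentials is off); take a std::shared_ptr<Aws::Auth::AWSCredentialsProvider> parameter instead and let the call site choose between a SimpleAWSCredentialsProvider and the chain, which also makes the "environment lookup failed, fall back to the endpoint's (possibly anonymous) credentials" path something a unit test can exercise directly.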
This constructor would also become less coupled if it consumed Aws::Auth::AWSCredentialsProvider
Integration tests (thread) for 3dd9554 detect something unexpected with the count of minio.list_objects(). I can't say for sure if it's absolutely unrelated.
Apart from that above, LGTM.
Checking that in 30b0c38

Same test failed in #17934 -- it flaps
I hereby agree to the terms of the CLA available at: https://yandex.ru/legal/cla/?lang=en
Changelog category (leave one):
Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):

Added proper authentication using environment, `~/.aws` and AssumeRole for S3 client. Global configuration file setting `s3.use_environment_credentials` turns on an attempt to retrieve credentials from the environment, and it can be granularly overridden in the endpoint/disk setting with the same name: `use_environment_credentials`. If the setting is on and credentials can not be retrieved from the environment, the credentials for the given endpoint/disk are used (possibly anonymous). Environment credentials are retrieved by the following procedure (default for AWS):

1. `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`;
2. `$HOME/.aws`;
3. AssumeRole;
4. `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`, or `AWS_CONTAINER_CREDENTIALS_FULL_URI` and `AWS_ECS_CONTAINER_AUTHORIZATION_TOKEN`;
5. EC2 instance metadata, if `AWS_EC2_METADATA_DISABLED` is not set to `true` (in any case).

If credentials are retrieved but they are wrong, ClickHouse will not try other ones.
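As an added example (not part of this PR or the ClickHouse repository), a server configuration that uses the settings described above: the global `s3.use_environment_credentials` switch is on, so the S3 disk carries no secret in the file and gets credentials from the instance role or environment, while a named endpoint that still needs explicit keys opts out of the environment lookup. The endpoint URLs, bucket, disk and endpoint names and the key values are placeholders, and the root element name (`<yandex>` at the time of this PR, `<clickhouse>` in later versions) depends on the server version.

```xml
<yandex>
    <s3>
        <!-- Global default: try environment credentials first, in the order
             described above (env vars, ~/.aws, AssumeRole, container
             credentials, EC2 metadata). -->
        <use_environment_credentials>true</use_environment_credentials>

        <!-- Named endpoint (placeholder name and URL) that overrides the
             global setting: the environment is not consulted and the
             explicit keys are used. Keeping secrets in the config file is
             the weaker option; prefer the disk below where possible. -->
        <legacy-bucket>
            <endpoint>https://s3.example-region.amazonaws.com/legacy-bucket/</endpoint>
            <access_key_id>PLACEHOLDER_ACCESS_KEY_ID</access_key_id>
            <secret_access_key>PLACEHOLDER_SECRET_ACCESS_KEY</secret_access_key>
            <use_environment_credentials>false</use_environment_credentials>
        </legacy-bucket>
    </s3>

    <storage_configuration>
        <disks>
            <!-- S3 disk with no static credentials: inherits the global
                 use_environment_credentials=true. If nothing is found in the
                 environment, the disk's own (empty, i.e. anonymous)
                 credentials are used, as the description states. -->
            <s3_main>
                <type>s3</type>
                <endpoint>https://s3.example-region.amazonaws.com/data-bucket/clickhouse/</endpoint>
            </s3_main>
        </disks>
    </storage_configuration>
</yandex>
```

Because a retrieved-but-wrong credential is not retried, a disk that unexpectedly picks up stale `AWS_*` variables from the server's environment fails rather than falling through to the anonymous path, so check the server's environment when an S3 disk starts returning access-denied after this change.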