Make the DEFAULT_SESSION value thread safe.

[jdufresne]

The default configuration of mod_wsgi is to run 15 threads under 1
process. When using boto3 in this configuration, accessing the
DEFAULT_SESSION is not thread safe and can lead to runtime errors. To
handle this use case, protect the default session using
threading.local().

Fixes #801

[jamesls]

Thanks for the pull request.

One subtlety with this change is that any code that's properly protecting access to the session via their own locking mechanism might have breaking behavior. Code that's using setup_default_session() in one thread to configure a session and creating clients/resources in another thread will no longer work as expected.

I think this is in a grey area of constituting a breaking change, so it's probably worth more discussion.

[jdufresne]

For reference, the issue also came up boto/botocore#577.

[jamesls]

Yep I remember that issue. I would like to address this, my main concern is doing this in a backwards compatible way. I think switching to TLS could cause subtle unexpected changes in behavior.

Just throwing another idea out there: What about just locking the create_client calls in botocore? We'd likely need to lock a good portion of the public methods in botocore.session.Session, but that seems like it's less likely to impact people while still solving the problem of thread safety.

Thoughts?

[jdufresne]

@jamesls Makes sense to me. I've taken a go at your suggestion in PR boto/botocore#1033 All feedback welcome. Feel free to close this PR if you prefer that approach.