Get PrestoS3FileSystem to work with the AWS Default Credentials Provider #741
Conversation
| } | ||
|
|
||
| throw new RuntimeException("S3 credentials not configured"); | ||
| return Optional.empty(); |
There was a problem hiding this comment.
Why not com.amazonaws.auth.DefaultAWSCredentialsProviderChain#getInstance?
Then you perhaps wouldn't need the other changes, like making it Optional.
There was a problem hiding this comment.
I did this to be consistent with the Glue client, but can make this change.
There was a problem hiding this comment.
Agreed. This is what the client does internally:
private AWSCredentialsProvider resolveCredentials() {
return (credentials == null) ? DefaultAWSCredentialsProviderChain.getInstance() : credentials;
}Not setting credentials results in it being null.
There was a problem hiding this comment.
Thanks, I will get rid of the Optional.
| @@ -155,7 +156,7 @@ public void testAssumeRoleCredentials() | |||
| } | |||
| } | |||
|
|
|||
| @Test(expectedExceptions = RuntimeException.class, expectedExceptionsMessageRegExp = "S3 credentials not configured") | |||
| @Test | |||
| public void testInstanceCredentialsDisabled() | |||
There was a problem hiding this comment.
Please rename the test method to eg testDefaultCredentials.
| @@ -243,8 +243,11 @@ public void close() | |||
| { | |||
| try (Closer closer = Closer.create()) { | |||
| closer.register(super::close); | |||
| if (credentialsProvider instanceof Closeable) { | |||
| closer.register((Closeable) credentialsProvider); | |||
| if (credentialsProvider.isPresent()) { | |||
There was a problem hiding this comment.
@findepi has a good point about not needing Optional. But a general FYI, you can simplify code like this using ifPresent:
credentialsProvider.ifPresent(provider -> {
if (provider instanceof Closeable) { ... }
});
presto-hive/src/main/java/io/prestosql/plugin/hive/s3/PrestoS3FileSystem.java
Outdated
Show resolved
Hide resolved
| } | ||
|
|
||
| throw new RuntimeException("S3 credentials not configured"); | ||
| return Optional.empty(); |
There was a problem hiding this comment.
Agreed. This is what the client does internally:
private AWSCredentialsProvider resolveCredentials() {
return (credentials == null) ? DefaultAWSCredentialsProviderChain.getInstance() : credentials;
}Not setting credentials results in it being null.
| @@ -744,27 +748,27 @@ private AmazonS3 createAmazonS3Client(Configuration hadoopConfig, ClientConfigur | |||
| } | |||
| } | |||
|
|
|||
| private AWSCredentialsProvider createAwsCredentialsProvider(URI uri, Configuration conf) | |||
| private Optional<AWSCredentialsProvider> createAwsCredentialsProvider(URI uri, Configuration conf) | |||
There was a problem hiding this comment.
What about access to Glue Metastore?
I think io.prestosql.plugin.hive.s3.PrestoS3FileSystem#createAwsCredentialsProvider should be extracted, properly parametrized and also used in io.prestosql.plugin.hive.metastore.glue.GlueHiveMetastore#createAsyncGlueClient
There was a problem hiding this comment.
I will fix it too. I would rather avoid factoring them in because a customer should be able to use different AWS accounts for each of these.
There was a problem hiding this comment.
customer should be able to use different AWS accounts for each of these.
That should be the case anyway. What I meant is that IAM feature toggles should be similar for both S3 and Glue to avoid confusion
|
Updated the PR incorporating review feedback. |
| @@ -764,7 +765,8 @@ private AWSCredentialsProvider createAwsCredentialsProvider(URI uri, Configurati | |||
| return getCustomAWSCredentialsProvider(uri, conf, providerClass); | |||
| } | |||
|
|
|||
| throw new RuntimeException("S3 credentials not configured"); | |||
| // No credentials configured. Fall back to the default credentials provider. | |||
There was a problem hiding this comment.
In https://github.com/prestosql/presto/pull/741/files#diff-2902dc1ae71e318999f5a777a0e0176fR155 you didn't find the comment necessary. I think it's not necessary here as well.
|
|
||
| return asyncGlueClientBuilder.build(); | ||
| else { | ||
| credentialsProvider = new DefaultAWSCredentialsProviderChain(); |
There was a problem hiding this comment.
You should probably call DefaultAWSCredentialsProviderChain.getInstance()
(then you should rename the method to getAwsCredentialsProvider, the same way it was in s3 code)
| @@ -168,19 +169,28 @@ else if (config.getPinGlueClientToCurrentRegion()) { | |||
| } | |||
| } | |||
|
|
|||
| AWSCredentialsProvider credentialsProvider = createAwsCredentialsProvider(config); | |||
| asyncGlueClientBuilder.setCredentials(credentialsProvider); | |||
There was a problem hiding this comment.
please inline credentialsProvider variable and (optionally) add a blank line before final return
|
|
||
| private static AWSCredentialsProvider createAwsCredentialsProvider(GlueHiveMetastoreConfig config) | ||
| { | ||
| AWSCredentialsProvider credentialsProvider; |
There was a problem hiding this comment.
There is no need for this variable. Just return in each if block. Then, don't use else (will become redundant).
There was a problem hiding this comment.
In general, I like reducing the independent paths (cyclomatic complexity), but don't mind making the change.
…Default Credentials Provider DefaultAWSCredentialsProviderChain is frequently used by AWS customers and it provides access from a documented list of sources. This especially makes it easier to run Presto on non-EC2 hosts where you don't have the instance profile. (e.g. Macs, during development). This change also makes PrestoS3FileSystem to be consistent with the Glue connector in Presto. See: https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/auth/DefaultAWSCredentialsProviderChain.html
|
I think I've incorporated all comments. Let me know if there is more feedback. |
|
@sopel39 Done. Not sure if it's in the right format, please feel free to edit. |
Cherry-pick of trinodb/trino#1363, trinodb/trino#741 and trinodb/trino#3689 Add config hive.metastore.glue.aws-credentials-provider for glue credential provider. where value is fully qualified class name of custom aws credential provider implementation. Co-authored-by: Li Yu <[email protected]> Co-authored-by: Anoop Johnson <[email protected]> Co-authored-by: Ashhar Hasan <[email protected]>
Cherry-pick of trinodb/trino#741 DefaultAWSCredentialsProviderChain is frequently used by AWS customers and it provides access from a documented list of sources. This especially makes it easier to run Presto on non-EC2 hosts where you don't have the instance profile. (e.g. Macs, during development). This change also makes PrestoS3FileSystem to be consistent with the Glue connector in Presto. Co-authored-by: Anoop Johnson <[email protected]>
DefaultAWSCredentialsProviderChain is frequently used by AWS customers
and it provides access from a documented list of sources. This
especially makes it easier to run Presto on non-EC2 hosts where you
don't have the instance profile. (e.g. Macs, during development). This
change also makes PrestoS3FileSystem to be consistent with the Glue connector
in Presto.
See:
https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/auth/DefaultAWSCredentialsProviderChain.html
Fixes #625