openinx commented on code in PR #14443:
URL: https://github.com/apache/iceberg/pull/14443#discussion_r2583706915
##########
aliyun/src/main/java/org/apache/iceberg/aliyun/AliyunClientFactories.java:
##########
@@ -81,17 +88,82 @@ private static AliyunClientFactory loadClientFactory(
}
static class DefaultAliyunClientFactory implements AliyunClientFactory {
+ private static final Logger LOG =
LoggerFactory.getLogger(DefaultAliyunClientFactory.class);
private AliyunProperties aliyunProperties;
DefaultAliyunClientFactory() {}
+ /**
+ * Check if RRSA environment variables are present. RRSA requires
+ * ALIBABA_CLOUD_OIDC_PROVIDER_ARN, ALIBABA_CLOUD_ROLE_ARN and
ALIBABA_CLOUD_OIDC_TOKEN_FILE to
+ * be set.
+ */
+ boolean isRrsaEnvironmentAvailable() {
+ String oidcProviderArn =
System.getenv("ALIBABA_CLOUD_OIDC_PROVIDER_ARN");
+ String roleArn = System.getenv("ALIBABA_CLOUD_ROLE_ARN");
+ String oidcTokenFile = System.getenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE");
+ return oidcProviderArn != null
+ && !oidcProviderArn.isEmpty()
+ && roleArn != null
+ && !roleArn.isEmpty()
+ && oidcTokenFile != null
+ && !oidcTokenFile.isEmpty();
+ }
+
@Override
public OSS newOSSClient() {
Preconditions.checkNotNull(
aliyunProperties,
"Cannot create aliyun oss client before initializing the
AliyunClientFactory.");
- if (Strings.isNullOrEmpty(aliyunProperties.securityToken())) {
+ String endpoint = aliyunProperties.ossEndpoint();
+
+ // Check if RRSA environment is available
+ if (isRrsaEnvironmentAvailable()) {
+ try {
+ LOG.info(
+ "Detected RRSA environment variables, creating OSS client with
RRSA credentials for endpoint: {}",
+ endpoint);
+
+ // Use OIDCRoleArnCredentialProvider directly with built-in caching
and auto-refresh
+ final OIDCRoleArnCredentialProvider oidcProvider =
+ OIDCRoleArnCredentialProvider.builder().build();
+
+ CredentialsProvider ossCredProvider =
+ new CredentialsProvider() {
+ private volatile Credentials currentCredentials;
+
+ @Override
+ public void setCredentials(Credentials credentials) {}
+
+ @Override
+ public Credentials getCredentials() {
+ try {
+ LOG.debug("Getting credentials using RRSA");
+ // getCredentials() returns cached credentials and
auto-refreshes when needed
+ CredentialModel cred = oidcProvider.getCredentials();
+ long expirationSeconds = 0;
+ if (cred.getExpiration() > 0) {
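Review bot: Selecting RRSA purely on ambient environment variables at the `isRrsaEnvironmentAvailable()` check in `newOSSClient()` lets the pod environment silently take precedence over credentials the caller configured explicitly; the removed `Strings.isNullOrEmpty(aliyunProperties.securityToken())` branch was previously the first decision, and presumably is now reached only when those variables are absent, so an explicitly supplied access key or STS token would be ignored in favour of whatever role the environment exposes. Explicit configuration should win, or the override should at least be logged at WARN; e.g. gate the branch as `if (Strings.isNullOrEmpty(aliyunProperties.securityToken()) && isRrsaEnvironmentAvailable())`, extending the condition with the access-key accessor if `AliyunProperties` exposes one. The empty `setCredentials(Credentials)` override also discards caller-supplied credentials silently; a comment such as `// credentials come from RRSA only; values passed by the OSS SDK are intentionally ignored` or throwing `UnsupportedOperationException` would make that contract explicit. `newOSSClient()` and the anonymous provider's `getCredentials()` continue past the end of the quoted hunk, so whatever the enclosing `try` falls back to on failure is not visible here.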
Review Comment:
And the key problem is: what if the credential is expired? Should we renew
it automatically?