zhaoyunjiong commented on code in PR #14443:
URL: https://github.com/apache/iceberg/pull/14443#discussion_r2583921364


##########
aliyun/src/main/java/org/apache/iceberg/aliyun/AliyunClientFactories.java:
##########
@@ -81,17 +88,82 @@ private static AliyunClientFactory loadClientFactory(
   }
 
   static class DefaultAliyunClientFactory implements AliyunClientFactory {
+    private static final Logger LOG = 
LoggerFactory.getLogger(DefaultAliyunClientFactory.class);
     private AliyunProperties aliyunProperties;
 
     DefaultAliyunClientFactory() {}
 
+    /**
+     * Check if RRSA environment variables are present. RRSA requires
+     * ALIBABA_CLOUD_OIDC_PROVIDER_ARN, ALIBABA_CLOUD_ROLE_ARN and 
ALIBABA_CLOUD_OIDC_TOKEN_FILE to
+     * be set.
+     */
+    boolean isRrsaEnvironmentAvailable() {
+      String oidcProviderArn = 
System.getenv("ALIBABA_CLOUD_OIDC_PROVIDER_ARN");
+      String roleArn = System.getenv("ALIBABA_CLOUD_ROLE_ARN");
+      String oidcTokenFile = System.getenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE");
+      return oidcProviderArn != null
+          && !oidcProviderArn.isEmpty()
+          && roleArn != null
+          && !roleArn.isEmpty()
+          && oidcTokenFile != null
+          && !oidcTokenFile.isEmpty();
+    }
+
     @Override
     public OSS newOSSClient() {
       Preconditions.checkNotNull(
           aliyunProperties,
           "Cannot create aliyun oss client before initializing the 
AliyunClientFactory.");
 
-      if (Strings.isNullOrEmpty(aliyunProperties.securityToken())) {
+      String endpoint = aliyunProperties.ossEndpoint();
+
+      // Check if RRSA environment is available
+      if (isRrsaEnvironmentAvailable()) {
+        try {
+          LOG.info(
+              "Detected RRSA environment variables, creating OSS client with 
RRSA credentials for endpoint: {}",
+              endpoint);
+
+          // Use OIDCRoleArnCredentialProvider directly with built-in caching 
and auto-refresh
+          final OIDCRoleArnCredentialProvider oidcProvider =
+              OIDCRoleArnCredentialProvider.builder().build();
+
+          CredentialsProvider ossCredProvider =
+              new CredentialsProvider() {
+                private volatile Credentials currentCredentials;
+
+                @Override
+                public void setCredentials(Credentials credentials) {}
+
+                @Override
+                public Credentials getCredentials() {
+                  try {
+                    LOG.debug("Getting credentials using RRSA");
+                    // getCredentials() returns cached credentials and 
auto-refreshes when needed
+                    CredentialModel cred = oidcProvider.getCredentials();
+                    long expirationSeconds = 0;
+                    if (cred.getExpiration() > 0) {
+                      expirationSeconds =
+                          (cred.getExpiration() - System.currentTimeMillis()) 
/ 1000;
+                    }
+                    this.currentCredentials =
+                        new BasicCredentials(
+                            cred.getAccessKeyId(),
+                            cred.getAccessKeySecret(),
+                            cred.getSecurityToken(),
+                            expirationSeconds);
+                    return this.currentCredentials;
+                  } catch (Exception e) {
+                    throw new RuntimeException("Failed to get RRSA 
credentials", e);
+                  }
+                }
+              };
+          return new OSSClientBuilder().build(endpoint, ossCredProvider);
+        } catch (Exception e) {
+          throw new RuntimeException("Failed to create RRSA OSS client", e);
+        }
+      } else if (Strings.isNullOrEmpty(aliyunProperties.securityToken())) {
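Review bot: The anonymous CredentialsProvider keeps a `volatile Credentials currentCredentials` field that is only ever written and immediately returned, so it adds a shared mutable slot without caching anything; `getCredentials()` can simply `return new BasicCredentials(cred.getAccessKeyId(), cred.getAccessKeySecret(), cred.getSecurityToken(), expirationSeconds);` and the field can go. The empty `setCredentials` override deserves a one-line comment such as `// No-op: credentials are always sourced from the OIDC provider` so a reader does not take it for an omission. The expiration arithmetic presumably assumes `cred.getExpiration()` is an epoch in milliseconds and can yield a negative `expirationSeconds` if the provider hands back an already-expired credential; if BasicCredentials does not treat negative values as expired, clamping with `Math.max(0, ...)` or documenting the unit assumption would make that explicit. newOSSClient's body continues past the end of the hunk.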

Review Comment:
   For line 166, the diff here is:
   ```
   -       if (Strings.isNullOrEmpty(aliyunProperties.securityToken())) {
   +       } else if (Strings.isNullOrEmpty(aliyunProperties.securityToken())) {
   ```
   The token can be passed via properties.


