thswlsqls opened a new issue, #17046:
URL: https://github.com/apache/iceberg/issues/17046

   **Apache Iceberg version**
   main @ 035fc1e40
   
   **Query engine**
   N/A — engine-agnostic (Aliyun OSS FileIO client factory)
   
   **Please describe the bug**
   `AliyunClientFactories.DefaultAliyunClientFactory.newOSSClient()` 
(`aliyun/src/main/java/org/apache/iceberg/aliyun/AliyunClientFactories.java` 
line 123) always checks RRSA (RAM Roles for Service Accounts) environment 
variables first, regardless of whether 
`client.access-key-id`/`client.access-key-secret` are explicitly configured. If 
a pod has the three RRSA env vars set (auto-injected by Alibaba Cloud ACK when 
RRSA is enabled on the ServiceAccount), explicit static credentials are 
silently ignored and replaced with RRSA credentials.
   
   The sibling aws module (`AwsClientProperties.credentialsProvider()`, 
`aws/src/main/java/org/apache/iceberg/aws/AwsClientProperties.java` line 
213-239) checks a fully configured static credential pair before falling back 
to auto-detection. Aliyun's precedence is reversed.
   
   **Steps to reproduce**
   1. Set `ALIBABA_CLOUD_OIDC_PROVIDER_ARN`, `ALIBABA_CLOUD_ROLE_ARN`, 
`ALIBABA_CLOUD_OIDC_TOKEN_FILE`.
   2. Also configure `client.access-key-id` and `client.access-key-secret` on 
the catalog (e.g. for cross-account OSS bucket access).
   3. Call `newOSSClient()`.
   
   Expected: the explicit static credentials are used.
   Actual: RRSA credentials are used instead, silently overriding the explicit 
configuration.
   
   **Additional context**
   RRSA support was added in #14443; its review did not consider the 
interaction with static credentials. No existing open issue/PR covers this 
precedence conflict.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to