下面列出了org.apache.hadoop.fs.s3a.Constants#software.amazon.awssdk.auth.credentials.AnonymousCredentialsProvider 实例代码,或者点击链接到github查看源代码,也可以在右侧发表评论。
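/**
 * Chooses the SDK v2 credentials provider named by the
 * {@code Constants.AWS_CREDENTIALS_PROVIDER} setting.
 *
 * <p>{@code ACCESS_KEY_PROVIDER} builds static credentials from the access/secret key stored in
 * the configuration, {@code EC2_METADATA_PROVIDER} uses the instance profile,
 * {@code ASSUME_ROLE_PROVIDER} delegates to {@code STSCredentialProviderV2}, and
 * {@code NONE_PROVIDER} returns anonymous credentials. Anonymous must be selected explicitly;
 * a missing or unknown setting is rejected rather than silently treated as anonymous.
 *
 * @param config configuration holding the provider name and, for static keys, the key pair
 * @return the credentials provider matching the configured name
 * @throws IllegalStateException if the setting is absent or names an unsupported provider
 */
@VisibleForTesting
protected AwsCredentialsProvider getAsync2Provider(Configuration config) {
    String providerName = config.get(Constants.AWS_CREDENTIALS_PROVIDER);
    if (providerName == null) {
        // A switch on a null String throws a bare NullPointerException; name the missing setting instead.
        throw new IllegalStateException(
            "No credentials provider configured for " + Constants.AWS_CREDENTIALS_PROVIDER);
    }
    switch (providerName) {
        case ACCESS_KEY_PROVIDER:
            // Long-lived keys read from configuration; their values must never reach logs or messages.
            return StaticCredentialsProvider.create(AwsBasicCredentials.create(
                config.get(Constants.ACCESS_KEY), config.get(Constants.SECRET_KEY)));
        case EC2_METADATA_PROVIDER:
            return InstanceProfileCredentialsProvider.create();
        case NONE_PROVIDER:
            return AnonymousCredentialsProvider.create();
        case ASSUME_ROLE_PROVIDER:
            return new STSCredentialProviderV2(config);
        default:
            // Only the provider name is echoed back, never key material.
            throw new IllegalStateException("Unsupported credentials provider: " + providerName);
    }
}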
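/**
 * Builds the credentials provider for the S3 async client.
 *
 * <p>Static credentials are used only when both keys are non-blank. In every other case the
 * client falls back to anonymous credentials. A half-configured pair is reported in the log,
 * because an unnoticed fallback to anonymous access usually indicates a configuration mistake.
 * Key values are never logged.
 *
 * @param accessKey access key id, may be blank or {@code null}
 * @param secretKey secret access key, may be blank or {@code null}
 * @return a static provider when both keys are present, otherwise an anonymous provider
 */
private AwsCredentialsProvider awsCredentialsProvider(String accessKey, String secretKey) {
    boolean hasAccessKey = StringUtils.isNotBlank(accessKey);
    boolean hasSecretKey = StringUtils.isNotBlank(secretKey);
    if (hasAccessKey && hasSecretKey) {
        log.info("Setting up S3 async client using provided access/secret key");
        return StaticCredentialsProvider.create(AwsBasicCredentials.create(accessKey, secretKey));
    }
    if (hasAccessKey != hasSecretKey) {
        // Exactly one of the two was supplied: report it without echoing either value.
        log.info("Only one of access key and secret key is set; ignoring it");
    }
    log.info("Setting up S3 async client using anonymous credentials");
    return AnonymousCredentialsProvider.create();
}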
/**
 * Wires an STS client and a web-identity credentials provider from the given properties.
 *
 * <p>The STS client is built with anonymous credentials: AssumeRoleWithWebIdentity is
 * authenticated by the web identity token, not by an AWS signature. The token file named in
 * the properties is handed to the request supplier together with the role ARN and session name.
 *
 * @param credentialProperties role ARN, optional session name and token file location
 */
private StsWebIdentityCredentialsProvider(WebIdentityTokenCredentialProperties credentialProperties) {
    // Fall back to a timestamped session name when the caller did not provide one.
    String sessionName = credentialProperties.roleSessionName();
    if (sessionName == null) {
        sessionName = "aws-sdk-java-" + System.currentTimeMillis();
    }

    // Retry when either the STS-specific condition or the SDK default condition matches.
    OrRetryCondition stsOrDefaultRetry =
        OrRetryCondition.create(new StsRetryCondition(), RetryCondition.defaultRetryCondition());

    this.stsClient = StsClient.builder()
                              .applyMutation(this::configureEndpoint)
                              .credentialsProvider(AnonymousCredentialsProvider.create())
                              .overrideConfiguration(o -> o.retryPolicy(r -> r.retryCondition(stsOrDefaultRetry)))
                              .build();

    AssumeRoleWithWebIdentityRequest assumeRoleRequest =
        AssumeRoleWithWebIdentityRequest.builder()
                                        .roleArn(credentialProperties.roleArn())
                                        .roleSessionName(sessionName)
                                        .build();

    AssumeRoleWithWebIdentityRequestSupplier requestSupplier =
        new AssumeRoleWithWebIdentityRequestSupplier(assumeRoleRequest,
                                                     credentialProperties.webIdentityTokenFile());

    this.credentialsProvider = StsAssumeRoleWithWebIdentityCredentialsProvider.builder()
                                                                              .stsClient(stsClient)
                                                                              .refreshRequest(requestSupplier)
                                                                              .build();
}
/**
 * Checks that {@code aws_endpoint_discovery_enabled = true} in the profile file supplied through
 * the override configuration causes a DescribeEndpoints request to be transmitted.
 *
 * <p>The client uses anonymous credentials and zero retries, and {@code listTables} is expected
 * to fail. The test only inspects the requests seen by the interceptor.
 */
@Test(timeout = 10_000)
public void canBeEnabledViaProfileOnOverrideConfiguration() throws InterruptedException {
    ExecutionInterceptor spyInterceptor = Mockito.spy(AbstractExecutionInterceptor.class);

    String profileFileContent =
        "[default]\n" +
        "aws_endpoint_discovery_enabled = true";
    ProfileFile discoveryProfile = ProfileFile.builder()
                                              .type(ProfileFile.Type.CONFIGURATION)
                                              .content(new StringInputStream(profileFileContent))
                                              .build();

    DynamoDbClient client =
        DynamoDbClient.builder()
                      .region(Region.US_WEST_2)
                      .credentialsProvider(AnonymousCredentialsProvider.create())
                      .overrideConfiguration(c -> c.defaultProfileFile(discoveryProfile)
                                                   .defaultProfileName("default")
                                                   .addExecutionInterceptor(spyInterceptor)
                                                   .retryPolicy(r -> r.numRetries(0)))
                      .build();

    assertThatThrownBy(client::listTables).isInstanceOf(SdkException.class);

    // Poll until the interceptor has seen at least two transmissions.
    // The @Test timeout bounds this loop if the second one never arrives.
    ArgumentCaptor<Context.BeforeTransmission> transmissions;
    do {
        Thread.sleep(1);
        transmissions = ArgumentCaptor.forClass(Context.BeforeTransmission.class);
        Mockito.verify(spyInterceptor, atLeastOnce()).beforeTransmission(transmissions.capture(), any());
    } while (transmissions.getAllValues().size() < 2);

    boolean sawDescribeEndpoints =
        transmissions.getAllValues()
                     .stream()
                     .anyMatch(v -> v.httpRequest()
                                     .firstMatchingHeader("X-Amz-Target")
                                     .map(h -> h.equals("DynamoDB_20120810.DescribeEndpoints"))
                                     .orElse(false));
    assertThat(sawDescribeEndpoints).isTrue();
}
/**
 * An access-point ARN whose region segment is malformed ({@code US_EAST_1}) must be rejected
 * with an {@code SdkClientException} that names both the bad value and "region".
 */
@Test
public void invalidS3ArnRegionAtRequestGivesHelpfulMessage() {
    String accessPointArn = "arn:aws:s3:US_EAST_1:123456789012:accesspoint/test";

    S3Client s3 = S3Client.builder()
                          .region(Region.of("us-east-1"))
                          .credentialsProvider(AnonymousCredentialsProvider.create())
                          .serviceConfiguration(c -> c.useArnRegionEnabled(true))
                          .build();

    assertThatThrownBy(() -> s3.getObject(r -> r.bucket(accessPointArn).key("test")))
        .isInstanceOf(SdkClientException.class)
        .hasMessageContaining("US_EAST_1")
        .hasMessageContaining("region");
}
/**
 * Presigning a GetObject for an access-point ARN with a malformed region segment must fail
 * with an {@code SdkClientException} that names both the bad value and "region".
 */
@Test
public void invalidS3PresignerArnRegionAtRequestGivesHelpfulMessage() {
    S3Configuration arnRegionEnabled = S3Configuration.builder().useArnRegionEnabled(true).build();
    S3Presigner s3Presigner = S3Presigner.builder()
                                         .region(Region.of("us-east-1"))
                                         .credentialsProvider(AnonymousCredentialsProvider.create())
                                         .serviceConfiguration(arnRegionEnabled)
                                         .build();

    String accessPointArn = "arn:aws:s3:US_EAST_1:123456789012:accesspoint/test";

    assertThatThrownBy(() -> s3Presigner.presignGetObject(
            r -> r.getObjectRequest(g -> g.bucket(accessPointArn).key("test"))
                  .signatureDuration(Duration.ofMinutes(15))))
        .isInstanceOf(SdkClientException.class)
        .hasMessageContaining("US_EAST_1")
        .hasMessageContaining("region");
}
/**
 * With {@code s3_use_arn_region = true} in the profile file supplied through the override
 * configuration, the request host must carry the region taken from the access-point ARN.
 *
 * <p>The call itself is expected to fail. Only the single request captured by the interceptor
 * is inspected.
 */
@Test
public void specifiedInOverrideConfig_shouldUse() {
    ExecutionInterceptor spyInterceptor = Mockito.spy(AbstractExecutionInterceptor.class);

    String profileFileContent =
        "[default]\n" +
        "s3_use_arn_region = true\n";
    ProfileFile arnRegionProfile = ProfileFile.builder()
                                              .type(ProfileFile.Type.CONFIGURATION)
                                              .content(new StringInputStream(profileFileContent))
                                              .build();

    S3Client client = S3Client.builder()
                              .region(Region.US_WEST_2)
                              .credentialsProvider(AnonymousCredentialsProvider.create())
                              .overrideConfiguration(c -> c.defaultProfileFile(arnRegionProfile)
                                                           .defaultProfileName("default")
                                                           .addExecutionInterceptor(spyInterceptor)
                                                           .retryPolicy(r -> r.numRetries(0)))
                              .build();

    String accessPointArn = "arn:aws:s3:us-banana-46:12345567890:accesspoint:foo";
    assertThatThrownBy(() -> client.getObject(r -> r.bucket(accessPointArn).key("bar")))
        .isInstanceOf(SdkException.class);

    ArgumentCaptor<Context.BeforeTransmission> transmitted =
        ArgumentCaptor.forClass(Context.BeforeTransmission.class);
    Mockito.verify(spyInterceptor).beforeTransmission(transmitted.capture(), any());

    String requestHost = transmitted.getValue().httpRequest().host();
    assertThat(requestHost).contains("us-banana-46");
}
/**
 * Building a client with a malformed region id ({@code US_EAST_1}) must fail with an
 * {@code SdkClientException} that names both the bad value and "region".
 */
@Test
public void invalidClientRegionGivesHelpfulMessage() {
    assertThatThrownBy(() -> {
        // The whole builder chain stays inside the callable so any failure is captured.
        ProtocolRestJsonClient.builder()
                              .region(Region.of("US_EAST_1"))
                              .credentialsProvider(AnonymousCredentialsProvider.create())
                              .build();
    }).isInstanceOf(SdkClientException.class)
      .hasMessageContaining("US_EAST_1")
      .hasMessageContaining("region");
}
/**
 * Verifies that signing with anonymous credentials leaves the request without an
 * {@code Authorization} header.
 */
@Test
public void testAnonymous() throws Exception {
    AwsCredentials anonymous = AnonymousCredentialsProvider.create().resolveCredentials();
    SdkHttpFullRequest unsignedRequest = generateBasicRequest().build();

    SignerTestUtils.signRequest(signer, unsignedRequest, anonymous, "demo", signingOverrideClock, "us-east-1");

    // NOTE(review): the assertion reads the request that was passed in, not a value returned by
    // signRequest. If signRequest returns a new request instead of mutating its argument, this
    // check cannot fail. Confirm against SignerTestUtils.
    assertNull(unsignedRequest.headers().get("Authorization"));
}
/**
 * Creates a sync test client builder with the test signer installed, default region detection
 * switched off and anonymous credentials, so no credentials are read from the environment.
 *
 * @return the preconfigured builder
 */
private AwsClientBuilder<TestClientBuilder, TestClient> testClientBuilder() {
    ClientOverrideConfiguration.Builder overrides = ClientOverrideConfiguration.builder();
    overrides.putAdvancedOption(SIGNER, TEST_SIGNER);
    overrides.putAdvancedOption(ENABLE_DEFAULT_REGION_DETECTION, false);
    ClientOverrideConfiguration testOverrides = overrides.build();

    return new TestClientBuilder().credentialsProvider(AnonymousCredentialsProvider.create())
                                  .overrideConfiguration(testOverrides);
}
/**
 * Creates an async test client builder with the test signer installed, default region detection
 * switched off and anonymous credentials, so no credentials are read from the environment.
 *
 * @return the preconfigured builder
 */
private AwsClientBuilder<TestAsyncClientBuilder, TestAsyncClient> testAsyncClientBuilder() {
    ClientOverrideConfiguration.Builder overrides = ClientOverrideConfiguration.builder();
    overrides.putAdvancedOption(SIGNER, TEST_SIGNER);
    overrides.putAdvancedOption(ENABLE_DEFAULT_REGION_DETECTION, false);
    ClientOverrideConfiguration testOverrides = overrides.build();

    return new TestAsyncClientBuilder().credentialsProvider(AnonymousCredentialsProvider.create())
                                       .overrideConfiguration(testOverrides);
}
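/**
 * Opens the object named by a CDM S3 URI and issues a HEAD request for it.
 *
 * <p>Credentials are resolved through a chain, in this order: the profile named in the URI
 * (if any), the SDK default credentials provider, and finally anonymous credentials. Because
 * anonymous is the last link, a missing or broken credential setup does not fail here; the
 * request is attempted with anonymous credentials instead. That is intentional for public
 * buckets and non-AWS object stores.
 *
 * @param url location of the object; must parse as a {@code CdmS3Uri}
 * @throws IOException if {@code url} is not a valid {@code CdmS3Uri}
 */
private S3RandomAccessFile(String url) throws IOException {
    super(url, s3BufferSize, s3MaxReadCacheSize);

    // Region is tricky. The AWS SDK manages connections to every object store, so some users of
    // netCDF-Java never touch AWS and have no credentials or configuration file, hence no
    // default region. Look for one in the default profile here. If none is set by the time the
    // client is built, AWS_GLOBAL is used, which acts like a no-op region for S3 and lets
    // requests to non-AWS object stores work (a region must be set even when it is meaningless).
    Optional<Region> profileRegion = ProfileFile.defaultProfileFile().profile("default")
        .map(p -> p.properties().get(ProfileProperty.REGION)).map(Region::of);

    try {
        uri = new CdmS3Uri(url);
    } catch (URISyntaxException urie) {
        // Wrap the exception itself. Its getCause() is normally null, which would discard the
        // parse error and leave callers with an empty IOException.
        throw new IOException(urie);
    }

    Builder httpConfig = ApacheHttpClient.builder().maxConnections(maxConnections)
        .connectionTimeout(Duration.ofMillis(connectionTimeout)).socketTimeout(Duration.ofMillis(socketTimeout));

    S3ClientBuilder s3ClientBuilder = S3Client.builder().httpClientBuilder(httpConfig);

    // For an S3-compatible service the endpoint comes from the URI, so requests (and any
    // credentials resolved below) are sent to whatever host the URI names.
    uri.getEndpoint().ifPresent(s3ClientBuilder::endpointOverride);

    // Build up the chain of credentials providers.
    AwsCredentialsProviderChain.Builder cdmCredentialsProviderChainBuilder = AwsCredentialsProviderChain.builder();

    // A profile name in the URI adds a provider for that profile and may also supply the region.
    if (uri.getProfile().isPresent()) {
        String profileName = uri.getProfile().get();
        ProfileCredentialsProvider namedProfileCredentials =
            ProfileCredentialsProvider.builder().profileName(profileName).build();
        // Added first, so it is the first provider consulted for credentials.
        cdmCredentialsProviderChainBuilder.addCredentialsProvider(namedProfileCredentials);

        // Read the region associated with the profile, if set.
        // Note: the Java SDK does not do this by default.
        Optional<Region> namedProfileRegion = ProfileFile.defaultProfileFile().profile(profileName)
            .map(p -> p.properties().get(ProfileProperty.REGION)).map(Region::of);
        if (namedProfileRegion.isPresent()) {
            profileRegion = namedProfileRegion;
        }
    }

    // Add the Default Credentials Provider Chain:
    // https://docs.aws.amazon.com/sdk-for-java/v2/developer-guide/credentials.html
    cdmCredentialsProviderChainBuilder.addCredentialsProvider(DefaultCredentialsProvider.create());

    // Anonymous goes last, so it is used only when nothing earlier in the chain yields credentials.
    cdmCredentialsProviderChainBuilder.addCredentialsProvider(AnonymousCredentialsProvider.create());

    AwsCredentialsProviderChain cdmCredentialsProviderChain = cdmCredentialsProviderChainBuilder.build();
    s3ClientBuilder.credentialsProvider(cdmCredentialsProviderChain);

    // Set the region for the client builder (default to AWS_GLOBAL).
    s3ClientBuilder.region(profileRegion.orElse(Region.AWS_GLOBAL));

    client = s3ClientBuilder.build();

    // Request HEAD for the object.
    HeadObjectRequest headObjectRequest =
        HeadObjectRequest.builder().bucket(uri.getBucket()).key(uri.getKey()).build();
    objectHeadResponse = client.headObject(headObjectRequest);
}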
/**
 * Returns a sync client builder pinned to {@code US_EAST_1} with anonymous credentials, so the
 * client does not pick up credentials from the environment.
 *
 * @return the preconfigured sync builder
 */
public ProtocolRestJsonClientBuilder syncClientBuilder() {
    ProtocolRestJsonClientBuilder builder = ProtocolRestJsonClient.builder();
    return builder.region(Region.US_EAST_1)
                  .credentialsProvider(AnonymousCredentialsProvider.create());
}
/**
 * Returns an async client builder pinned to {@code US_EAST_1} with anonymous credentials, so
 * the client does not pick up credentials from the environment.
 *
 * @return the preconfigured async builder
 */
public ProtocolRestJsonAsyncClientBuilder asyncClientBuilder() {
    ProtocolRestJsonAsyncClientBuilder builder = ProtocolRestJsonAsyncClient.builder();
    return builder.region(Region.US_EAST_1)
                  .credentialsProvider(AnonymousCredentialsProvider.create());
}