Add support for S3 WebIdentity authentication

Author: imsayari404

presto-docs/src/main/sphinx/connector/hive.rst

@@ -371,6 +371,13 @@ Property Name                                Description
 ``hive.s3.skip-glacier-objects``             Ignore Glacier objects rather than failing the query. This
                                              will skip data that may be expected to be part of the table
                                              or partition. Defaults to ``false``.
+
+``hive.s3.web.identity.auth.enabled``        Enables Web Identity authentication for S3 access. Requires
+                                             ``hive.s3.iam-role`` to be specified. Additionally, ensure that
+                                             the environment variables ``AWS_WEB_IDENTITY_TOKEN_FILE`` and
+                                             ``AWS_REGION`` are set for proper authentication. Since this
+                                             implementation uses AWS SDK 1.x, setting these environment
+                                             variables is necessary.
 ============================================ =================================================================
 
 S3 Credentials

presto-hive/src/main/java/com/facebook/presto/hive/s3/HiveS3Config.java

@@ -61,6 +61,20 @@ public class HiveS3Config
     private String s3UserAgentPrefix = "";
     private PrestoS3AclType s3AclType = PrestoS3AclType.PRIVATE;
     private boolean skipGlacierObjects;
+    private boolean s3WebIdentityEnabled;
+
+    public boolean isS3WebIdentityEnabled()
+    {
+        return s3WebIdentityEnabled;
+    }
+
+    @Config("hive.s3.web.identity.auth.enabled")
+    @ConfigDescription("Enable web identity token authentication for assuming an AWS IAM role")
+    public HiveS3Config setS3WebIdentityEnabled(boolean s3WebIdentityEnabled)
+    {
+        this.s3WebIdentityEnabled = s3WebIdentityEnabled;
+        return this;
+    }
 
     public String getS3AwsAccessKey()
     {

presto-hive/src/main/java/com/facebook/presto/hive/s3/PrestoS3ConfigurationUpdater.java

@@ -52,6 +52,7 @@ public class PrestoS3ConfigurationUpdater
     private final String userAgentPrefix;
     private final PrestoS3AclType aclType;
     private boolean skipGlacierObjects;
+    private final boolean webIdentityEnabled;
 
     @Inject
     public PrestoS3ConfigurationUpdater(HiveS3Config config)
@@ -84,6 +85,7 @@ public PrestoS3ConfigurationUpdater(HiveS3Config config)
         this.userAgentPrefix = config.getS3UserAgentPrefix();
         this.aclType = config.getS3AclType();
         this.skipGlacierObjects = config.isSkipGlacierObjects();
+        this.webIdentityEnabled = config.isS3WebIdentityEnabled();
     }
 
     @Override
@@ -124,6 +126,7 @@ public void updateConfiguration(Configuration config)
         if (sseKmsKeyId != null) {
             config.set(S3_SSE_KMS_KEY_ID, sseKmsKeyId);
         }
+        config.setBoolean(S3_WEB_IDENTITY_ENABLED, webIdentityEnabled);
         config.setInt(S3_MAX_CLIENT_RETRIES, maxClientRetries);
         config.setInt(S3_MAX_ERROR_RETRIES, maxErrorRetries);
         config.set(S3_MAX_BACKOFF_TIME, maxBackoffTime.toString());

presto-hive/src/main/java/com/facebook/presto/hive/s3/PrestoS3FileSystem.java

@@ -24,6 +24,7 @@
 import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
 import com.amazonaws.auth.InstanceProfileCredentialsProvider;
 import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
+import com.amazonaws.auth.WebIdentityTokenCredentialsProvider;
 import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration;
 import com.amazonaws.event.ProgressEvent;
 import com.amazonaws.event.ProgressEventType;
@@ -136,6 +137,7 @@
 import static com.facebook.presto.hive.s3.S3ConfigurationUpdater.S3_USER_AGENT_PREFIX;
 import static com.facebook.presto.hive.s3.S3ConfigurationUpdater.S3_USER_AGENT_SUFFIX;
 import static com.facebook.presto.hive.s3.S3ConfigurationUpdater.S3_USE_INSTANCE_CREDENTIALS;
+import static com.facebook.presto.hive.s3.S3ConfigurationUpdater.S3_WEB_IDENTITY_ENABLED;
 import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.base.Preconditions.checkPositionIndexes;
 import static com.google.common.base.Strings.isNullOrEmpty;
@@ -196,6 +198,7 @@ public class PrestoS3FileSystem
     private PrestoS3AclType s3AclType;
     private boolean skipGlacierObjects;
     private PrestoS3StorageClass s3StorageClass;
+    private boolean webIdentityEnabled;
 
     @Override
     public void initialize(URI uri, Configuration conf)
@@ -237,7 +240,8 @@ public void initialize(URI uri, Configuration conf)
         String userAgentPrefix = conf.get(S3_USER_AGENT_PREFIX, defaults.getS3UserAgentPrefix());
         this.skipGlacierObjects = conf.getBoolean(S3_SKIP_GLACIER_OBJECTS, defaults.isSkipGlacierObjects());
         this.s3StorageClass = conf.getEnum(S3_STORAGE_CLASS, defaults.getS3StorageClass());
-
+        this.webIdentityEnabled = conf.getBoolean(S3_WEB_IDENTITY_ENABLED, false);
+        checkArgument(!(webIdentityEnabled && isNullOrEmpty(s3IamRole)), "Invalid configuration: hive.s3.iam-role must be provided when hive.s3.web.identity.auth.enabled is set to true");
         ClientConfiguration configuration = new ClientConfiguration()
                 .withMaxErrorRetry(maxErrorRetries)
                 .withProtocol(sslEnabled ? Protocol.HTTPS : Protocol.HTTP)
@@ -854,8 +858,17 @@ private AWSCredentialsProvider createAwsCredentialsProvider(URI uri, Configurati
             return InstanceProfileCredentialsProvider.getInstance();
         }
 
-        if (s3IamRole != null) {
-            return new STSAssumeRoleSessionCredentialsProvider.Builder(s3IamRole, s3IamRoleSessionName).build();
+        if (!isNullOrEmpty(s3IamRole)) {
+            if (webIdentityEnabled) {
+                log.debug("Using Web Identity Token Credentials Provider.");
+                WebIdentityTokenCredentialsProvider.Builder providerBuilder = WebIdentityTokenCredentialsProvider.builder()
+                        .roleArn(s3IamRole)
+                        .roleSessionName(s3IamRoleSessionName);
+                return providerBuilder.build();
+            }
+            log.debug("Using STS Assume Role Session Credentials Provider.");
+            return new STSAssumeRoleSessionCredentialsProvider.Builder(s3IamRole, s3IamRoleSessionName)
+                    .build();
         }
 
         String providerClass = conf.get(S3_CREDENTIALS_PROVIDER);

presto-hive/src/main/java/com/facebook/presto/hive/s3/S3ConfigurationUpdater.java

@@ -28,6 +28,7 @@ public interface S3ConfigurationUpdater
     String S3_PIN_CLIENT_TO_CURRENT_REGION = "presto.s3.pin-client-to-current-region";
     String S3_USE_INSTANCE_CREDENTIALS = "presto.s3.use-instance-credentials";
     String S3_IAM_ROLE = "presto.hive.s3.iam-role";
+    String S3_WEB_IDENTITY_ENABLED = "presto.hive.s3.web.identity.auth.enabled";
     String S3_IAM_ROLE_SESSION_NAME = "presto.hive.s3.iam-role-session-name";
     String S3_MULTIPART_MIN_PART_SIZE = "presto.s3.multipart.min-part-size";
     String S3_MULTIPART_MIN_FILE_SIZE = "presto.s3.multipart.min-file-size";

presto-hive/src/test/java/com/facebook/presto/hive/s3/TestHiveS3Config.java

@@ -41,6 +41,7 @@ public void testDefaults()
                 .setS3PathStyleAccess(false)
                 .setS3UseInstanceCredentials(false)
                 .setS3IamRole(null)
+                .setS3WebIdentityEnabled(false)
                 .setS3StorageClass(PrestoS3StorageClass.STANDARD)
                 .setS3IamRoleSessionName("presto-session")
                 .setS3SslEnabled(true)
@@ -76,6 +77,7 @@ public void testExplicitPropertyMappings()
                 .put("hive.s3.path-style-access", "true")
                 .put("hive.s3.use-instance-credentials", "true")
                 .put("hive.s3.iam-role", "roleArn")
+                .put("hive.s3.web.identity.auth.enabled", "true")
                 .put("hive.s3.storage-class", "INTELLIGENT_TIERING")
                 .put("hive.s3.iam-role-session-name", "roleSessionName")
                 .put("hive.s3.ssl.enabled", "false")
@@ -108,6 +110,7 @@ public void testExplicitPropertyMappings()
                 .setS3PathStyleAccess(true)
                 .setS3UseInstanceCredentials(true)
                 .setS3IamRole("roleArn")
+                .setS3WebIdentityEnabled(true)
                 .setS3StorageClass(PrestoS3StorageClass.INTELLIGENT_TIERING)
                 .setS3IamRoleSessionName("roleSessionName")
                 .setS3SslEnabled(false)

presto-hive/src/test/java/com/facebook/presto/hive/s3/TestPrestoS3FileSystem.java

@@ -21,6 +21,7 @@
 import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
 import com.amazonaws.auth.InstanceProfileCredentialsProvider;
 import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
+import com.amazonaws.auth.WebIdentityTokenCredentialsProvider;
 import com.amazonaws.services.s3.AmazonS3Client;
 import com.amazonaws.services.s3.AmazonS3EncryptionClient;
 import com.amazonaws.services.s3.S3ClientOptions;
@@ -86,6 +87,7 @@
 import static com.facebook.presto.hive.s3.S3ConfigurationUpdater.S3_USER_AGENT_PREFIX;
 import static com.facebook.presto.hive.s3.S3ConfigurationUpdater.S3_USER_AGENT_SUFFIX;
 import static com.facebook.presto.hive.s3.S3ConfigurationUpdater.S3_USE_INSTANCE_CREDENTIALS;
+import static com.facebook.presto.hive.s3.S3ConfigurationUpdater.S3_WEB_IDENTITY_ENABLED;
 import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.io.MoreFiles.deleteRecursively;
 import static com.google.common.io.RecursiveDeleteOption.ALLOW_INSECURE;
@@ -98,6 +100,7 @@
 import static org.testng.Assert.assertFalse;
 import static org.testng.Assert.assertNull;
 import static org.testng.Assert.assertTrue;
+import static org.testng.Assert.expectThrows;
 
 public class TestPrestoS3FileSystem
 {
@@ -147,6 +150,37 @@ public void testEndpointWithPinToCurrentRegionConfiguration()
         }
     }
 
+    @Test
+    public void testWebIdentityTokenCredentials()
+            throws Exception
+    {
+        Configuration config = new Configuration();
+        config.set(S3_IAM_ROLE, "role");
+        config.setBoolean(S3_WEB_IDENTITY_ENABLED, true);
+
+        try (PrestoS3FileSystem fs = new PrestoS3FileSystem()) {
+            fs.initialize(new URI("s3n://test-bucket/"), config);
+            assertInstanceOf(getAwsCredentialsProvider(fs), WebIdentityTokenCredentialsProvider.class);
+        }
+    }
+
+    @Test
+    public void testWebIdentityEnabledWithoutIamRole()
+    {
+        Configuration config = new Configuration();
+        config.setBoolean(S3_WEB_IDENTITY_ENABLED, true);
+        // S3_IAM_ROLE is NOT set (invalid case)
+
+        IllegalArgumentException exception = expectThrows(IllegalArgumentException.class, () -> {
+            try (PrestoS3FileSystem fs = new PrestoS3FileSystem()) {
+                fs.initialize(new URI("s3n://test-bucket/"), config);
+            }
+        });
+
+        assertEquals("Invalid configuration: hive.s3.iam-role must be provided when hive.s3.web.identity.auth.enabled is set to true",
+                exception.getMessage());
+    }
+
     @Test
     public void testAssumeRoleCredentials()
             throws Exception