Allow to specify the STS endpoint for hive connector on S3

[clemensvonschwerin]

Description

Allow to specify the STS endpoint for hive connector on S3

Is this change a fix, improvement, new feature, refactoring, or other?

Improvement.

Is this a change to the core query engine, a connector, client library, or the SPI interfaces? (be specific)

Hive/Iceberg/Delta connectors

How would you describe this change to a non-technical end user or system administrator?

Allow to specify the STS endpoint for hive connector on S3

Documentation

(x) No documentation is needed.
( ) Sufficient documentation is included in this PR.
( ) Documentation PR is available with #prnumber.
( ) Documentation issue #issuenumber is filed, and can be handled later.

Release notes

() No release notes entries required.
(x) Release notes entries required with the following suggested text:

# Hive/Iceberg/Delta connectors
* Allow specifying STS endpoint to be used when connecting to S3. ({issue}`10169`)

[cla-bot]

Thank you for your pull request and welcome to our community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. In order for us to review and merge your code, please submit the signed CLA to cla@trino.io. For more information, see https://github.com/trinodb/cla.

[kokosing]

Can you please explain what is the use case for this? Also how have you tested it?

[cvs-mckinsey]

Can you please explain what is the use case for this? Also how have you tested it?

The use case for this is using a third-party s3 / AWS service provider such as minio in your setup, but still depending on STS to get temporary credentials.
I tested this manually using s3 and sts provided by minio. In case trino.sts.endpoint or trino.sts.region are not set nothing changes, I only took the liberty to update the deprecated method of adding credentials with the new recommended way according to AWS documentation.
If there is any way for an automated test please let me know.

[cla-bot]

Thank you for your pull request and welcome to our community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. In order for us to review and merge your code, please submit the signed CLA to cla@trino.io. For more information, see https://github.com/trinodb/cla.

[cla-bot]

Thank you for your pull request and welcome to our community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. In order for us to review and merge your code, please submit the signed CLA to cla@trino.io. For more information, see https://github.com/trinodb/cla.

[alexjo2144]

If stsRegionOverwrite is set but stsEndpointOverwrite is not it looks like we want to call stsClientBuilder.withRegion

[cvs-mckinsey]

Good point, I will update that

[alexjo2144]

Suggested change

	if (stsEndpointOverwrite != null && stsRegionOverwrite != null) {
	if (!isNullOrEmpty(stsEndpointOverwrite)l && !isNullOrEmpty(stsRegionOverwrite)) {

[cvs-mckinsey]

Looks good, I will update that

[alexjo2144]

I'd format this block a bit differently, withLongLivedCredentialsProvider is also deprecated so using AWSSecurityTokenServiceClientBuilder is preferred in all cases:

String stsEndpointOverwrite = conf.get(STS_ENDPOINT);
String stsRegionOverwrite = conf.get(STS_REGION);

AWSSecurityTokenServiceClientBuilder stsClient = ...
    .withCredentials(provider);

if (<both overrides are set>) {
    stsClient.withEndpointConfiguration(...);
}
else if (<region is set>) {
    stsClient.withRegion(...);
}

provider = new STSAssumeRoleSessionCredentialsProvider.Builder(iamRole, "trino-session")
    .with(<all the common properties>);
    .withStsClient(stsClient.build())
    .build();

[cvs-mckinsey]

I thought the same and wanted to get rid of the deprecated withLongLivedCredentialsProvider as well, but that resulted in errors in TrinoS3FileSystemTest: com.amazonaws.SdkClientException: Unable to find a region via the region provider chain. Must provide an explicit region in the builder or setup environment to supply a region.

So the question is: fix the tests setup or stay with the deprecated method (or use a option I have not thought of) ?

[alexjo2144]

You probably need to use the default region provider chain, and if that comes up empty use us-east-1

[cvs-mckinsey]

Good point, I updated the PR accordingly

[cvs-mckinsey]

@alexjo2144 thank you very much for your review. I will try to update the PR tomorrow based on your suggestions and I am looking forward to your answer to my question.

[cla-bot]

Thank you for your pull request and welcome to our community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. In order for us to review and merge your code, please submit the signed CLA to cla@trino.io. For more information, see https://github.com/trinodb/cla.

[cvs-mckinsey]

@alexjo2144 @electrum @kokosing hey guys, I hope you had a fantastic Christmas time and started well in the new year 2022. Would be great if you would find the time to check this PR again since all of the checks are passing now. Thank you!

[losipiuk]

I think we should throw here instead hard-coding failover to us-east-1

[cvs-mckinsey]

Thank you for looking into the PR. Your review directly contradicts @alexjo2144 's review comment earlier on, unfortunately. I am really okay with both, I would just like to know which way to take to get this PR approved.

[alexjo2144]

For what it's worth, we default to us-east-1 when creating the AmazonS3 client object: https://github.com/trinodb/trino/blob/master/plugin/trino-hive/src/main/java/io/trino/plugin/hive/s3/TrinoS3FileSystem.java#L885

[losipiuk]

fair :)

[losipiuk]

As these are used only for accessing S3 I would use trino.s3.sts.endpoint/region. And S3_STS_* as constant names.

[cvs-mckinsey]

Makes sense to me, will update as soon as I know how to proceed regarding your first comment.

[cla-bot]

Thank you for your pull request and welcome to our community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. In order for us to review and merge your code, please submit the signed CLA to cla@trino.io. For more information, see https://github.com/trinodb/cla.

[cla-bot]

Thank you for your pull request and welcome to our community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. In order for us to review and merge your code, please submit the signed CLA to cla@trino.io. For more information, see https://github.com/trinodb/cla.

[losipiuk]

nit: Overwrite -> Override

[losipiuk]

log as WARN

[losipiuk]

LGTM. @clemensvonschwerin did you have a chance to test it. I do not belive it is covered with automated tests.
@alexjo2144 can you please take another look?

[alexjo2144]

Mostly style nits, one real question.

@losipiuk This needs a Trino based mirror PR to run the S3 tests right?

[alexjo2144]

You can inline the first two lines

Suggested change

	AWSSecurityTokenServiceClientBuilder stsClientBuilder =
	AWSSecurityTokenServiceClientBuilder.standard()
	.withCredentials(provider);
	AWSSecurityTokenServiceClientBuilder stsClientBuilder = AWSSecurityTokenServiceClientBuilder.standard()
	.withCredentials(provider);

[alexjo2144]

I'd also move this down to right before it's used

[alexjo2144]

No need to wrap this line

Suggested change

	DefaultAwsRegionProviderChain regionProviderChain =
	new DefaultAwsRegionProviderChain();
	DefaultAwsRegionProviderChain regionProviderChain = new DefaultAwsRegionProviderChain();

[alexjo2144]

Here too

Suggested change

	stsClientBuilder.withEndpointConfiguration(
	new EndpointConfiguration(stsEndpointOverwrite, region));
	stsClientBuilder.withEndpointConfiguration(new EndpointConfiguration(stsEndpointOverwrite, region));

[alexjo2144]

I'm not super familiar with the need for STS region/endpoint overrides. Is it only ever useful when an IAM role is used, or could it also be used without a role?

[cvs-mckinsey]

Since STS service is used to assume a specific IAM role and get temporary credentials for that role I do not see any use case without setting an IAM role.

[cla-bot]

Thank you for your pull request and welcome to our community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. In order for us to review and merge your code, please submit the signed CLA to cla@trino.io. For more information, see https://github.com/trinodb/cla.

[cvs-mckinsey]

LGTM. @clemensvonschwerin did you have a chance to test it. I do not belive it is covered with automated tests. @alexjo2144 can you please take another look?

So an older version of this PR has been running on our dev and production trino instances for a while and works without issues. The combination of Trino and S3 & STS on Minio for our dev systems is possible that way.

[losipiuk]

@losipiuk This needs a Trino based mirror PR to run the S3 tests right?

#11461

[losipiuk]

@losipiuk This needs a Trino based mirror PR to run the S3 tests right?

#11461

passed

[losipiuk]

@clemensvonschwerin Please also add documentation to hive-s3.rst

[cvs-mckinsey]

@clemensvonschwerin Please also add documentation to hive-s3.rst

@losipiuk sure, I updated hive-s3.rst. Is there anything else I would need to do before we can get this merged ?

[losipiuk]

@clemensvonschwerin Please also add documentation to hive-s3.rst

@losipiuk sure, I updated hive-s3.rst. Is there anything else I would need to do before we can get this merged ?

No. other than that I think it is good to go. But please fix the doc error :)

[losipiuk]

I updated myself - lets wait for CI.