trinodb · electrum · Feb 28, 2024 · Aug 28, 2023 · Feb 28, 2024
diff --git a/docs/src/main/sphinx/connector/hive-s3.md b/docs/src/main/sphinx/connector/hive-s3.md
@@ -186,6 +186,12 @@ The security mapping must provide one or more configuration settings:
 - `allowedKmsKeyIds`: KMS-managed key IDs that are allowed to be specified as an extra
   credential. If list cotains "\*", then any key can be specified via extra credential.
 
+* ``endpoint``: The S3 storage endpoint server. This optional property can be used
+to override S3 endpoints on a per-bucket basis.
+
+* ``region``: The region S3 client should connect to. This optional property can be used
+to override S3 regions on a per-bucket basis.
+
 The security mapping entries are processed in the order listed in the configuration
 JSON. More specific mappings should thus be specified before less specific mappings.
 For example, the mapping list might have URL prefix `s3://abc/xyz/` followed by
@@ -233,10 +239,16 @@ Example JSON configuration:
       "prefix": "s3://special-bucket/",
       "accessKey": "AKIAxxxaccess",
       "secretKey": "iXbXxxxsecret"
+    }, 
+    {
+      "prefix": "s3://regional-bucket/",
+      "iamRole": "arn:aws:iam::123456789101:role/regional-user",
+      "endpoint": "https://bucket.vpce-1a2b3c4d-5e6f.s3.us-east-1.vpce.amazonaws.com",
+      "region": "us-east-1"
     },
     {
       "prefix": "s3://encrypted-bucket/",
-      "kmsKeyId": "kmsKey_10",
+      "kmsKeyId": "kmsKey_10"
     },
     {
       "user": "test.*",

diff --git a/lib/trino-hdfs/src/main/java/io/trino/hdfs/s3/S3SecurityMapping.java b/lib/trino-hdfs/src/main/java/io/trino/hdfs/s3/S3SecurityMapping.java
@@ -46,6 +46,7 @@ public class S3SecurityMapping
     private final boolean useClusterDefault;
     private final Optional<String> endpoint;
     private final Optional<String> roleSessionName;
+    private final Optional<String> region;
 
     @JsonCreator
     public S3SecurityMapping(
@@ -60,7 +61,8 @@ public S3SecurityMapping(
             @JsonProperty("accessKey") Optional<String> accessKey,
             @JsonProperty("secretKey") Optional<String> secretKey,
             @JsonProperty("useClusterDefault") Optional<Boolean> useClusterDefault,
-            @JsonProperty("endpoint") Optional<String> endpoint)
+            @JsonProperty("endpoint") Optional<String> endpoint,
+            @JsonProperty("region") Optional<String> region)
     {
         this.user = user
                 .map(S3SecurityMapping::toPredicate)
@@ -95,6 +97,7 @@ public S3SecurityMapping(
         checkArgument(!(this.useClusterDefault && this.kmsKeyId.isPresent()), "KMS key ID cannot be provided together with useClusterDefault");
 
         this.endpoint = requireNonNull(endpoint, "endpoint is null");
+        this.region = requireNonNull(region, "region is null");
     }
 
     public boolean matches(ConnectorIdentity identity, URI uri)
@@ -139,6 +142,11 @@ public Optional<String> getEndpoint()
         return endpoint;
     }
 
+    public Optional<String> getRegion()
+    {
+        return region;
+    }
+
     public Optional<String> getRoleSessionName()
     {
         return roleSessionName;
@@ -159,6 +167,7 @@ public String toString()
                 .add("credentials", credentials)
                 .add("useClusterDefault", useClusterDefault)
                 .add("endpoint", endpoint.orElse(null))
+                .add("region", region.orElse(null))
                 .toString();
     }
 

diff --git a/lib/trino-hdfs/src/main/java/io/trino/hdfs/s3/S3SecurityMappingConfigurationProvider.java b/lib/trino-hdfs/src/main/java/io/trino/hdfs/s3/S3SecurityMappingConfigurationProvider.java
@@ -35,6 +35,7 @@
 import static io.trino.hdfs.s3.TrinoS3FileSystem.S3_ENDPOINT;
 import static io.trino.hdfs.s3.TrinoS3FileSystem.S3_IAM_ROLE;
 import static io.trino.hdfs.s3.TrinoS3FileSystem.S3_KMS_KEY_ID;
+import static io.trino.hdfs.s3.TrinoS3FileSystem.S3_REGION;
 import static io.trino.hdfs.s3.TrinoS3FileSystem.S3_ROLE_SESSION_NAME;
 import static io.trino.hdfs.s3.TrinoS3FileSystem.S3_SECRET_KEY;
 import static java.nio.charset.StandardCharsets.UTF_8;
@@ -125,6 +126,11 @@ public void updateConfiguration(Configuration configuration, HdfsContext context
             hasher.putString(roleSessionName, UTF_8);
         });
 
+        mapping.getRegion().ifPresent(region -> {
+            configuration.set(S3_REGION, region);
+            hasher.putString(region, UTF_8);
+        });
+
         setCacheKey(configuration, hasher.hash().toString());
     }
 

diff --git a/lib/trino-hdfs/src/test/java/io/trino/hdfs/s3/TestS3SecurityMapping.java b/lib/trino-hdfs/src/test/java/io/trino/hdfs/s3/TestS3SecurityMapping.java
@@ -39,6 +39,7 @@
 import static io.trino.hdfs.s3.TrinoS3FileSystem.S3_ENDPOINT;
 import static io.trino.hdfs.s3.TrinoS3FileSystem.S3_IAM_ROLE;
 import static io.trino.hdfs.s3.TrinoS3FileSystem.S3_KMS_KEY_ID;
+import static io.trino.hdfs.s3.TrinoS3FileSystem.S3_REGION;
 import static io.trino.hdfs.s3.TrinoS3FileSystem.S3_ROLE_SESSION_NAME;
 import static io.trino.hdfs.s3.TrinoS3FileSystem.S3_SECRET_KEY;
 import static java.util.Objects.requireNonNull;
@@ -238,6 +239,12 @@ public void testMapping()
                 path("s3://endpointbucket/bar"),
                 credentials("AKIAxxxaccess", "iXbXxxxsecret").withEndpoint("http://localhost:7753"));
 
+        // matches prefix -- mapping provides credentials and region
+        assertMapping(
+                provider,
+                path("s3://regionalbucket/bar"),
+                credentials("AKIAxxxaccess", "iXbXxxxsecret").withRegion("us-west-2"));
+
         // matches role session name
         assertMapping(
                 provider,
@@ -293,7 +300,8 @@ public void testMappingWithoutFallback()
     public void testMappingWithoutRoleCredentialsFallbackShouldFail()
     {
         assertThatThrownBy(() ->
-                new S3SecurityMapping(Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty()))
+                new S3SecurityMapping(Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(),
+                        Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty()))
                 .isInstanceOf(IllegalArgumentException.class)
                 .hasMessage("must either allow useClusterDefault role or provide role and/or credentials");
     }
@@ -305,7 +313,8 @@ public void testMappingWithRoleAndFallbackShouldFail()
         Optional<Boolean> useClusterDefault = Optional.of(true);
 
         assertThatThrownBy(() ->
-                new S3SecurityMapping(Optional.empty(), Optional.empty(), Optional.empty(), iamRole, Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), useClusterDefault, Optional.empty()))
+                new S3SecurityMapping(Optional.empty(), Optional.empty(), Optional.empty(), iamRole, Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(),
+                        Optional.empty(), Optional.empty(), useClusterDefault, Optional.empty(), Optional.empty()))
                 .isInstanceOf(IllegalArgumentException.class)
                 .hasMessage("must either allow useClusterDefault role or provide role and/or credentials");
     }
@@ -317,7 +326,8 @@ public void testMappingWithEncryptionKeysAndFallbackShouldFail()
         Optional<String> kmsKeyId = Optional.of("CLIENT_S3CRT_KEY_ID");
 
         assertThatThrownBy(() ->
-                new S3SecurityMapping(Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), kmsKeyId, Optional.empty(), Optional.empty(), Optional.empty(), useClusterDefault, Optional.empty()))
+                new S3SecurityMapping(Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), kmsKeyId, Optional.empty(),
+                        Optional.empty(), Optional.empty(), useClusterDefault, Optional.empty(), Optional.empty()))
                 .isInstanceOf(IllegalArgumentException.class)
                 .hasMessage("KMS key ID cannot be provided together with useClusterDefault");
     }
@@ -328,7 +338,8 @@ public void testMappingWithRoleSessionNameWithoutIamRoleShouldFail()
         Optional<String> roleSessionName = Optional.of("iam-trino-session");
 
         assertThatThrownBy(() ->
-                new S3SecurityMapping(Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), roleSessionName, Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty()))
+                new S3SecurityMapping(Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), roleSessionName, Optional.empty(), Optional.empty(),
+                        Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty()))
                 .isInstanceOf(IllegalArgumentException.class)
                 .hasMessage("iamRole must be provided when roleSessionName is provided");
     }
@@ -350,6 +361,7 @@ private static void assertMapping(DynamicConfigurationProvider provider, Mapping
         assertEquals(configuration.get(S3_KMS_KEY_ID), mappingResult.getKmsKeyId().orElse(null));
         assertEquals(configuration.get(S3_ENDPOINT), mappingResult.getEndpoint().orElse(null));
         assertEquals(configuration.get(S3_ROLE_SESSION_NAME), mappingResult.getRoleSessionName().orElse(null));
+        assertEquals(configuration.get(S3_REGION), mappingResult.getRegion().orElse(null));
     }
 
     private static void assertMappingFails(DynamicConfigurationProvider provider, MappingSelector selector, String message)
@@ -438,22 +450,27 @@ public static class MappingResult
     {
         public static MappingResult credentials(String accessKey, String secretKey)
         {
-            return new MappingResult(Optional.of(accessKey), Optional.of(secretKey), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty());
+            return new MappingResult(Optional.of(accessKey), Optional.of(secretKey), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty());
         }
 
         public static MappingResult role(String role)
         {
-            return new MappingResult(Optional.empty(), Optional.empty(), Optional.of(role), Optional.empty(), Optional.empty(), Optional.empty());
+            return new MappingResult(Optional.empty(), Optional.empty(), Optional.of(role), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty());
         }
 
         public static MappingResult clusterDefaultRole()
         {
-            return new MappingResult(Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty());
+            return new MappingResult(Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty());
         }
 
         public static MappingResult endpoint(String endpoint)
         {
-            return new MappingResult(Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.of(endpoint), Optional.empty());
+            return new MappingResult(Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.of(endpoint), Optional.empty(), Optional.empty());
+        }
+
+        public static MappingResult region(String region)
+        {
+            return new MappingResult(Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.of(region));
         }
 
         private final Optional<String> accessKey;
@@ -462,30 +479,38 @@ public static MappingResult endpoint(String endpoint)
         private final Optional<String> kmsKeyId;
         private final Optional<String> endpoint;
         private final Optional<String> roleSessionName;
+        private final Optional<String> region;
 
-        private MappingResult(Optional<String> accessKey, Optional<String> secretKey, Optional<String> role, Optional<String> kmsKeyId, Optional<String> endpoint, Optional<String> roleSessionName)
+        private MappingResult(Optional<String> accessKey, Optional<String> secretKey, Optional<String> role, Optional<String> kmsKeyId, Optional<String> endpoint,
+                Optional<String> roleSessionName, Optional<String> region)
         {
             this.accessKey = requireNonNull(accessKey, "accessKey is null");
             this.secretKey = requireNonNull(secretKey, "secretKey is null");
             this.role = requireNonNull(role, "role is null");
             this.kmsKeyId = requireNonNull(kmsKeyId, "kmsKeyId is null");
             this.endpoint = requireNonNull(endpoint, "endpoint is null");
             this.roleSessionName = requireNonNull(roleSessionName, "roleSessionName is null");
+            this.region = requireNonNull(region, "region is null");
         }
 
         public MappingResult withEndpoint(String endpoint)
         {
-            return new MappingResult(accessKey, secretKey, role, kmsKeyId, Optional.of(endpoint), Optional.empty());
+            return new MappingResult(accessKey, secretKey, role, kmsKeyId, Optional.of(endpoint), Optional.empty(), region);
         }
 
         public MappingResult withKmsKeyId(String kmsKeyId)
         {
-            return new MappingResult(accessKey, secretKey, role, Optional.of(kmsKeyId), endpoint, Optional.empty());
+            return new MappingResult(accessKey, secretKey, role, Optional.of(kmsKeyId), endpoint, Optional.empty(), region);
+        }
+
+        public MappingResult withRegion(String region)
+        {
+            return new MappingResult(accessKey, secretKey, role, kmsKeyId, endpoint, Optional.empty(), Optional.of(region));
         }
 
         public MappingResult withRoleSessionName(String roleSessionName)
         {
-            return new MappingResult(accessKey, secretKey, role, kmsKeyId, Optional.empty(), Optional.of(roleSessionName));
+            return new MappingResult(accessKey, secretKey, role, kmsKeyId, Optional.empty(), Optional.of(roleSessionName), region);
         }
 
         public Optional<String> getAccessKey()
@@ -517,5 +542,10 @@ public Optional<String> getRoleSessionName()
         {
             return roleSessionName;
         }
+
+        public Optional<String> getRegion()
+        {
+            return region;
+        }
     }
 }
diff --git a/lib/trino-hdfs/src/test/resources/io/trino/hdfs/s3/security-mapping.json b/lib/trino-hdfs/src/test/resources/io/trino/hdfs/s3/security-mapping.json
@@ -67,6 +67,12 @@
       "secretKey": "iXbXxxxsecret",
       "endpoint": "http://localhost:7753"
     },
+    {
+      "prefix": "s3://regionalbucket",
+      "accessKey": "AKIAxxxaccess",
+      "secretKey": "iXbXxxxsecret",
+      "region": "us-west-2"
+    },
     {
       "prefix": "s3://somebucket",
       "iamRole": "arn:aws:iam::1234567891012:role/default",