Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[fix](glue)support access glue iceberg with credential list
support access glue and s3 iceberg with credential list support iceberg hadoop catalog on s3 (cherry picked from commit ef85d0d)
Showing 16 changed files with 234 additions and 50 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,61 @@ | ||
--- | ||
{ | ||
"title": "Cloud Service Authentication", | ||
"language": "en" | ||
} | ||
--- | ||
|
||
<!-- | ||
Licensed to the Apache Software Foundation (ASF) under one | ||
or more contributor license agreements. See the NOTICE file | ||
distributed with this work for additional information | ||
regarding copyright ownership. The ASF licenses this file | ||
to you under the Apache License, Version 2.0 (the | ||
"License"); you may not use this file except in compliance | ||
with the License. You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, | ||
software distributed under the License is distributed on an | ||
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
KIND, either express or implied. See the License for the | ||
specific language governing permissions and limitations | ||
under the License. | ||
--> | ||
|
||
# Overview | ||
|
||
When accessing a service on the cloud, we need to provide the credentials needed to access the service so that the service can be authenticated by IAM of cloud vendors. | ||
|
||
## AWS | ||
|
||
Now Doris support two types of authentication to access AWS service. | ||
|
||
### Catalog Credentials | ||
|
||
The Catalog supports filling in basic Credentials properties, such as: | ||
1. For S3: `s3.endpoint`,`s3.access_key`,`s3.secret_key`。 | ||
2. For Glue: `glue.endpoint`,`glue.access_key`,`glue.secret_key`。 | ||
|
||
When access Glue though Iceberg Catalog, we can access tables on Glue by filling in the following properties: | ||
|
||
```sql | ||
CREATE CATALOG glue PROPERTIES ( | ||
"type"="iceberg", | ||
"iceberg.catalog.type" = "glue", | ||
"glue.endpoint" = "https://glue.us-east-1.amazonaws.com", | ||
"glue.access_key" = "ak", | ||
"glue.secret_key" = "sk" | ||
); | ||
``` | ||
|
||
### System Credentials | ||
|
||
For applications running on AWS resources, such as EC2 instances, this approach enhances security by avoiding hardcoded credentials. | ||
|
||
If we create the Catalog but not fill any Credentials in properties, the `DefaultAWSCredentialsProviderChain` will be used to read in the system environment variables or instance profile. | ||
|
||
For details about how to configure environment variables and system properties, see: [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html) . | ||
- The configurable environment variables are: `AWS_ACCESS_KEY_ID`、`AWS_SECRET_ACCESS_KEY`、`AWS_SESSION_TOKEN`、`AWS_ROLE_ARN`、`AWS_WEB_IDENTITY_TOKEN_FILE` and so on. | ||
- In addition, you can also use [aws configure](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html) to configure Credentials, the Credentials file will be written to the `~/.aws` directory. |
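Review bot: The "System Credentials" section says that leaving the credential properties out makes Doris fall back to `DefaultAWSCredentialsProviderChain`, but it does not say which source wins when `glue.access_key`/`glue.secret_key` are set and environment variables or an instance profile are also present, and it has no `CREATE CATALOG` example with the keys omitted. Please state the precedence and add that example, since this is the approach the page describes as avoiding hardcoded credentials. The same sentence names only "system environment variables or instance profile", while the bullets below it add `AWS_WEB_IDENTITY_TOKEN_FILE` and the `~/.aws` credentials file, so the sentence and the bullets should list the same sources. Style: "Now Doris support", "When access Glue though Iceberg Catalog" and "but not fill any Credentials" need grammar fixes, and this English file uses full-width `。` and `、` where ASCII punctuation is expected.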
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,61 @@ | ||
--- | ||
{ | ||
"title": "云服务认证接入", | ||
"language": "zh-CN" | ||
} | ||
--- | ||
|
||
<!-- | ||
Licensed to the Apache Software Foundation (ASF) under one | ||
or more contributor license agreements. See the NOTICE file | ||
distributed with this work for additional information | ||
regarding copyright ownership. The ASF licenses this file | ||
to you under the Apache License, Version 2.0 (the | ||
"License"); you may not use this file except in compliance | ||
with the License. You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, | ||
software distributed under the License is distributed on an | ||
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
KIND, either express or implied. See the License for the | ||
specific language governing permissions and limitations | ||
under the License. | ||
--> | ||
|
||
# 概述 | ||
|
||
当访问云上的服务时,我们需要提供访问服务所需要的凭证,以便服务能够通过各云厂商IAM的认证。 | ||
|
||
## AWS | ||
|
||
现在Doris访问AWS服务时,能够支持两种类型的身份认证。 | ||
|
||
### 使用Catalog属性认证 | ||
|
||
Catalog支持填写基本的Credentials属性,比如: | ||
1. 访问S3时,可以使用s3.endpoint,s3.access_key,s3.secret_key。 | ||
2. 访问Glue时,可以使用glue.endpoint,glue.access_key,glue.secret_key。 | ||
|
||
以Iceberg Catalog访问Glue为例,我们可以填写以下属性访问在Glue上托管的表: | ||
|
||
```sql | ||
CREATE CATALOG glue PROPERTIES ( | ||
"type"="iceberg", | ||
"iceberg.catalog.type" = "glue", | ||
"glue.endpoint" = "https://glue.us-east-1.amazonaws.com", | ||
"glue.access_key" = "ak", | ||
"glue.secret_key" = "sk" | ||
); | ||
``` | ||
|
||
### 使用系统属性认证 | ||
|
||
用于运行在AWS资源(如EC2实例)上的应用程序。可以避免硬编码写入Credentials,能够增强数据安全性。 | ||
|
||
当我们在创建Catalog时,未填写Credentials属性,那么此时会使用DefaultAWSCredentialsProviderChain,它能够读取系统环境变量或者instance profile中配置的属性。 | ||
|
||
配置环境变量和系统属性的方式可以参考:[AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html) 。 | ||
- 可以选择的配置的环境变量有:`AWS_ACCESS_KEY_ID`、`AWS_SECRET_ACCESS_KEY`、`AWS_SESSION_TOKEN`、`AWS_ROLE_ARN`、`AWS_WEB_IDENTITY_TOKEN_FILE`等 | ||
- 另外,还可以使用[aws configure](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html)直接配置Credentials信息,同时在`~/.aws`目录下生成credentials文件。 |
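Review bot: In the two list items under "使用Catalog属性认证", the property names (s3.endpoint, s3.access_key, s3.secret_key and the glue.* equivalents) are plain text, while the English file and the environment-variable bullet further down put identifiers in backticks; DefaultAWSCredentialsProviderChain in the "使用系统属性认证" paragraph is unformatted as well. Please wrap these in backticks so both language versions render the same way. The environment-variable bullet ends with "等" and no "。", unlike the bullet after it. As in the English file, the sample `CREATE CATALOG` shows only inline `glue.access_key`/`glue.secret_key`; a second sample with the keys omitted would match what the system-credentials section describes.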