Package org.apache.hadoop.fs.s3a.auth.delegation

Class DelegationConstants

java.lang.Object
org.apache.hadoop.fs.s3a.auth.delegation.DelegationConstants

@Public @Unstable public final class DelegationConstants extends Object
All the constants related to delegation tokens. They are kept out of the normal S3 constants while unstable. Where possible, the existing assumed role properties are used to configure STS binding, default ARN, etc. This makes documenting everything that much easier and avoids trying to debug precisely which STS endpoint property should be set. Most settings here are replicated in core-default.xml; the values MUST be kept in sync.
  • Field Details

    • DELEGATION_TOKEN_ENDPOINT

      public static final String DELEGATION_TOKEN_ENDPOINT
      Endpoint for session tokens, used when building delegation tokens: "fs.s3a.assumed.role.sts.endpoint".
    • DEFAULT_DELEGATION_TOKEN_ENDPOINT

      public static final String DEFAULT_DELEGATION_TOKEN_ENDPOINT
      Default endpoint for session tokens: "".
    • DELEGATION_TOKEN_REGION

      public static final String DELEGATION_TOKEN_REGION
      Region for DT issuing; must be non-empty if the endpoint is set: "fs.s3a.assumed.role.sts.endpoint.region".
    • DEFAULT_DELEGATION_TOKEN_REGION

      public static final String DEFAULT_DELEGATION_TOKEN_REGION
      Region default: "".
    • DELEGATION_TOKEN_DURATION

      public static final String DELEGATION_TOKEN_DURATION
      Duration of tokens in time: "fs.s3a.assumed.role.session.duration".
    • DEFAULT_DELEGATION_TOKEN_DURATION

      public static final String DEFAULT_DELEGATION_TOKEN_DURATION
      Default duration of a delegation token: "1h". Must be in the range supported by STS.
    • DELEGATION_TOKEN_CREDENTIALS_PROVIDER

      public static final String DELEGATION_TOKEN_CREDENTIALS_PROVIDER
      Key to list AWS credential providers for Session/role credentials: "fs.s3a.aws.credentials.provider".
    • DELEGATION_TOKEN_ROLE_ARN

      public static final String DELEGATION_TOKEN_ROLE_ARN
      ARN of the delegation token: "fs.s3a.assumed.role.arn". Required for the role token.
    • DELEGATION_TOKEN_BINDING

      public static final String DELEGATION_TOKEN_BINDING
      Property containing classname for token binding: "fs.s3a.delegation.token.binding".
    • DELEGATION_TOKEN_SESSION_BINDING

      public static final String DELEGATION_TOKEN_SESSION_BINDING
      Session Token binding classname: "org.apache.hadoop.fs.s3a.auth.delegation.SessionTokenBinding".
    • DEFAULT_DELEGATION_TOKEN_BINDING

      public static final String DEFAULT_DELEGATION_TOKEN_BINDING
      Default token binding: "".
    • DELEGATION_TOKEN_FULL_CREDENTIALS_BINDING

      public static final String DELEGATION_TOKEN_FULL_CREDENTIALS_BINDING
      Token binding to pass full credentials: "org.apache.hadoop.fs.s3a.auth.delegation.FullCredentialsTokenBinding".
    • DELEGATION_TOKEN_ROLE_BINDING

      public static final String DELEGATION_TOKEN_ROLE_BINDING
      Role DTs: "org.apache.hadoop.fs.s3a.auth.delegation.RoleTokenBinding".
    • TOKEN_NAME_PREFIX

      public static final String TOKEN_NAME_PREFIX
      Prefix for token names: "S3ADelegationToken/".
    • SESSION_TOKEN_NAME

      public static final String SESSION_TOKEN_NAME
      Name of session token: "S3ADelegationToken/Session".
    • SESSION_TOKEN_KIND

      public static final Text SESSION_TOKEN_KIND
      Kind of the session token; value is SESSION_TOKEN_NAME.
    • FULL_TOKEN_NAME

      public static final String FULL_TOKEN_NAME
      Name of full token: "S3ADelegationToken/Full".
    • FULL_TOKEN_KIND

      public static final Text FULL_TOKEN_KIND
      Kind of the full token; value is FULL_TOKEN_NAME.
    • ROLE_TOKEN_NAME

      public static final String ROLE_TOKEN_NAME
      Name of role token: "S3ADelegationToken/Role".
    • ROLE_TOKEN_KIND

      public static final Text ROLE_TOKEN_KIND
      Kind of the role token; value is ROLE_TOKEN_NAME.
    • E_NO_SESSION_TOKENS_FOR_ROLE_BINDING

      public static final String E_NO_SESSION_TOKENS_FOR_ROLE_BINDING
      If the token binding auth chain is only session-level auth, you can't use the role binding: "Cannot issue S3A Role Delegation Tokens without full AWS credentials".
    • STS_STANDARD

      public static final String STS_STANDARD
      The standard STS server.
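
As an added example (not part of the Hadoop code base or of this Javadoc), a small Python lint that checks Hadoop site-XML text against the constraints stated in the field details: region non-empty when the endpoint is set, role ARN present for the role binding, and a flag when the full-credentials binding is selected. The sample XML, the ARN, the finding codes and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Property names and binding classnames exactly as listed in the field details.
ENDPOINT = "fs.s3a.assumed.role.sts.endpoint"
REGION = "fs.s3a.assumed.role.sts.endpoint.region"
ROLE_ARN = "fs.s3a.assumed.role.arn"
BINDING = "fs.s3a.delegation.token.binding"
PKG = "org.apache.hadoop.fs.s3a.auth.delegation."
SESSION_BINDING = PKG + "SessionTokenBinding"
ROLE_BINDING = PKG + "RoleTokenBinding"
FULL_BINDING = PKG + "FullCredentialsTokenBinding"

def load_site(xml_text):
    """Parse Hadoop site-XML text into {property name: trimmed value}."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def lint(props):
    """Return finding codes (hypothetical names) for the documented constraints."""
    findings = []
    binding = props.get(BINDING, "")  # documented default binding is ""
    if props.get(ENDPOINT, "") and not props.get(REGION, ""):
        findings.append("REGION_EMPTY_WITH_ENDPOINT")
    if binding == ROLE_BINDING and not props.get(ROLE_ARN, ""):
        findings.append("ROLE_BINDING_WITHOUT_ARN")
    if binding == FULL_BINDING:
        findings.append("FULL_CREDENTIALS_IN_TOKEN")  # binding passes full credentials
    elif binding and binding not in (SESSION_BINDING, ROLE_BINDING):
        findings.append("UNLISTED_BINDING_CLASS")  # not one of the three listed here
    return findings

# Constructed sample input, not taken from a real deployment.
BAD_SITE = """<configuration>
  <property><name>fs.s3a.delegation.token.binding</name>
    <value>org.apache.hadoop.fs.s3a.auth.delegation.RoleTokenBinding</value></property>
  <property><name>fs.s3a.assumed.role.sts.endpoint</name>
    <value>sts.eu-west-1.amazonaws.com</value></property>
</configuration>"""
GOOD_SITE = BAD_SITE.replace("</configuration>", """
  <property><name>fs.s3a.assumed.role.sts.endpoint.region</name><value>eu-west-1</value></property>
  <property><name>fs.s3a.assumed.role.arn</name>
    <value>arn:aws:iam::123456789012:role/example-dt-role</value></property>
</configuration>""")

if __name__ == "__main__":
    print(lint(load_site(BAD_SITE)))
    print(lint(load_site(GOOD_SITE)))
```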