Skip to content

Deprecated: Role-based S3 access #688

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 12 commits into from
Apr 8, 2025
Merged

Deprecated: Role-based S3 access #688

merged 12 commits into from
Apr 8, 2025

Conversation

zvonand
Copy link
Collaborator

@zvonand zvonand commented Mar 17, 2025
edited
Loading

Succeeded by #875, this one is no longer needed to be forwardported

Implement role-based S3 access.

If extra_credentials(role_arn=...) is provided, temporary credentials are requested from AWS STS and used to access S3. AWS credentials (access_key_id, secret_access_key, and optionally session_token) must be provided to assume the role.

Changelog category (leave one):

  • New Feature

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):

Added AWS IAM role assumption in s3 table function when explicit AWS credentials are specified and extra_credentials argument contains roleARN.

Documentation entry for user-facing changes

@altinity-robot
Copy link
Collaborator

altinity-robot commented Mar 17, 2025
edited
Loading

This is an automated comment for commit 2ec2527 with description of existing statuses. It's updated for the latest CI running

❌ Click here to open a full report in a separate page

Check nameDescriptionStatus
Integration testsThe integration tests report. In parenthesis the package type is given, and in square brackets are the optional part/total tests❌ failure
Regression aarch64 Tiered Storage s3amazonThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS❌ failure
Regression aarch64 Tiered Storage s3gcsThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS❌ failure
Sign aarch64There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS❌ error
Sign releaseThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS❌ error
Stateless testsRuns stateless functional tests for ClickHouse binaries built in various configurations -- release, debug, with sanitizers, etc❌ failure
Stress testRuns stateless functional tests concurrently from several clients to detect concurrency-related errors❌ failure
Successful checks
Check nameDescriptionStatus
BuildsThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Compatibility checkChecks that clickhouse binary runs on distributions with old libc versions. If it fails, ask a maintainer for help✅ success
Docker keeper imageThe check to build and optionally push the mentioned image to docker hub✅ success
Docker server imageThe check to build and optionally push the mentioned image to docker hub✅ success
Install packagesChecks that the built packages are installable in a clear environment✅ success
Ready for releaseThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 Alter attach partitionThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 Alter move partitionThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 Alter replace partitionThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 Benchmark aws_s3There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 Benchmark gcsThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 Benchmark minioThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 Clickhouse Keeper SSLThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 LDAP authenticationThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 LDAP external_user_directoryThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 LDAP role_mappingThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 Parquet aws_s3There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 Parquet minioThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 ParquetThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 S3 azureThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 S3 gcsThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 S3 minioThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 Tiered Storage minioThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 aes_encryptionThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 atomic_insertThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 base_58There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 clickhouse_keeperThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 data_typesThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 datetime64_extended_rangeThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 disk_level_encryptionThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 dnsThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 enginesThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 exampleThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 extended_precision_data_typesThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 kafkaThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 kerberosThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 key_valueThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 lightweight_deleteThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 memoryThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 part_moves_between_shardsThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 selectsThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 session_timezoneThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 tiered_storageThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Regression aarch64 window_functionsThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Stateful testsRuns stateful functional tests for ClickHouse binaries built in various configurations -- release, debug, with sanitizers, etc✅ success

@zvonand zvonand force-pushed the s3-roles branch 3 times, most recently from d77fbad to 5f8ae4c Compare March 20, 2025 08:07
@zvonand zvonand marked this pull request as ready for review March 22, 2025 13:33
ianton-ru
ianton-ru reviewed Mar 24, 2025
View reviewed changes
ianton-ru
ianton-ru previously approved these changes Apr 6, 2025
View reviewed changes
@MyroTk MyroTk added the antalya-25.2.2 Planned for 25.2.2 release label Apr 7, 2025
@Enmk Enmk merged commit 493f4c7 into antalya Apr 8, 2025
223 of 316 checks passed
zvonand pushed a commit that referenced this pull request May 23, 2025
@Enmk @zvonand
Merge pull request #688 from Altinity/s3-roles
db183de 
Role-based S3 access
@svb-alt svb-alt mentioned this pull request May 24, 2025
Open
36 tasks
@pkit
Copy link

pkit commented May 30, 2025

Cool, but not really usable in cross-account scenarios without external-id support.

@zvonand
Copy link
Collaborator Author

zvonand commented May 31, 2025

Already working on improvement

Enmk added a commit that referenced this pull request Jun 2, 2025
@Enmk
Merge pull request #803 from Altinity/forwardports/688-antalya-25.3.3.42
e6085ac 
25.3 Antalya port of #688 - Role-based S3 access
@zvonand zvonand mentioned this pull request Jul 2, 2025
Closed
13 tasks
@svb-alt svb-alt mentioned this pull request Jul 12, 2025
Open
zvonand pushed a commit that referenced this pull request Jul 14, 2025
@Enmk @zvonand
Merge pull request #688 from Altinity/s3-roles
f668e30 
Role-based S3 access
@zvonand zvonand added duplicate This issue or pull request already exists and removed antalya antalya-25.2 labels Jul 14, 2025
@zvonand zvonand changed the title Role-based S3 access Deprecated: Role-based S3 access Jul 14, 2025
zvonand pushed a commit that referenced this pull request Jul 16, 2025
@Enmk @zvonand
Merge pull request #688 from Altinity/s3-roles
0c1e13f 
Role-based S3 access
Enmk added a commit that referenced this pull request Aug 6, 2025
@Enmk
Fied some of the Integration tests
04fcc75 
By reverting those back to upstream/25.6 variant.
Those are related to the features that were not merged yet and hence fail:
 - integration/test_s3_assume_role/test.py - was added by #688
 - integration/test_mask_sensitive_info/test.py - was added by #675
 - integration/test_s3_cache_locality/test.py - was added by #763
Enmk added a commit that referenced this pull request Aug 6, 2025
@Enmk
Fied some of the Integration tests
b76d3b0 
By reverting those back to upstream/25.6 variant.
Those are related to the features that were not merged yet and hence fail:
 - integration/test_s3_assume_role/test.py - was added by #688
 - integration/test_mask_sensitive_info/test.py - was added by #675
 - integration/test_s3_cache_locality/test.py - was added by #763
Enmk added a commit that referenced this pull request Aug 6, 2025
@Enmk
Fixed some of the Integration tests
68fefe3 
By reverting those back to upstream/25.6 variant.
Those are related to the features that were not merged yet and hence fail:
 - integration/test_s3_assume_role/test.py - was added by #688
 - integration/test_mask_sensitive_info/test.py - was added by #675
 - integration/test_s3_cache_locality/test.py - was added by #763
@Enmk Enmk mentioned this pull request Aug 6, 2025
Merged
13 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ianton-ru ianton-ru ianton-ru left review comments

Assignees
No one assigned
Labels
antalya-25.2.2 Planned for 25.2.2 release duplicate This issue or pull request already exists
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@zvonand @altinity-robot @pkit @ianton-ru @Enmk @vzakaznikov @MyroTk