-
Notifications
You must be signed in to change notification settings - Fork 995
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add AWS SSO authentication and option aws_home_dir (s3fs-fuse#1931) #2165
base: master
Are you sure you want to change the base?
Conversation
This reverts commit 50b9251.
@darioackermann First of all, I don't think there is any processing when the SSO session token expires, but will it be updated outside of s3fs? The openssl code (SHA1) should be implemented in a separate file. I use nlohmann-json as my JSON parser, but I don't want to use it because it deviates from c++03 (I know it's old). Thanks for your help. |
No worries!
No, there is no processing when the token is expires. SSO tokens need to be renewed manually, by the user, by running
I see no other way of integrating the SSO feature otherwise, as there is no way to automatically renew the token. I have not yet tested what happens when the token expires, but the user would notice since the share is unavailable then (?)
AWS SSO sessions last 8 hours I believe.
Generally, most of this MR is not my work, I have only resolved the conflicts and made most integration tests work (and cppcheck happy). I haven't changed anything in the logic. Regarding the JSON header: I understand it raises the bar, I have only seen this comment in the other MR and assumed it was fine: https://github.com/s3fs-fuse/s3fs-fuse/pull/1932/files#r901044187 . If we're able to find a JSON parser that supports the c++03 standard that'd be an alternative, but a yaml parser won't work since the SSO tokens are stored in JSON format. |
@darioackermann Thenks for your reply. Regarding SSO support, I think @sqlbot's comment in the previous PR makes sense, and I also agree with him.
Since s3fs usually runs on the server-side(background), I don't think the user will notice it easily if the token expires. It would be useful if there was another application(i don't know if it exists) that would notice the SSO token update and automatically redo the SSO login. @gaul Please let me discuss in this PR whether this AWS SSO support should be done or not. NOTEIf we proceed with this PR(if we decide to support SSO), I would like you to make the following modifications to the source code.
|
Yes: Auth by SSO is definitely not a server side feature and nothing that will work on an unmonitored system. But that's what EC2 roles are for for example. Again: This is definitely an end-user feature: we'd like to follow AWS best practice and only generate IAM keys where really needed. We would want to avoid having IAM keys laying around for S3 access.
You mean initiate the SSO login? There's always at least a manual click required (if the user is already logged in at AWS) Automating the whole process would mean that we'd somehow have to store the credentials what is not the point of it..
Thanks for the clarification, got misled by the library name :)) |
Second thought: it would be nice to have a possibility to inform the user about the expired SSO token, but I don't really see a way that can be used? |
@darioackermann Thanks for your reply. However, the problem with expiring tokens is still that the cause of the error is hidden for the end user. As you know, when the SSO token expires, s3fs tries to use that token and fails. It would be nice if there was some way to do it, but if this feature were built in, it would likely cause more confusion when the token expires than the inconvenience of not being able to use SSO token. |
If the credentials expire, it's the same as the drive failing or being hot-removed. This feature is necessary for a lot of people, I see no harm in adding it. If you don't like the concept of temporary credentials, just use permanent ones instead. |
I am a bit confused why we are discussing whether this shall be added or not.
As @mgaunard said, nobody is forced to use temporary SSO credentials. But, unlike permanent credentials (which AWS boos at), temporary SSO credentials are best practise. I am happy to change the currently used libraries to the alternatives suggested, but only if there is some sort of guarantee that this feature makes it into s3fs-fuse. |
Hei,
This is not the case at least for me, I use s3fs-fuse to browse files on S3 from my computer. I think it's a valid use case, and kindly ask you to reconsider merging this, @ggtakec 🙏 |
There should be no need for using additional libraries when using the I am still willing to make the needed adjustments, but haven't heard back that this PR will be merged eventually. |
@darioackermann If I run it without the plugin (after Edit: The command I'm running is s3fs <BUCKET_NAME> ./mountdir/ -o use_cache=true |
Hi, I wanted to ping this as another user invested in this as an option. I want to use s3fs on my development machine and keep using SSO for auth. I understand that FUSE cannot report detailed errors, but you get used to having to reauth every morning and that errors you experience before then have a clear cause. |
Relevant Issue (if applicable)
#1931
already open MR: #1932
Details
This is not very different from #1932
I have made the integration tests work (except for centos and rockylinux, for which the header is not available as package - what should we do there?) and adjusted stuff such that cppcheck doesn't complain, and resolved merge conflicts.
We could default that SSO support is not enabled automatically for centos/rockylinux builds. (and add a flag for enabling it).