Aliyun: Add RRSA support for OSS authentication (#14443)

zhaoyunjiong · John Zhao · web-flow · commit e93eaab33058 · 2026-01-17T08:59:18.000-08:00
* Aliyun: Add RRSA support for OSS authentication

* Add more description about RRSA and use Strings.isNullOrEmpty to simplify the code.

---------

Co-authored-by: John Zhao &lt;yunjiong_zhao@apple.com&gt;
diff --git a/aliyun/src/main/java/org/apache/iceberg/aliyun/AliyunClientFactories.java b/aliyun/src/main/java/org/apache/iceberg/aliyun/AliyunClientFactories.java
@@ -18,13 +18,20 @@
  */
 package org.apache.iceberg.aliyun;
 
+import com.aliyun.credentials.models.CredentialModel;
+import com.aliyun.credentials.provider.OIDCRoleArnCredentialProvider;
 import com.aliyun.oss.OSS;
 import com.aliyun.oss.OSSClientBuilder;
+import com.aliyun.oss.common.auth.BasicCredentials;
+import com.aliyun.oss.common.auth.Credentials;
+import com.aliyun.oss.common.auth.CredentialsProvider;
 import java.util.Map;
 import org.apache.iceberg.common.DynConstructors;
 import org.apache.iceberg.relocated.com.google.common.base.Preconditions;
 import org.apache.iceberg.relocated.com.google.common.base.Strings;
 import org.apache.iceberg.util.PropertyUtil;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 public class AliyunClientFactories {
 
@@ -81,17 +88,83 @@ private static AliyunClientFactory loadClientFactory(
   }
 
   static class DefaultAliyunClientFactory implements AliyunClientFactory {
+    private static final Logger LOG = LoggerFactory.getLogger(DefaultAliyunClientFactory.class);
     private AliyunProperties aliyunProperties;
 
     DefaultAliyunClientFactory() {}
 
+    /**
+     * Check if RRSA environment variables are present. RRSA requires
+     * ALIBABA_CLOUD_OIDC_PROVIDER_ARN, ALIBABA_CLOUD_ROLE_ARN and ALIBABA_CLOUD_OIDC_TOKEN_FILE to
+     * be set. RRSA stands for RAM Roles for Service Accounts. It works by letting pods assume
+     * specific RAM (Resource Access Management) roles when they need to call cloud APIs — no
+     * hard-coded credentials are needed, which reduces risk of credential leaks. Here is the
+     * document for RRSA:
+     * https://www.alibabacloud.com/help/en/ack/ack-managed-and-ack-dedicated/user-guide/use-rrsa-to-authorize-pods-to-access-different-cloud-services
+     */
+    boolean isRrsaEnvironmentAvailable() {
+      String oidcProviderArn = System.getenv("ALIBABA_CLOUD_OIDC_PROVIDER_ARN");
+      String roleArn = System.getenv("ALIBABA_CLOUD_ROLE_ARN");
+      String oidcTokenFile = System.getenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE");
+      return !Strings.isNullOrEmpty(oidcProviderArn)
+          && !Strings.isNullOrEmpty(roleArn)
+          && !Strings.isNullOrEmpty(oidcTokenFile);
+    }
+
     @Override
     public OSS newOSSClient() {
       Preconditions.checkNotNull(
           aliyunProperties,
           "Cannot create aliyun oss client before initializing the AliyunClientFactory.");
 
-      if (Strings.isNullOrEmpty(aliyunProperties.securityToken())) {
+      String endpoint = aliyunProperties.ossEndpoint();
+
+      // Check if RRSA environment is available
+      if (isRrsaEnvironmentAvailable()) {
+        try {
+          LOG.info(
+              "Detected RRSA environment variables, creating OSS client with RRSA credentials for endpoint: {}",
+              endpoint);
+
+          // Use OIDCRoleArnCredentialProvider directly with built-in caching and auto-refresh
+          final OIDCRoleArnCredentialProvider oidcProvider =
+              OIDCRoleArnCredentialProvider.builder().build();
+
+          CredentialsProvider ossCredProvider =
+              new CredentialsProvider() {
+                private volatile Credentials currentCredentials;
+
+                @Override
+                public void setCredentials(Credentials credentials) {}
+
+                @Override
+                public Credentials getCredentials() {
+                  try {
+                    LOG.debug("Getting credentials using RRSA");
+                    // getCredentials() returns cached credentials and auto-refreshes when needed
+                    CredentialModel cred = oidcProvider.getCredentials();
+                    long expirationSeconds = 0;
+                    if (cred.getExpiration() > 0) {
+                      expirationSeconds =
+                          (cred.getExpiration() - System.currentTimeMillis()) / 1000;
+                    }
+                    this.currentCredentials =
+                        new BasicCredentials(
+                            cred.getAccessKeyId(),
+                            cred.getAccessKeySecret(),
+                            cred.getSecurityToken(),
+                            expirationSeconds);
+                    return this.currentCredentials;
+                  } catch (Exception e) {
+                    throw new RuntimeException("Failed to get RRSA credentials", e);
+                  }
+                }
+              };
+          return new OSSClientBuilder().build(endpoint, ossCredProvider);
+        } catch (Exception e) {
+          throw new RuntimeException("Failed to create RRSA OSS client", e);
+        }
+      } else if (Strings.isNullOrEmpty(aliyunProperties.securityToken())) {
         return new OSSClientBuilder()
             .build(
                 aliyunProperties.ossEndpoint(),
diff --git a/aliyun/src/test/java/org/apache/iceberg/aliyun/TestAliyunClientFactories.java b/aliyun/src/test/java/org/apache/iceberg/aliyun/TestAliyunClientFactories.java
@@ -25,6 +25,7 @@
 import org.apache.iceberg.relocated.com.google.common.collect.ImmutableMap;
 import org.apache.iceberg.relocated.com.google.common.collect.Maps;
 import org.junit.jupiter.api.Test;
+import org.junitpioneer.jupiter.SetEnvironmentVariable;
 
 public class TestAliyunClientFactories {
 
@@ -76,6 +77,64 @@ public void testLoadCustom() {
         .isInstanceOf(CustomFactory.class);
   }
 
+  /**
+   * Test RRSA environment detection.
+   *
+   * <p>This test requires the following environment variables to be set:
+   *
+   * <ul>
+   *   <li>ALIBABA_CLOUD_OIDC_PROVIDER_ARN
+   *   <li>ALIBABA_CLOUD_ROLE_ARN
+   *   <li>ALIBABA_CLOUD_OIDC_TOKEN_FILE
+   * </ul>
+   */
+  @Test
+  @SetEnvironmentVariable(
+      key = "ALIBABA_CLOUD_OIDC_PROVIDER_ARN",
+      value = "acs:ram::123456789:oidc-provider/ack-rrsa-test")
+  @SetEnvironmentVariable(
+      key = "ALIBABA_CLOUD_ROLE_ARN",
+      value = "acs:ram::123456789:role/test-rrsa-role")
+  @SetEnvironmentVariable(key = "ALIBABA_CLOUD_OIDC_TOKEN_FILE", value = "/tmp/oidc-token")
+  public void testRRSAEnvironmentDetection() {
+    Map<String, String> properties = Maps.newHashMap();
+    properties.put(AliyunProperties.OSS_ENDPOINT, "https://oss-cn-hangzhou.aliyuncs.com");
+
+    AliyunClientFactories.DefaultAliyunClientFactory factory =
+        new AliyunClientFactories.DefaultAliyunClientFactory();
+    factory.initialize(properties);
+    assertThat(factory.isRrsaEnvironmentAvailable()).isTrue();
+
+    OSS client = factory.newOSSClient();
+    assertThat(client).as("OSS client should be created with RRSA").isNotNull();
+
+    // Try to actually use the client - this should trigger credential retrieval
+    // With fake credentials, this should fail
+    try {
+      client.doesBucketExist("test-bucket");
+      // If we get here with fake creds, something is wrong
+      throw new AssertionError(
+          "Expected operation to fail with fake RRSA credentials, but it succeeded");
+    } catch (Exception e) {
+      // Expected - fake RRSA credentials should cause failure
+      assertThat(e).isNotNull();
+    } finally {
+      client.shutdown();
+    }
+  }
+
+  @Test
+  public void testIsRrsaEnvironmentAvailableWithoutEnvVars() {
+    // Verify that isRrsaEnvironmentAvailable returns false when env vars are not set
+    AliyunClientFactories.DefaultAliyunClientFactory factory =
+        new AliyunClientFactories.DefaultAliyunClientFactory();
+
+    // Assuming RRSA env vars are not set in test environment
+    assertThat(factory.isRrsaEnvironmentAvailable())
+        .as("RRSA should not be available without environment variables")
+        .isFalse();
+  }
+
   public static class CustomFactory implements AliyunClientFactory {
 
     AliyunProperties aliyunProperties;
diff --git a/build.gradle b/build.gradle
@@ -454,6 +454,8 @@ project(':iceberg-aliyun') {
     implementation project(':iceberg-common')
 
     compileOnly libs.aliyun.sdk.oss
+    implementation libs.aliyun.credentials.java
+    implementation libs.aliyun.tea
     compileOnly libs.jaxb.api
     compileOnly libs.activation
     compileOnly libs.jaxb.runtime
@@ -467,6 +469,7 @@ project(':iceberg-aliyun') {
     testImplementation platform(libs.jackson.bom)
     testImplementation "com.fasterxml.jackson.dataformat:jackson-dataformat-xml"
     testImplementation project(path: ':iceberg-api', configuration: 'testArtifacts')
+    testImplementation libs.junit.pioneer
   }
 }
 
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -21,7 +21,9 @@
 
 [versions]
 activation = "1.1.1"
+aliyun-credentials-java = "0.3.2"
 aliyun-sdk-oss = "3.18.4"
+aliyun-tea = "1.2.1"
 analyticsaccelerator = "1.3.1"
 antlr = "4.9.3"
 antlr413 = "4.13.1" # For Spark 4.0 support
@@ -70,6 +72,7 @@ jaxb-runtime = "2.3.9"
 jetty = "11.0.26"
 junit = "5.14.2"
 junit-platform = "1.14.2"
+junit-pioneer = "2.3.0"
 kafka = "3.9.1"
 kryo-shaded = "4.0.3"
 microprofile-openapi-api = "3.1.2"
@@ -95,7 +98,9 @@ tez08 = { strictly = "0.8.4"}  # see rich version usage explanation above
 [libraries]
 activation = { module = "javax.activation:activation", version.ref = "activation" }
 aircompressor = { module = "io.airlift:aircompressor", version.ref = "aircompressor" }
+aliyun-credentials-java = { module = "com.aliyun:credentials-java", version.ref = "aliyun-credentials-java" }
 aliyun-sdk-oss = { module = "com.aliyun.oss:aliyun-sdk-oss", version.ref = "aliyun-sdk-oss" }
+aliyun-tea = { module = "com.aliyun:tea", version.ref = "aliyun-tea" }
 analyticsaccelerator-s3 = { module = "software.amazon.s3.analyticsaccelerator:analyticsaccelerator-s3", version.ref = "analyticsaccelerator" }
 antlr-antlr4 = { module = "org.antlr:antlr4", version.ref = "antlr" }
 antlr-runtime = { module = "org.antlr:antlr4-runtime", version.ref = "antlr" }
@@ -206,6 +211,7 @@ jetty-server = { module = "org.eclipse.jetty:jetty-server", version.ref = "jetty
 jetty-servlet = { module = "org.eclipse.jetty:jetty-servlet", version.ref = "jetty" }
 junit-jupiter = { module = "org.junit.jupiter:junit-jupiter", version.ref = "junit" }
 junit-jupiter-engine = { module = "org.junit.jupiter:junit-jupiter-engine", version.ref = "junit" }
+junit-pioneer = { module = "org.junit-pioneer:junit-pioneer", version.ref = "junit-pioneer" }
 junit-platform-launcher = { module = "org.junit.platform:junit-platform-launcher", version.ref = "junit-platform" }
 junit-suite-api = { module = "org.junit.platform:junit-platform-suite-api", version.ref = "junit-platform" }
 junit-suite-engine = { module = "org.junit.platform:junit-platform-suite-engine", version.ref = "junit-platform" }

Original file line number	Diff line number	Diff line change
`@@ -454,6 +454,8 @@ project(':iceberg-aliyun') {`
`454`	`454`	`implementation project(':iceberg-common')`
`455`	`455`
`456`	`456`	`compileOnly libs.aliyun.sdk.oss`
	`457`	`+ implementation libs.aliyun.credentials.java`
	`458`	`+ implementation libs.aliyun.tea`
`457`	`459`	`compileOnly libs.jaxb.api`
`458`	`460`	`compileOnly libs.activation`
`459`	`461`	`compileOnly libs.jaxb.runtime`
`@@ -467,6 +469,7 @@ project(':iceberg-aliyun') {`
`467`	`469`	`testImplementation platform(libs.jackson.bom)`
`468`	`470`	`testImplementation "com.fasterxml.jackson.dataformat:jackson-dataformat-xml"`
`469`	`471`	`testImplementation project(path: ':iceberg-api', configuration: 'testArtifacts')`
	`472`	`+ testImplementation libs.junit.pioneer`
`470`	`473`	`}`
`471`	`474`	`}`
`472`	`475`