PR Revision 1

Author: adnanhemani

hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/DefaultS3ClientFactory.java

@@ -418,12 +418,13 @@ private static Region getS3RegionFromEndpoint(final String endpoint,
       return;
     }
 
-    LOG_S3AG_ENABLED.info("S3 Access Grants plugin is enabled.");
-    boolean isFallbackEnabled = conf.getBoolean(AWS_S3_ACCESS_GRANTS_FALLBACK_TO_IAM_ENABLED, false);
+    boolean isFallbackEnabled =
+        conf.getBoolean(AWS_S3_ACCESS_GRANTS_FALLBACK_TO_IAM_ENABLED, false);
     S3AccessGrantsPlugin accessGrantsPlugin =
-            S3AccessGrantsPlugin.builder().enableFallback(isFallbackEnabled).build();
+        S3AccessGrantsPlugin.builder().enableFallback(isFallbackEnabled).build();
     builder.addPlugin(accessGrantsPlugin);
-    LOG_S3AG_ENABLED.info("S3 Access Grants plugin is added to S3 client with fallback: {}", isFallbackEnabled);
+    LOG_S3AG_ENABLED.info(
+        "S3 Access Grants plugin is enabled with IAM fallback set to {}", isFallbackEnabled);
   }
 
 }

hadoop-tools/hadoop-aws/src/site/markdown/tools/hadoop-aws/index.md

@@ -617,16 +617,16 @@ java.io.IOException: From option fs.s3a.aws.credentials.provider java.lang.Class
 ## S3 Authorization Using S3 Access Grants
 
 [S3 Access Grants](https://aws.amazon.com/s3/features/access-grants/) can be used to grant accesses to S3 data using IAM Principals.
-In order to enable S3 Access Grants to work with S3A, we enable the 
-[S3 Access Grants plugin](https://github.com/aws/aws-s3-accessgrants-plugin-java-v2) on all S3 clients, 
+In order to enable S3 Access Grants, S3A utilizes the
+[S3 Access Grants plugin](https://github.com/aws/aws-s3-accessgrants-plugin-java-v2) on all S3 clients,
 which is found within the AWS Java SDK bundle (v2.23.19+).
 
-We support both cross-region access (by default) and the 
-[fallback-to-IAM configuration](https://github.com/aws/aws-s3-accessgrants-plugin-java-v2?tab=readme-ov-file#using-the-plugin) 
-which allows you to fallback to using your IAM role (and its permission sets directly) to access your S3 data in the case that S3 Access Grants
-is unable to authorize your S3 call.
+S3A supports both cross-region access (by default) and the
+[fallback-to-IAM configuration](https://github.com/aws/aws-s3-accessgrants-plugin-java-v2?tab=readme-ov-file#using-the-plugin)
+which allows S3A to fallback to using the IAM role (and its permission sets directly) to access S3 data in the case that S3 Access Grants
+is unable to authorize the S3 call.
 
-The following is how you can enable this feature:
+The following is how this feature can be enabled:
 
 ```xml
 <property>
@@ -640,11 +640,11 @@ The following is how you can enable this feature:
 </property>
 ```
 
-Please note that we only enable the [S3 Access Grants plugin](https://github.com/aws/aws-s3-accessgrants-plugin-java-v2) on the S3 clients 
-as part of this feature. Any usage issues or bug reporting should be done directly at the plugin's 
+Please note that S3A only enables the [S3 Access Grants plugin](https://github.com/aws/aws-s3-accessgrants-plugin-java-v2) on the S3 clients
+as part of this feature. Any usage issues or bug reporting should be done directly at the plugin's
 [GitHub repo](https://github.com/aws/aws-s3-accessgrants-plugin-java-v2/issues).
 
-For more details on using S3 Access Grants, please refer to 
+For more details on using S3 Access Grants, please refer to
 [Managing access with S3 Access Grants](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-grants.html).
 
 ## <a name="hadoop_credential_providers"></a>Storing secrets with Hadoop Credential Providers

hadoop-tools/hadoop-aws/src/test/java/org/apache/hadoop/fs/s3a/TestS3AccessGrantConfiguration.java

@@ -25,7 +25,6 @@
 
 import software.amazon.awssdk.awscore.AwsClient;
 import software.amazon.awssdk.s3accessgrants.plugin.S3AccessGrantsIdentityProvider;
-import software.amazon.awssdk.services.s3.S3BaseClientBuilder;
 
 import java.io.IOException;
 import java.net.URI;
@@ -38,71 +37,71 @@
  * Test S3 Access Grants configurations.
  */
 public class TestS3AccessGrantConfiguration extends AbstractHadoopTestBase {
-    /**
-     * This credential provider will be attached to any client
-     * that has been configured with the S3 Access Grants plugin.
-     * {@link software.amazon.awssdk.s3accessgrants.plugin.S3AccessGrantsPlugin}.
-     */
-    public static final String S3_ACCESS_GRANTS_EXPECTED_CREDENTIAL_PROVIDER_CLASS =
-            S3AccessGrantsIdentityProvider.class.getName();
-
-    @Test
-    public void testS3AccessGrantsEnabled() throws IOException, URISyntaxException {
-        // Feature is explicitly enabled
-        AwsClient s3AsyncClient = getAwsClient(createConfig(true), true);
-        Assert.assertEquals(
-                S3_ACCESS_GRANTS_EXPECTED_CREDENTIAL_PROVIDER_CLASS,
-                getCredentialProviderName(s3AsyncClient));
-
-        AwsClient s3Client = getAwsClient(createConfig(true), false);
-        Assert.assertEquals(
-                S3_ACCESS_GRANTS_EXPECTED_CREDENTIAL_PROVIDER_CLASS,
-                getCredentialProviderName(s3Client));
-    }
-
-    @Test
-    public void testS3AccessGrantsDisabled() throws IOException, URISyntaxException {
-        // Disabled by default
-        AwsClient s3AsyncDefaultClient = getAwsClient(new Configuration(), true);
-        Assert.assertNotEquals(
-                S3_ACCESS_GRANTS_EXPECTED_CREDENTIAL_PROVIDER_CLASS,
-                getCredentialProviderName(s3AsyncDefaultClient));
-
-        AwsClient s3DefaultClient = getAwsClient(new Configuration(), true);
-        Assert.assertNotEquals(
-                S3_ACCESS_GRANTS_EXPECTED_CREDENTIAL_PROVIDER_CLASS,
-                getCredentialProviderName(s3DefaultClient));
-
-        // Disabled if explicitly set
-        AwsClient s3AsyncExplicitlyDisabledClient = getAwsClient(createConfig(false), true);
-        Assert.assertNotEquals(
-                S3_ACCESS_GRANTS_EXPECTED_CREDENTIAL_PROVIDER_CLASS,
-                getCredentialProviderName(s3AsyncExplicitlyDisabledClient));
-
-        AwsClient s3ExplicitlyDisabledClient = getAwsClient(createConfig(false), true);
-        Assert.assertNotEquals(
-                S3_ACCESS_GRANTS_EXPECTED_CREDENTIAL_PROVIDER_CLASS,
-                getCredentialProviderName(s3ExplicitlyDisabledClient));
-    }
-
-    private Configuration createConfig(boolean s3agEnabled) {
-        Configuration conf = new Configuration();
-        conf.setBoolean(AWS_S3_ACCESS_GRANTS_ENABLED, s3agEnabled);
-        return conf;
-    }
-
-    private String getCredentialProviderName(AwsClient awsClient) {
-        return awsClient.serviceClientConfiguration().credentialsProvider().getClass().getName();
-    }
-
-    private <BuilderT extends S3BaseClientBuilder<BuilderT, ClientT>, ClientT> AwsClient
-    getAwsClient(Configuration conf, boolean asyncClient) throws IOException, URISyntaxException {
-        DefaultS3ClientFactory factory = new DefaultS3ClientFactory();
-        factory.setConf(conf);
-        S3ClientFactory.S3ClientCreationParameters parameters =
-                new S3ClientFactory.S3ClientCreationParameters();
-        URI uri = new URI("any-uri");
-        return asyncClient ?
-                factory.createS3AsyncClient(uri, parameters): factory.createS3Client(uri, parameters);
-    }
+  /**
+   * This credential provider will be attached to any client
+   * that has been configured with the S3 Access Grants plugin.
+   * {@link software.amazon.awssdk.s3accessgrants.plugin.S3AccessGrantsPlugin}.
+   */
+  public static final String S3_ACCESS_GRANTS_EXPECTED_CREDENTIAL_PROVIDER_CLASS =
+      S3AccessGrantsIdentityProvider.class.getName();
+
+  @Test
+  public void testS3AccessGrantsEnabled() throws IOException, URISyntaxException {
+    // Feature is explicitly enabled
+    AwsClient s3AsyncClient = getAwsClient(createConfig(true), true);
+    Assert.assertEquals(
+        S3_ACCESS_GRANTS_EXPECTED_CREDENTIAL_PROVIDER_CLASS,
+        getCredentialProviderName(s3AsyncClient));
+
+    AwsClient s3Client = getAwsClient(createConfig(true), false);
+    Assert.assertEquals(
+        S3_ACCESS_GRANTS_EXPECTED_CREDENTIAL_PROVIDER_CLASS,
+        getCredentialProviderName(s3Client));
+  }
+
+  @Test
+  public void testS3AccessGrantsDisabled() throws IOException, URISyntaxException {
+    // Disabled by default
+    AwsClient s3AsyncDefaultClient = getAwsClient(new Configuration(), true);
+    Assert.assertNotEquals(
+        S3_ACCESS_GRANTS_EXPECTED_CREDENTIAL_PROVIDER_CLASS,
+        getCredentialProviderName(s3AsyncDefaultClient));
+
+    AwsClient s3DefaultClient = getAwsClient(new Configuration(), true);
+    Assert.assertNotEquals(
+        S3_ACCESS_GRANTS_EXPECTED_CREDENTIAL_PROVIDER_CLASS,
+        getCredentialProviderName(s3DefaultClient));
+
+    // Disabled if explicitly set
+    AwsClient s3AsyncExplicitlyDisabledClient = getAwsClient(createConfig(false), true);
+    Assert.assertNotEquals(
+        S3_ACCESS_GRANTS_EXPECTED_CREDENTIAL_PROVIDER_CLASS,
+        getCredentialProviderName(s3AsyncExplicitlyDisabledClient));
+
+    AwsClient s3ExplicitlyDisabledClient = getAwsClient(createConfig(false), true);
+    Assert.assertNotEquals(
+        S3_ACCESS_GRANTS_EXPECTED_CREDENTIAL_PROVIDER_CLASS,
+        getCredentialProviderName(s3ExplicitlyDisabledClient));
+  }
+
+  private Configuration createConfig(boolean s3agEnabled) {
+    Configuration conf = new Configuration();
+    conf.setBoolean(AWS_S3_ACCESS_GRANTS_ENABLED, s3agEnabled);
+    return conf;
+  }
+
+  private String getCredentialProviderName(AwsClient awsClient) {
+    return awsClient.serviceClientConfiguration().credentialsProvider().getClass().getName();
+  }
+
+  private AwsClient getAwsClient(Configuration conf, boolean asyncClient)
+      throws IOException, URISyntaxException {
+    DefaultS3ClientFactory factory = new DefaultS3ClientFactory();
+    factory.setConf(conf);
+    S3ClientFactory.S3ClientCreationParameters parameters =
+        new S3ClientFactory.S3ClientCreationParameters();
+    URI uri = new URI("any-uri");
+    return asyncClient ?
+        factory.createS3AsyncClient(uri, parameters): factory.createS3Client(uri, parameters);
+  }
 }