From ff9b6a5e6d3aeba45ba750b33deebc648dbb2ed1 Mon Sep 17 00:00:00 2001
From: Steve Loughran
Date: Fri, 13 Sep 2019 16:13:28 +0100
Subject: [PATCH] HADOOP-16568. S3A FullCredentialsTokenBinding fails if local credentials are unset.

Move the loading to deployUnbonded (where they are required) and add a safety check when a new DT is requested

Change-Id: I516368c2c4a558a2a86e8cf107f77f1e40338261
---
 .../s3a/auth/delegation/FullCredentialsTokenBinding.java | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/delegation/FullCredentialsTokenBinding.java b/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/delegation/FullCredentialsTokenBinding.java
index d80e780521d5c..8df666470ae9d 100644
--- a/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/delegation/FullCredentialsTokenBinding.java
+++ b/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/delegation/FullCredentialsTokenBinding.java
@@ -22,6 +22,8 @@
 import java.net.URI;
 import java.util.Optional;

+import com.google.common.base.Preconditions;
+
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.s3a.AWSCredentialProviderList;
 import org.apache.hadoop.fs.s3a.S3AUtils;
@@ -73,7 +75,6 @@ public FullCredentialsTokenBinding() {
 @Override
 protected void serviceStart() throws Exception {
 super.serviceStart();
- loadAWSCredentials();
 }

 /**
@@ -116,6 +117,7 @@ private void loadAWSCredentials() throws IOException {
 @Override
 public AWSCredentialProviderList deployUnbonded() throws IOException {
 requireServiceStarted();
+ loadAWSCredentials();
 return new AWSCredentialProviderList(
 "Full Credentials Token Binding",
 new MarshalledCredentialProvider(
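Review bot: The `loadAWSCredentials()` call added at the top of `deployUnbonded()` creates an ordering dependency that nothing in the hunk documents: with the load removed from `serviceStart()`, `createTokenIdentifier()` can only succeed on an instance where `deployUnbonded()` has already run. A comment above the call would record why it lives here, for example `// Loaded here, not in serviceStart(): a binding deployed from an existing token has no local credentials to read.` The Javadoc of `deployUnbonded()` and of `loadAWSCredentials()` (both outside the hunk) should also state that credentials are now re-read on every unbonded deployment, and that a load failure surfaces at this point rather than at service start. The body of `deployUnbonded()` continues past the end of the hunk.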
@@ -142,7 +144,8 @@ public AbstractS3ATokenIdentifier createTokenIdentifier(
 final EncryptionSecrets encryptionSecrets,
 final Text renewer) throws IOException {
 requireServiceStarted();
-
+ Preconditions.checkNotNull(
+ awsCredentials, "No AWS credentials to use for a delegation token");
 return new FullCredentialsTokenIdentifier(getCanonicalUri(),
 getOwnerText(),
 renewer,
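Review bot: `Preconditions.checkNotNull` in `createTokenIdentifier()` reports missing credentials as an unchecked `NullPointerException`, although the method declares `IOException`. Judging by the commit description, an instance without local credentials is an expected runtime state rather than a programming error. Callers that handle `IOException` around token issuance will not catch it, and in logs it reads as a code bug instead of a configuration problem. Consider `if (awsCredentials == null) { throw new IOException("No AWS credentials to use for a delegation token"); }`, or the module's own delegation-token exception type if one fits. The check only proves the reference is non-null; whether the key and secret are non-empty depends on `loadAWSCredentials()`, and the method itself starts and ends outside this hunk.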