
[FLINK-38987] Add RRSA (RAM Roles for Service Accounts) support for Flink OSS FileSystem #27529

Open
zhaoyunjiong wants to merge 1 commit into apache:master from zhaoyunjiong:FLINK-38987

@zhaoyunjiong

What is the purpose of the change

This PR adds RRSA (RAM Roles for Service Accounts) support to the Flink OSS FileSystem, enabling Flink applications running in Alibaba Cloud Kubernetes (ACK) to authenticate with OSS using OIDC-based service account credentials.

Brief change log

  • Added RRSACredentialsProvider class that implements OSS CredentialsProvider interface for RRSA authentication
  • Modified OSSFileSystemFactory to automatically detect RRSA environment variables and prepend RRSACredentialsProvider to the credential provider chain

Verifying this change

This change added tests and can be verified as follows:

  • Added unit tests (RRSACredentialsProviderTest) that verify:
    • RRSA environment variable detection logic (all, partial, and missing variables)
    • Credential provider initialization and error handling
    • Behavior when RRSA environment is not available
  • Extended integration tests (HadoopOSSFileSystemITCase) that verify:
    • RRSA provider is automatically configured when environment variables are present
    • RRSA provider is correctly prepended to the credential provider chain
    • RRSA provider integrates properly with the OSS filesystem factory
  • Manual verification can be done by:
    • Deploying Flink to Alibaba Cloud ACK with RRSA-enabled service accounts
    • Setting the required environment variables (ALIBABA_CLOUD_OIDC_PROVIDER_ARN, ALIBABA_CLOUD_ROLE_ARN, ALIBABA_CLOUD_OIDC_TOKEN_FILE)
    • Running a process that uses flink-oss-fs-hadoop to access OSS, verifying authentication works without explicit access keys

Does this pull request potentially affect one of the following parts:

  • Dependencies (does it add or upgrade a dependency): yes (added aliyun credentials-java, aliyun tea, and junit-pioneer for tests)
  • The public API, i.e., is any changed class annotated with @Public(Evolving): no
  • The serializers: no
  • The runtime per-record code paths (performance sensitive): no
  • Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Kubernetes/Yarn, ZooKeeper: no
  • The S3 file system connector: no

Documentation

  • Does this pull request introduce a new feature? yes
  • If yes, how is the feature documented? JavaDocs (comprehensive JavaDoc added to RRSACredentialsProvider explaining the feature, required environment variables, and references to Alibaba Cloud RRSA documentation)
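
The detection cases the description lists (all, partial, and missing variables) and the prepend-to-chain behaviour, as an added example that is not code from this PR. Only the three environment variable names come from the description; the class name, the ALL/PARTIAL/MISSING states, the token-file readability check and the provider names written as plain strings are assumptions. How the PR itself treats a partial set is not shown on this page; here a partial set leaves the chain unchanged.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

/** Added illustration; not the PR's RRSACredentialsProvider. */
public class RrsaEnvCheck {
    // Variable names as listed in the PR description.
    static final List<String> REQUIRED = List.of(
            "ALIBABA_CLOUD_OIDC_PROVIDER_ARN",
            "ALIBABA_CLOUD_ROLE_ARN",
            "ALIBABA_CLOUD_OIDC_TOKEN_FILE");

    enum State { ALL, PARTIAL, MISSING }

    /** Classifies the environment by how many required variables are non-blank. */
    static State detect(Map<String, String> env) {
        long set = REQUIRED.stream()
                .filter(k -> env.get(k) != null && !env.get(k).isBlank())
                .count();
        if (set == 0) return State.MISSING;
        return set == REQUIRED.size() ? State.ALL : State.PARTIAL;
    }

    /** Prepends the RRSA provider only when all variables are set and the token file is readable. */
    static List<String> buildChain(Map<String, String> env, List<String> existing) {
        List<String> chain = new ArrayList<>(existing);
        if (detect(env) == State.ALL
                && Files.isReadable(Path.of(env.get("ALIBABA_CLOUD_OIDC_TOKEN_FILE")))) {
            chain.add(0, "RRSACredentialsProvider"); // tried before the existing providers
        }
        return chain;
    }

    public static void main(String[] args) throws Exception {
        Path token = Files.createTempFile("oidc-token", ".jwt"); // constructed sample file
        Map<String, String> full = Map.of( // constructed placeholder values
                "ALIBABA_CLOUD_OIDC_PROVIDER_ARN", "acs:ram::000000000000:oidc-provider/example",
                "ALIBABA_CLOUD_ROLE_ARN", "acs:ram::000000000000:role/example",
                "ALIBABA_CLOUD_OIDC_TOKEN_FILE", token.toString());
        Map<String, String> partial = Map.of("ALIBABA_CLOUD_ROLE_ARN", "acs:ram::000000000000:role/example");
        List<String> existing = List.of("ExistingProvider"); // hypothetical placeholder name

        System.out.println(detect(full) + " -> " + buildChain(full, existing));
        System.out.println(detect(partial) + " -> " + buildChain(partial, existing));
        System.out.println(detect(Map.of()) + " -> " + buildChain(Map.of(), existing));
        Files.delete(token);
    }
}
```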

@flinkbot
Collaborator

flinkbot commented Feb 4, 2026

CI report:

Bot commands

The @flinkbot bot supports the following commands:
  • @flinkbot run azure: re-run the last Azure build
