feat: Split fallback into enableS3AccessGrantsFallback and enableDire…#46
Open
rajasbh-aws wants to merge 1 commit into
Open
feat: Split fallback into enableS3AccessGrantsFallback and enableDire…#46rajasbh-aws wants to merge 1 commit into
rajasbh-aws wants to merge 1 commit into
Conversation
…ctIAMFallback The LF plugin fallback chain was always: LF -> S3 Access Grants -> IAM. Customers who do not use S3 Access Grants still incur failed S3AG calls on every LF failure before falling through to IAM, adding latency and CloudTrail noise. Replace the single `enableFallback` flag with two orthogonal fallback toggles: - enableS3AccessGrantsFallback (default true): LF -> S3 Access Grants -> IAM (this is the renamed former `enableFallback`; unchanged default behavior). - enableDirectIAMFallback (default false): LF -> IAM directly, skipping S3AG. On an LF failure the identity provider resolves in priority order: 1. S3 Access Grants fallback (if enabled and a provider is available) 2. direct IAM fallback (if enabled) 3. otherwise fail with SdkClientException | enableS3AccessGrantsFallback | enableDirectIAMFallback | Behavior | |------------------------------|-------------------------|-------------------| | true (default) | false (default) | LF -> S3AG -> IAM | | false | true | LF -> IAM | | true | true | LF -> S3AG -> IAM | | false | false | LF only, fail | - AccessGrantsPluginBuilder: renamed method + new enableDirectIAMFallback(Boolean) - LakeFormationAccessGrantsPlugin: two fields/defaults/accessors/builder impls, passes both flags to the identity provider - LakeFormationAccessGrantsIdentityProvider: two-flag priority fallback logic - Tests + README updated Concept ported from CR-289249541 (SageMakerUSJavaPlugin).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Split the single
enableFallbackoption into two independent fallback toggles that givecallers explicit control over the fallback chain when Lake Formation credential resolution
fails:
enableS3AccessGrantsFallback(defaulttrue) — Lake Formation → S3 Access Grants → IAM.This is the renamed former
enableFallback; the default behavior is unchanged.enableDirectIAMFallback(defaultfalse) — Lake Formation → IAM directly, skippingS3 Access Grants.
Motivation
The fallback chain was always Lake Formation → S3 Access Grants → IAM. Customers who do not use
S3 Access Grants still incur a failed S3 Access Grants call on every Lake Formation failure
before finally falling through to IAM, adding latency and CloudTrail noise. Splitting the flag
lets those customers opt into a direct Lake Formation → IAM fallback while leaving the existing
behavior as the default for everyone else.
Behavior
On a Lake Formation failure the identity provider resolves in priority order:
enableS3AccessGrantsFallbackistrue(and an S3 Access Grants provider is available) →fall back to S3 Access Grants (which in turn falls back to IAM).
enableDirectIAMFallbackistrue→ fall back directly to the original IAMcredentials provider, skipping S3 Access Grants.
SdkClientException.enableS3AccessGrantsFallbackenableDirectIAMFallbacktrue(default)false(default)falsetruetruetruefalsefalseChanges
AccessGrantsPluginBuilder: addedenableS3AccessGrantsFallback(Boolean)andenableDirectIAMFallback(Boolean). The oldenableFallback(Boolean)is retained as a@Deprecateddefault method that forwards toenableS3AccessGrantsFallback(...), preservingsource and binary compatibility for existing consumers.
LakeFormationAccessGrantsPlugin: two independent fields/defaults/accessors/builder impls;passes both flags into the identity provider. The inner
S3AccessGrantsPlugincontinues toreceive the S3 Access Grants fallback setting.
LakeFormationAccessGrantsIdentityProvider: two-flag priority fallback logic in thefailure path (S3 Access Grants → direct IAM → fail).
Testing
mvn clean test— full suite green (95 tests).Grants takes priority when both are enabled, direct IAM used when the S3 Access Grants provider
is null, and both-disabled fails without any fallback attempt.
enableDirectIAMFallback=false,enableS3AccessGrantsFallback=true), null handling, andtoBuilderround-tripping of both flags.Compatibility
Fully backward compatible. The default (
enableS3AccessGrantsFallback=true,enableDirectIAMFallback=false) preserves the exact prior behavior. The oldenableFallback(...)builder method is retained as a@Deprecatedalias that forwards toenableS3AccessGrantsFallback(...), so existing source and pre-compiled callers continue to workwithout changes; it will be removed in a future major version.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this
contribution, under the terms of your choice.