Support STS for OSS ufs through RAMRole

[StephenRi]

What changes are proposed in this pull request?

Support STS for OSS ufs

Why are the changes needed?

1. Plaintext AccessKey/AccessSecret is not safe and not Recommended for Aliyun
2. STS(Security Token Service) for OSS is more safe. For details, see https://help.aliyun.com/document_detail/32016.html

Does this PR introduce any user facing changes?

addition property keys

1. UNDERFS_OSS_STS_ENABLED
2. UNDERFS_OSS_RETRY_MAX
3. UNDERFS_OSS_ECS_RAM_ROLE

#16510

[StephenRi]

@fuzhengjia How can I apply a reviewer

[Jackson-Wang-7]

So the PR is to support using RAM role to get STS temporary credentials to access OSS ufs. I think it's mostly good.
And I know there are several other Aliyun STS endpoint to get the temporary credentials, like AssumeRole. I'm not sure the title of the PR is clear enough.

[Jackson-Wang-7]

LGTM

[StephenRi]

@Jackson-Wang-7 has finished the review. @dbw9580 Does this need another reviewer?

[StephenRi]

@dbw9580 All advices have been resolved, please check again.

[dbw9580]

thanks for the improvements!

[dbw9580]

After digging into the OSS apis, I found there is a com.aliyun.oss.OSSClientBuilder#build(java.lang.String, com.aliyun.oss.common.auth.CredentialsProvider, com.aliyun.oss.ClientBuilderConfiguration) method which takes a CredentialsProvider as argument. You can implement the CredentialsProvider interface and put the token refreshing logic there. Actually I think CustomSessionCredentialsProvider already did the same thing for you.

For credentials, InstanceProfileCredentials has a method willSoonExpire which tells you whether the token needs to be refreshed.

This way, we can decouple the refreshing of credentials from the construction of the OSS client, in case in the future we want to support AssumeRole as another way to do authentication, since there is already a STSAssumeRoleSessionCredentialsProvider.

[StephenRi]

After digging into the OSS apis, I found there is a com.aliyun.oss.OSSClientBuilder#build(java.lang.String, com.aliyun.oss.common.auth.CredentialsProvider, com.aliyun.oss.ClientBuilderConfiguration) method which takes a CredentialsProvider as argument. You can implement the CredentialsProvider interface and put the token refreshing logic there. Actually I think CustomSessionCredentialsProvider already did the same thing for you.

For credentials, InstanceProfileCredentials has a method willSoonExpire which tells you whether the token needs to be refreshed.

This way, we can decouple the refreshing of credentials from the construction of the OSS client, in case in the future we want to support AssumeRole as another way to do authentication, since there is already a STSAssumeRoleSessionCredentialsProvider.

@dbw9580 I'm glad to hear about CustomSessionCredentialsProvider.

There is another project in out group which implement STS like this PR did, and it works well. So I just use STS in Alluxio as they do.

Maybe I will consider implementing it using CustomSessionCredentialsProvider and testing it later.

[LuQQiu]

@dbw9580 @StephenRi Is the current code good to be merged and @StephenRi can help improve the credential provider logic and add related OSS doc in another PR?

[dbw9580]

LGTM. The proposed improvement can happen in another PR.

[LuQQiu]

@StephenRi please help resolve the final minor comments, and this PR is good to be merged
Please help improve the credential provider logic and add related OSS doc in following PRs.

[StephenRi]

@StephenRi please help resolve the final minor comments, and this PR is good to be merged Please help improve the credential provider logic and add related OSS doc in following PRs.

@LuQQiu @dbw9580 All the comments have been resolved. Please check.

[StephenRi]

I will use CustomSessionCredentialsProvider to improve the credential provider later. It is in my TODO list

[LuQQiu]

alluxio-bot, merge this please

[JiamingMai]

alluxio-bot, cherry-pick this to dora please

[alluxio-bot]

Auto cherry-pick unsuccessful:
Insufficient permissions to trigger a cherry-pick. user: JiamingMai