hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Chris Nauroth (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-13237) s3a initialization against public bucket fails if caller lacks any credentials
Date Fri, 03 Jun 2016 21:07:59 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-13237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15314812#comment-15314812
] 

Chris Nauroth commented on HADOOP-13237:
----------------------------------------

This looks to me like {{AnonymousAWSCredentials}} is fundamentally unusable in a {{AWSCredentialsProviderChain}}.

The {{AnonymousAWSCredentials}} is hard-coded to return a null key and secret.

https://github.com/aws/aws-sdk-java/blob/master/aws-java-sdk-core/src/main/java/com/amazonaws/auth/AnonymousAWSCredentials.java#L26-L38

However, the chain is coded to throw an exception if it walks the whole chain and can't find
a non-null key and secret.

https://github.com/aws/aws-sdk-java/blob/master/aws-java-sdk-core/src/main/java/com/amazonaws/auth/AWSCredentialsProviderChain.java#L108-L132

I'd be curious if it works when you swap out the {{credentials = new AWSCredentialsProviderChain(...)}}
line for a straight call to {{credentials = new AnonymousAWSCredentialsProvider()}}.  If it
does, then I think this could be interpreted as a bug in the AWS SDK, and we might consider
filing a patch to that project.

In the absence of AWS SDK changes, we could have a configuration property like {{fs.s3a.anonymous.access}},
which if true would skip the chain and just create the anonymous provider.  Actually, it might
be good for anonymous access to be opt-in via configuration anyway, because I expect most
deployments wouldn't want anonymous access and would prefer to fail fast so they know to lock
down their bucket.

> s3a initialization against public bucket fails if caller lacks any credentials
> ------------------------------------------------------------------------------
>
>                 Key: HADOOP-13237
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13237
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/s3
>    Affects Versions: 2.8.0
>            Reporter: Steve Loughran
>            Assignee: Steve Loughran
>
> If an S3 bucket is public, anyone should be able to read from it.
> However, you cannot create an s3a client bonded to a public bucket unless you have some
credentials; the {{doesBucketExist()}} check rejects the call.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org


Mime
View raw message