hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Steven K. Wong (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (HADOOP-13389) TestS3ATemporaryCredentials.testSTS error
Date Wed, 20 Jul 2016 01:11:20 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-13389?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15385122#comment-15385122
] 

Steven K. Wong edited comment on HADOOP-13389 at 7/20/16 1:10 AM:
------------------------------------------------------------------

I have auth-keys.xml (that only configures test.fs.s3a.name), because I intend to run the
S3A tests. All S3A tests -- except TestS3ATemporaryCredentials.testSTS -- succeed for me.

The InstanceProfileCredentialsProvider object on line 93 is unhelpful because its temporary
credential is not compatible with the getSessionToken call on line 105 (as explained above).
Hence, at a minimum I think InstanceProfileCredentialsProvider should be removed from the
credentials chain in the test case. But that doesn't fix the test case failure. Perhaps testSTS
should explicitly check for the absence of credentials in the config and skip itself (like
what line 83 does)?


was (Author: slider):
I have auth-keys.xml (that only configures test.fs.s3a.name), because I intend to run the
S3A tests. All S3A tests -- except TestS3ATemporaryCredentials.testSTS -- succeed for me.

The InstanceProfileCredentialsProvider object on line 93 is unhelpful because its temporary
credential is not compatible with the getSessionToken call on line 105 (as explained above).
Hence, at a minimum I think InstanceProfileCredentialsProvider should be removed from the
credentials chain in the test case. But that doesn't fix the test case failure. Perhaps testSTS
should explicitly check for the absence of credentials in the config and skip itself?

> TestS3ATemporaryCredentials.testSTS error
> -----------------------------------------
>
>                 Key: HADOOP-13389
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13389
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: fs/s3
>            Reporter: Steven K. Wong
>
> {{org.apache.hadoop.fs.s3a.TestS3ATemporaryCredentials.testSTS}} throws a 403 AccessDenied
when run without any AWS credentials (access key and secret key) in the config.
> {noformat}
> com.amazonaws.AmazonServiceException: Cannot call GetSessionToken with session credentials
(Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID:
XXXXX)
> 	at com.amazonaws.http.AmazonHttpClient.handleErrorResponse(AmazonHttpClient.java:1182)
> 	at com.amazonaws.http.AmazonHttpClient.executeOneRequest(AmazonHttpClient.java:770)
> 	at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:489)
> 	at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:310)
> 	at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1106)
> 	at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.getSessionToken(AWSSecurityTokenServiceClient.java:355)
> 	at org.apache.hadoop.fs.s3a.TestS3ATemporaryCredentials.testSTS(TestS3ATemporaryCredentials.java:105)
> {noformat}
> It fails because the InstanceProfileCredentialsProvider in the credentials chain (on
line 91) is used, but an instance profile always provides a temporary credential and GetSessionToken
requires a long-term (not temporary) credential.
> Suggestion on how to fix this test case?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org


Mime
View raw message