hadoop-common-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-14237) S3A Support Shared Instance Profile Credentials Across All Hadoop Nodes
Date Mon, 27 Mar 2017 11:17:41 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-14237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15943068#comment-15943068 ]

ASF GitHub Bot commented on HADOOP-14237:
-----------------------------------------

Github user steveloughran commented on a diff in the pull request:

    https://github.com/apache/hadoop/pull/207#discussion_r108144627
  
    --- Diff: hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/SharedInstanceProfileCredentialsProvider.java
---
    @@ -58,6 +71,84 @@ public static SharedInstanceProfileCredentialsProvider getInstance() {
         return INSTANCE;
       }
     
    +  private AWSCredentials readCredentialsFromHDFS() {
    +    try {
    +      FileSystem fs = FileSystem.get(new Configuration());
    +      BufferedReader br = new BufferedReader(new InputStreamReader(fs.open(s3crednetialPath)));
    +      String accessKey = br.readLine();
    +      String secretKey = br.readLine();
    +      String token = br.readLine();
    +      AWSCredentials credentials;
    +      if (StringUtils.isEmpty(accessKey) || StringUtils.isEmpty(secretKey)) {
    +        // if there are no accessKey nor secretKey return null
    +        return null;
    +      } else if (StringUtils.isNotEmpty(token)) {
    +        credentials = new BasicSessionCredentials(accessKey, secretKey, token);
    +      } else {
    +        credentials = new BasicAWSCredentials(accessKey, secretKey);
    +      }
    +      return credentials;
    +    } catch (Exception e) {
    +      return null; // ignore the read errors
    +      // throw new AmazonServiceException("Failed reading S3 credentials from HDFS " + e.getStackTrace());
    +    }
    +  }
    +
    +  private void writeCredentialsToHDFS(AWSCredentials credentials) {
    +    try {
    +      // Simulate atomic write by creating a new s3credential file with random string suffix and rename to s3crednetialPath
    +      Path newS3crednetialPath = new Path(s3crednetialPath.toUri() + RandomStringUtils.randomAlphanumeric(8));
    +      FileSystem fs = FileSystem.get(new Configuration());
    +      BufferedWriter br = new BufferedWriter(new OutputStreamWriter(fs.create(newS3crednetialPath, true)));
    +      String accessKey = credentials.getAWSAccessKeyId();
    +      String secretKey = credentials.getAWSSecretKey();
    +      String token = "";
    +      if (credentials instanceof BasicSessionCredentials) {
    --- End diff --
    
    I would only allow session credentials to persist, so as to reduce risk of leakage of persistent secrets
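The guard suggested in the review comment could look roughly like the sketch below. This is a hedged illustration, not the patch's actual code: `Credentials` and `SessionCredentials` are simplified stand-ins for the AWS SDK's `AWSCredentials` and `BasicSessionCredentials`, and `writeToStore` is a hypothetical hook for the HDFS write.

```java
// Sketch of "only allow session credentials to persist".
// Credentials / SessionCredentials are simplified stand-ins for the AWS SDK
// types; writeToStore is a hypothetical stand-in for the HDFS write path.
class CredentialPersister {
    static class Credentials {
        final String accessKey, secretKey;
        Credentials(String accessKey, String secretKey) {
            this.accessKey = accessKey;
            this.secretKey = secretKey;
        }
    }

    static class SessionCredentials extends Credentials {
        final String token;
        SessionCredentials(String accessKey, String secretKey, String token) {
            super(accessKey, secretKey);
            this.token = token;
        }
    }

    /** Persists only short-lived session credentials; returns true when written. */
    boolean persistIfSession(Credentials creds) {
        // Long-lived access/secret key pairs are never written out, to limit
        // the blast radius if the shared file leaks.
        if (!(creds instanceof SessionCredentials)) {
            return false;
        }
        writeToStore((SessionCredentials) creds);
        return true;
    }

    void writeToStore(SessionCredentials creds) {
        // hypothetical: write accessKey / secretKey / token to the shared HDFS file
    }
}
```

Because session tokens expire on their own, a stale or leaked copy of the shared file ages out quickly, which is the point of the restriction.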


> S3A Support Shared Instance Profile Credentials Across All Hadoop Nodes
> -----------------------------------------------------------------------
>
>                 Key: HADOOP-14237
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14237
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: fs/s3
>    Affects Versions: 2.8.0, 3.0.0-alpha1, 3.0.0-alpha2, 2.8.1
>         Environment: EC2, AWS
>            Reporter: Kazuyuki Tanimura
>
> When I run a large Hadoop cluster on EC2 instances with an IAM Role, it fails to get the
> instance profile credentials, and eventually all jobs on the cluster fail. Because a large
> number of S3A clients (all mappers and reducers) request the credentials at the same time,
> the AWS credential endpoint starts responding with 5xx and 4xx error codes.
> SharedInstanceProfileCredentialsProvider.java partially addresses this, but it still does
> not share the credentials with other EC2 nodes / JVM processes.
> This issue prevents users from creating Hadoop clusters on EC2.
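The failure mode described above — many clients hitting the rate-limited instance metadata endpoint at once — is commonly mitigated by fetching once per process and caching until near expiry, so only one call per JVM reaches the endpoint. A minimal sketch, where the `Supplier` stands in for the real metadata-service call and the TTL-based expiry is an assumption rather than the patch's actual logic:

```java
import java.util.function.Supplier;

// Sketch: process-wide credential cache so that only one caller per JVM
// hits the (rate-limited) instance metadata endpoint. The Supplier is a
// stand-in for the real metadata call; expiry is simplified to a fixed TTL.
class CachedCredentials {
    private final Supplier<String> fetcher;  // stand-in for the metadata call
    private final long ttlMillis;
    private volatile String cached;
    private volatile long fetchedAt;
    private int fetchCount;                  // for illustration/testing only

    CachedCredentials(Supplier<String> fetcher, long ttlMillis) {
        this.fetcher = fetcher;
        this.ttlMillis = ttlMillis;
    }

    synchronized String get() {
        long now = System.currentTimeMillis();
        if (cached == null || now - fetchedAt >= ttlMillis) {
            cached = fetcher.get();          // only path that touches the endpoint
            fetchedAt = now;
            fetchCount++;
        }
        return cached;
    }

    synchronized int fetches() {
        return fetchCount;
    }
}
```

With a cache like this, a thousand mappers in one JVM produce a single metadata request per TTL window instead of a thousand, which is what keeps the endpoint from returning 4xx/5xx under load.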



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org

