hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "genericqa (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-15583) Stabilize S3A Assumed Role support
Date Tue, 31 Jul 2018 00:14:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-15583?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16562689#comment-16562689
] 

genericqa commented on HADOOP-15583:
------------------------------------

| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
| {color:blue}0{color} | {color:blue} reexec {color} | {color:blue}  0m 20s{color} | {color:blue}
Docker mode activated. {color} |
|| || || || {color:brown} Prechecks {color} ||
| {color:green}+1{color} | {color:green} @author {color} | {color:green}  0m  0s{color} |
{color:green} The patch does not contain any @author tags. {color} |
| {color:green}+1{color} | {color:green} test4tests {color} | {color:green}  0m  0s{color}
| {color:green} The patch appears to include 11 new or modified test files. {color} |
|| || || || {color:brown} trunk Compile Tests {color} ||
| {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue}  0m 20s{color} | {color:blue}
Maven dependency ordering for branch {color} |
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 28m 10s{color}
| {color:green} trunk passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 29m 57s{color} |
{color:green} trunk passed {color} |
| {color:green}+1{color} | {color:green} checkstyle {color} | {color:green}  0m 24s{color}
| {color:green} trunk passed {color} |
| {color:green}+1{color} | {color:green} mvnsite {color} | {color:green}  1m 58s{color} |
{color:green} trunk passed {color} |
| {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 13m 33s{color}
| {color:green} branch has no errors when building and testing our client artifacts. {color}
|
| {color:green}+1{color} | {color:green} findbugs {color} | {color:green}  2m 25s{color} |
{color:green} trunk passed {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green}  1m 30s{color} |
{color:green} trunk passed {color} |
|| || || || {color:brown} Patch Compile Tests {color} ||
| {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue}  0m 21s{color} | {color:blue}
Maven dependency ordering for patch {color} |
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green}  1m 29s{color}
| {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 29m 26s{color} |
{color:green} the patch passed {color} |
| {color:red}-1{color} | {color:red} javac {color} | {color:red} 29m 26s{color} | {color:red}
root generated 1 new + 1463 unchanged - 5 fixed = 1464 total (was 1468) {color} |
| {color:green}+1{color} | {color:green} checkstyle {color} | {color:green}  0m 25s{color}
| {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} mvnsite {color} | {color:green}  1m 53s{color} |
{color:green} the patch passed {color} |
| {color:red}-1{color} | {color:red} whitespace {color} | {color:red}  0m  0s{color} | {color:red}
The patch has 12 line(s) that end in whitespace. Use git apply --whitespace=fix <<patch_file>>.
Refer https://git-scm.com/docs/git-apply {color} |
| {color:green}+1{color} | {color:green} xml {color} | {color:green}  0m  2s{color} | {color:green}
The patch has no ill-formed XML file. {color} |
| {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 11m 20s{color}
| {color:green} patch has no errors when building and testing our client artifacts. {color}
|
| {color:red}-1{color} | {color:red} findbugs {color} | {color:red}  0m 58s{color} | {color:red}
hadoop-tools/hadoop-aws generated 2 new + 0 unchanged - 0 fixed = 2 total (was 0) {color}
|
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green}  1m 30s{color} |
{color:green} the patch passed {color} |
|| || || || {color:brown} Other Tests {color} ||
| {color:green}+1{color} | {color:green} unit {color} | {color:green}  9m 14s{color} | {color:green}
hadoop-common in the patch passed. {color} |
| {color:green}+1{color} | {color:green} unit {color} | {color:green}  5m 20s{color} | {color:green}
hadoop-aws in the patch passed. {color} |
| {color:green}+1{color} | {color:green} asflicense {color} | {color:green}  0m 39s{color}
| {color:green} The patch does not generate ASF License warnings. {color} |
| {color:black}{color} | {color:black} {color} | {color:black}142m 46s{color} | {color:black}
{color} |
\\
\\
|| Reason || Tests ||
| FindBugs | module:hadoop-tools/hadoop-aws |
|  |  org.apache.hadoop.fs.s3a.auth.RolePolicies.KMS_KEY_READ should be package protected
 At RolePolicies.java: At RolePolicies.java:[line 65] |
|  |  org.apache.hadoop.fs.s3a.auth.RolePolicies.KMS_KEY_RW should be package protected  At
RolePolicies.java: At RolePolicies.java:[line 58] |
\\
\\
|| Subsystem || Report/Notes ||
| Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hadoop:ba1ab08 |
| JIRA Issue | HADOOP-15583 |
| JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12933670/HADOOP-15583-004.patch
|
| Optional Tests |  asflicense  compile  javac  javadoc  mvninstall  mvnsite  unit  shadedclient
 xml  findbugs  checkstyle  |
| uname | Linux 73f03af367d5 3.13.0-144-generic #193-Ubuntu SMP Thu Mar 15 17:03:53 UTC 2018
x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | /testptch/patchprocess/precommit/personality/provided.sh |
| git revision | trunk / 2b39ad2 |
| maven | version: Apache Maven 3.3.9 |
| Default Java | 1.8.0_171 |
| findbugs | v3.1.0-RC1 |
| javac | https://builds.apache.org/job/PreCommit-HADOOP-Build/14964/artifact/out/diff-compile-javac-root.txt
|
| whitespace | https://builds.apache.org/job/PreCommit-HADOOP-Build/14964/artifact/out/whitespace-eol.txt
|
| findbugs | https://builds.apache.org/job/PreCommit-HADOOP-Build/14964/artifact/out/new-findbugs-hadoop-tools_hadoop-aws.html
|
|  Test Results | https://builds.apache.org/job/PreCommit-HADOOP-Build/14964/testReport/ |
| Max. process+thread count | 1359 (vs. ulimit of 10000) |
| modules | C: hadoop-common-project/hadoop-common hadoop-tools/hadoop-aws U: . |
| Console output | https://builds.apache.org/job/PreCommit-HADOOP-Build/14964/console |
| Powered by | Apache Yetus 0.8.0-SNAPSHOT   http://yetus.apache.org |


This message was automatically generated.



> Stabilize S3A Assumed Role support
> ----------------------------------
>
>                 Key: HADOOP-15583
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15583
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/s3
>    Affects Versions: 3.1.0
>            Reporter: Steve Loughran
>            Assignee: Steve Loughran
>            Priority: Blocker
>         Attachments: HADOOP-15583-001.patch, HADOOP-15583-002.patch, HADOOP-15583-003.patch,
HADOOP-15583-004.patch
>
>
> started off just on sharing credentials across S3A and S3Guard, but in the process it
has grown to becoming one of stabilising the assumed role support so it can be used for more
than just testing.
> Was: "S3Guard to get AWS Credential chain from S3AFS; credentials closed() on shutdown"
> h3. Issue: lack of auth chain sharing causes ddb and s3 to get out of sync
> S3Guard builds its DDB auth chain itself, which stops it having to worry about being
created standalone vs part of an S3AFS, but it means its authenticators are in a separate
chain.
> When you are using short-lived assumed roles or other session credentials updated in
the S3A FS authentication chain, you need that same set of credentials picked up by DDB. Otherwise,
at best you are doubling load, at worse: the DDB connector may not get refreshed credentials.
> Proposed: {{DynamoDBClientFactory.createDynamoDBClient()}} to take an optional ref to
aws credentials. If set: don't create a new set. 
> There's one little complication here: our {{AWSCredentialProviderList}} list is autocloseable;
it's close() will go through all children and close them. Apparently the AWS S3 client (And
hopefully the DDB client) will close this when they are closed themselves. If DDB  has the
same set of credentials as the FS, then there could be trouble if they are closed in one place
when the other still wants to use them.
> Solution; have a use count the uses of the credentials list, starting at one: every close()
call decrements, and when this hits zero the cleanup is kicked off
> h3. Issue: {{AssumedRoleCredentialProvider}} connector to STS not picking up the s3a
connection settings, including proxy.
> h3. issue: we're not using getPassword() to get user/password for proxy binding for STS.
Fix: use that and pass down the bucket ref for per-bucket secrets in a JCEKS file.
> h3. Issue; hard to debug what's going wrong :)
> h3. Issue: docs about KMS permissions for SSE-KMS are wrong, and the ITestAssumedRole*
tests don't request KMS permissions, so fail in a bucket when the base s3 FS is using SSE-KMS.
KMS permissions need to be included in generated profiles



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org


Mime
View raw message