From common-issues-return-154575-archive-asf-public=cust-asf.ponee.io@hadoop.apache.org Mon Jul 9 22:56:04 2018 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id D5140180676 for ; Mon, 9 Jul 2018 22:56:03 +0200 (CEST) Received: (qmail 72751 invoked by uid 500); 9 Jul 2018 20:56:02 -0000 Mailing-List: contact common-issues-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Delivered-To: mailing list common-issues@hadoop.apache.org Received: (qmail 72719 invoked by uid 99); 9 Jul 2018 20:56:02 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd2-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 09 Jul 2018 20:56:02 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd2-us-west.apache.org (ASF Mail Server at spamd2-us-west.apache.org) with ESMTP id 54FF11A14D7 for ; Mon, 9 Jul 2018 20:56:02 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd2-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -109.501 X-Spam-Level: X-Spam-Status: No, score=-109.501 tagged_above=-999 required=6.31 tests=[ENV_AND_HDR_SPF_MATCH=-0.5, KAM_ASCII_DIVIDERS=0.8, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5, USER_IN_WHITELIST=-100] autolearn=disabled Received: from mx1-lw-eu.apache.org ([10.40.0.8]) by localhost (spamd2-us-west.apache.org [10.40.0.9]) (amavisd-new, port 10024) with ESMTP id 0OM49lFxq8IN for ; Mon, 9 Jul 2018 20:56:01 +0000 (UTC) Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139]) by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with ESMTP id 403195F439 for ; Mon, 9 Jul 2018 20:56:01 +0000 (UTC) Received: from jira-lw-us.apache.org (unknown [207.244.88.139]) by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 8BAC9E134E for ; Mon, 9 Jul 2018 20:56:00 +0000 (UTC) Received: from jira-lw-us.apache.org (localhost [127.0.0.1]) by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id 47B8923E83 for ; Mon, 9 Jul 2018 20:56:00 +0000 (UTC) Date: Mon, 9 Jul 2018 20:56:00 +0000 (UTC) From: "Steve Loughran (JIRA)" To: common-issues@hadoop.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Updated] (HADOOP-15583) S3Guard to get AWS Credential chain from S3AFS; credentials closed() on shutdown MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/HADOOP-15583?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Steve Loughran updated HADOOP-15583: ------------------------------------ Summary: S3Guard to get AWS Credential chain from S3AFS; credentials closed() on shutdown (was: S3Guard to get AWS Credential chain from S3AFS) > S3Guard to get AWS Credential chain from S3AFS; credentials closed() on shutdown > -------------------------------------------------------------------------------- > > Key: HADOOP-15583 > URL: https://issues.apache.org/jira/browse/HADOOP-15583 > Project: Hadoop Common > Issue Type: Sub-task > Components: fs/s3 > Affects Versions: 3.1.0 > Reporter: Steve Loughran > Assignee: Steve Loughran > Priority: Major > Attachments: HADOOP-15583-001.patch, HADOOP-15583-002.patch > > > S3Guard builds its DDB auth chain itself, which stops it having to worry about being created standalone vs part of an S3AFS, but it means its authenticators are in a separate chain. > When you are using short-lived assumed roles or other session credentials updated in the S3A FS authentication chain, you need that same set of credentials picked up by DDB. Otherwise, at best you are doubling load, at worse: the DDB connector may not get refreshed credentials. > Proposed: {{DynamoDBClientFactory.createDynamoDBClient()}} to take an optional ref to aws credentials. If set: don't create a new set. > There's one little complication here: our {{AWSCredentialProviderList}} list is autocloseable; it's close() will go through all children and close them. Apparently the AWS S3 client (And hopefully the DDB client) will close this when they are closed themselves. If DDB has the same set of credentials as the FS, then there could be trouble if they are closed in one place when the other still wants to use them. > Solution; have a use count the uses of the credentials list, starting at one: every close() call decrements, and when this hits zero the cleanup is kicked off -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org For additional commands, e-mail: common-issues-help@hadoop.apache.org