Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id F1357200D33 for ; Wed, 8 Nov 2017 22:40:47 +0100 (CET) Received: by cust-asf.ponee.io (Postfix) id EF981160BDA; Wed, 8 Nov 2017 21:40:47 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 1B3031609E0 for ; Wed, 8 Nov 2017 22:40:46 +0100 (CET) Received: (qmail 10842 invoked by uid 500); 8 Nov 2017 21:40:46 -0000 Mailing-List: contact reviews-help@impala.incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Delivered-To: mailing list reviews@impala.incubator.apache.org Received: (qmail 10830 invoked by uid 99); 8 Nov 2017 21:40:46 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd2-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 08 Nov 2017 21:40:45 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd2-us-west.apache.org (ASF Mail Server at spamd2-us-west.apache.org) with ESMTP id 3637A1A10E7 for ; Wed, 8 Nov 2017 21:40:45 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd2-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 2.362 X-Spam-Level: ** X-Spam-Status: No, score=2.362 tagged_above=-999 required=6.31 tests=[HTML_MESSAGE=2, RDNS_DYNAMIC=0.363, SPF_PASS=-0.001] autolearn=disabled Received: from mx1-lw-eu.apache.org ([10.40.0.8]) by localhost (spamd2-us-west.apache.org [10.40.0.9]) (amavisd-new, port 10024) with ESMTP id Zu9FHvZDf9HH for ; Wed, 8 Nov 2017 21:40:43 +0000 (UTC) Received: from ip-10-146-233-104.ec2.internal (ec2-75-101-130-251.compute-1.amazonaws.com [75.101.130.251]) by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with ESMTPS id D5DF35FDD4 for ; Wed, 8 Nov 2017 21:40:42 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by ip-10-146-233-104.ec2.internal (8.14.4/8.14.4) with ESMTP id vA8Lee3b019476; Wed, 8 Nov 2017 21:40:40 GMT Message-Id: <201711082140.vA8Lee3b019476@ip-10-146-233-104.ec2.internal> X-Gerrit-PatchSet: 2 Date: Wed, 8 Nov 2017 21:40:40 +0000 From: "Laszlo Gaal (Code Review)" To: impala-cr@cloudera.com, reviews@impala.incubator.apache.org CC: Alex Behm , Sailesh Mukil , Jim Apple , Lars Volker , Michael Brown , Philip Zeyliger , David Knupp , Joe McDonnell , Tim Armstrong X-Gerrit-MessageType: comment Subject: =?UTF-8?Q?=5BImpala-ASF-CR=5D_IMPALA-6067=3A_Enable_s3_access_via_IAM_roles_for_EC2_VMs=0A?= X-Gerrit-Change-Id: I14cd9d4453a91baad3c379aa7e4944993fca95ae X-Gerrit-Change-Number: 8294 X-Gerrit-ChangeURL: X-Gerrit-Commit: e97f0d9e5132288815aa1165a938327fc335f9bf In-Reply-To: References: X-Gerrit-Comment-Date: Wed, 8 Nov 2017 21:40:40 +0000 Reply-To: laszlo.gaal@cloudera.com, sailesh@cloudera.com, dknupp@cloudera.com, philip@cloudera.com, jbapple-impala@apache.org, alex.behm@cloudera.com, reviews@impala.incubator.apache.org, mikeb@cloudera.com, impala-cr@cloudera.com, lv@cloudera.com, marcelk@gmail.com, tarmstrong@cloudera.com, joemcdonnell@cloudera.com MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Disposition: inline User-Agent: Gerrit/2.14.2 Content-Type: multipart/alternative; boundary="7BuI1/8dlfA="; charset=UTF-8 archived-at: Wed, 08 Nov 2017 21:40:48 -0000 --7BuI1/8dlfA= Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Laszlo Gaal has posted comments on this change=2E ( http://gerrit=2Eclouder= a=2Eorg:8080/8294 ) Change subject: IMPALA-6067: Enable s3 access via IAM = roles for EC2 VMs =2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E= =2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E= =2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E=2E= =2E Patch Set 2: (3 comments) http://gerrit=2Ecloudera=2Eorg:8080/#/c/8= 294/2/bin/impala-config=2Esh File bin/impala-config=2Esh: http://gerrit=2E= cloudera=2Eorg:8080/#/c/8294/2/bin/impala-config=2Esh@294 PS2, Line 294: = if (set +x; [[ -z ${AWS_ACCESS_KEY_ID-} && -z ${AWS_SECRET_ACCESS_KEY-} ]])= ; then > (I think it's fine if this is put in a separate script and called = from buil I'm not sure that putting the checks into a separate script would= change anything=2E The part in lines 252-264 have to remain here because t= hey touch environment variables that are used further in this script=2E h= ttp://gerrit=2Ecloudera=2Eorg:8080/#/c/8294/2/bin/impala-config=2Esh@294 PS= 2, Line 294: if (set +x; [[ -z ${AWS_ACCESS_KEY_ID-} && -z ${AWS_SECRET_A= CCESS_KEY-} ]]); then > Does impala-config=2Esh really have to talk to the = internet? It just tends to In most of the use cases the network access is a= voided, it happens only if the build is set up to run the tests on S3=2E -= - and talking to S3 means lots of network access anyway=2E Even the current= version of the script performs a network access in the S3 case: line 321 u= ses AWS CLI to check the existence of the specified bucket=2E Checking the= credential URL is gated by the following environment variables: - TARGET_F= ILESYSTEM has to be set to "s3" - S3_BUCKET has to be non-empty - AWS_SECRE= T_ACCESS_KEY and AWS_ACCESS_KEY_ID both have to be empty or missing before = the script attempts to look for credentials by checking the URL=2E Even if= a network check is performed, it will not go out to the internet=2E The sp= ecific network address belongs to the "link-local address" category (see ht= tps://en=2Ewikipedia=2Eorg/wiki/Link-local_address), which is valid only in= the immediate network neighborhood=2E Within EC2 the request should be ser= ver quickly; outside of EC2 I don't expect the target URL to exist at all= =2E Based on this I could set short timeouts, so that the call fails quickl= y even in rare failure cases=2E http://gerrit=2Ecloudera=2Eorg:8080/#/c/8= 294/2/bin/impala-config=2Esh@307 PS2, Line 307: if ! curl "${CURL_ARGS[= @]}" ; then > curl is not a development dependency in bin/bootstrap_system= =2Esh=2E I'd sugges Good point; I'll check if wget can be set up the same w= ay=2E -- To view, visit http://gerrit=2Ecloudera=2Eorg:8080/8294 To uns= ubscribe, visit http://gerrit=2Ecloudera=2Eorg:8080/settings Gerrit-Projec= t: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Chan= ge-Id: I14cd9d4453a91baad3c379aa7e4944993fca95ae Gerrit-Change-Number: 8294= Gerrit-PatchSet: 2 Gerrit-Owner: Laszlo Gaal Gerrit-Reviewer: Alex Behm Gerrit-Reviewer: = David Knupp Gerrit-Reviewer: Jim Apple Gerrit-Reviewer: Joe McDonnell Gerrit-Reviewer: Lars Volker Gerrit-Reviewer: Laszl= o Gaal Gerrit-Reviewer: Michael Brown Gerrit-Reviewer: Philip Zeyliger G= errit-Reviewer: Sailesh Mukil Gerrit-Reviewer: Tim= Armstrong Gerrit-Comment-Date: Wed, 08 Nov 201= 7 21:40:40 +0000 Gerrit-HasComments: Yes --7BuI1/8dlfA=--