[
https://issues.apache.org/jira/browse/HADOOP-12548?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15143620#comment-15143620
]
Chris Nauroth commented on HADOOP-12548:
----------------------------------------
# Instead of catching and logging {{IOException}} from the
{{Configuration#getPassword}} calls, I'm wondering if it makes more sense to
just let the exceptions propagate up through {{S3AFileSystem#initialize}} and
let them abort initialization. Catching and proceeding might put the process
into unusual states that are difficult for an operator to reason about. For
example, suppose the credential provider is a keystore file saved to an HDFS
URL, and HDFS goes down after successful retrieval of the access key but before
retrieval of the secret key. That would leave the process running in a state
where initialization succeeded, but it doesn't really have complete
credentials, and access to S3 will fail.
# In {{S3AFileSystem#getAWSAccessKeys}}:
{code}
if (accessKey == null || secretKey == null) {
  throw new IOException("Cannot find AWS access or secret key. required!");
}
{code}
I don't think we can throw an exception here if there is no access key/secret
key in configuration. This would break environments that don't configure
credentials in Hadoop configuration and instead rely on one of the other
providers in the chain, like {{InstanceProfileCredentialsProvider}}. It's OK
to construct an instance of {{BasicAWSCredentialsProvider}} using null values.
It will throw an {{AmazonClientException}} later when anything tries to get
credentials from it. The logic of
{{AWSCredentialsProviderChain#getCredentials}} is to iterate through each
provider in the chain, try to get credentials from it, and ignore exceptions.
The first provider that doesn't throw an exception and returns non-null
credentials will be used.
# Just a minor nit-pick: please use lower-case "test" for the test method names.
> read s3 creds from a Credential Provider
> ----------------------------------------
>
> Key: HADOOP-12548
> URL: https://issues.apache.org/jira/browse/HADOOP-12548
> Project: Hadoop Common
> Issue Type: New Feature
> Components: fs/s3
> Reporter: Allen Wittenauer
> Assignee: Larry McCay
> Attachments: CredentialProviderAPIforS3FS-002.pdf,
> HADOOP-12548-01.patch, HADOOP-12548-02.patch, HADOOP-12548-03.patch,
> HADOOP-12548-04.patch, HADOOP-12548-05.patch, HADOOP-12548-06.patch
>
>
> It would be good if we could read s3 creds from a source other than via a
> java property/Hadoop configuration option
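
The chain fall-through described in the comment above, as an added example that is not part of the original message and is not Hadoop or AWS SDK code: a self-contained Java model showing that a configuration-backed provider built with null keys fails only at lookup time, after which the chain uses the next provider. All class, method and key names here are hypothetical, and the key values are constructed.

```java
import java.util.List;
import java.util.function.Supplier;

// Self-contained model of the chain behaviour described in the comment.
// None of these types are the AWS SDK's or Hadoop's; all names are hypothetical.
public class ChainFallthroughDemo {
    record Creds(String accessKey, String secretKey) {}

    // Stand-in for a provider built from configuration values that may be null.
    static Supplier<Creds> configProvider(String accessKey, String secretKey) {
        return () -> {
            // Fails lazily, at lookup time, not when the provider is constructed.
            if (accessKey == null || secretKey == null) {
                throw new IllegalStateException("access key or secret key is null");
            }
            return new Creds(accessKey, secretKey);
        };
    }

    // Stand-in for a provider that obtains credentials outside of configuration.
    static Supplier<Creds> instanceProfileProvider() {
        return () -> new Creds("CONSTRUCTED-ROLE-KEY", "constructed-role-secret");
    }

    // The first provider that returns non-null credentials without throwing wins.
    static Creds resolve(List<Supplier<Creds>> chain) {
        for (Supplier<Creds> provider : chain) {
            try {
                Creds c = provider.get();
                if (c != null) {
                    return c;
                }
            } catch (RuntimeException e) {
                // Ignored: fall through to the next provider in the chain.
            }
        }
        throw new IllegalStateException("no provider in the chain supplied credentials");
    }

    public static void main(String[] args) {
        // No keys in configuration: the chain falls through to the second provider.
        Creds fromRole = resolve(List.of(configProvider(null, null), instanceProfileProvider()));
        System.out.println(fromRole.accessKey()); // CONSTRUCTED-ROLE-KEY
        // Keys in configuration: the first provider is used.
        Creds fromConf = resolve(List.of(configProvider("CONSTRUCTED-CONF-KEY", "constructed-conf-secret"), instanceProfileProvider()));
        System.out.println(fromConf.accessKey()); // CONSTRUCTED-CONF-KEY
    }
}
```

Throwing while the chain is being assembled, rather than inside the provider's lookup, would stop the first case before the second provider is ever consulted.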