[jira] [Commented] (HADOOP-13237) s3a initialization against public bucket fails if caller lacks any credentials

Fri, 03 Jun 2016 14:08:15 -0700 

    [ 
https://issues.apache.org/jira/browse/HADOOP-13237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15314812#comment-15314812
 ] 

Chris Nauroth commented on HADOOP-13237:
----------------------------------------

This looks to me like {{AnonymousAWSCredentials}} is fundamentally unusable in 
a {{AWSCredentialsProviderChain}}.

The {{AnonymousAWSCredentials}} is hard-coded to return a null key and secret.

https://github.com/aws/aws-sdk-java/blob/master/aws-java-sdk-core/src/main/java/com/amazonaws/auth/AnonymousAWSCredentials.java#L26-L38

However, the chain is coded to throw an exception if it walks the whole chain 
and can't find a non-null key and secret.

https://github.com/aws/aws-sdk-java/blob/master/aws-java-sdk-core/src/main/java/com/amazonaws/auth/AWSCredentialsProviderChain.java#L108-L132

I'd be curious if it works when you swap out the {{credentials = new 
AWSCredentialsProviderChain(...)}} line for a straight call to {{credentials = 
new AnonymousAWSCredentialsProvider()}}.  If it does, then I think this could 
be interpreted as a bug in the AWS SDK, and we might consider filing a patch to 
that project.

In the absence of AWS SDK changes, we could have a configuration property like 
{{fs.s3a.anonymous.access}}, which if true would skip the chain and just create 
the anonymous provider.  Actually, it might be good for anonymous access to be 
opt-in via configuration anyway, because I expect most deployments wouldn't 
want anonymous access and would prefer to fail fast so they know to lock down 
their bucket.

> s3a initialization against public bucket fails if caller lacks any credentials
> ------------------------------------------------------------------------------
>
>                 Key: HADOOP-13237
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13237
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/s3
>    Affects Versions: 2.8.0
>            Reporter: Steve Loughran
>            Assignee: Steve Loughran
>
> If an S3 bucket is public, anyone should be able to read from it.
> However, you cannot create an s3a client bonded to a public bucket unless you 
> have some credentials; the {{doesBucketExist()}} check rejects the call.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to