[ https://issues.apache.org/jira/browse/HADOOP-15141?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Steve Loughran updated HADOOP-15141:
------------------------------------
Attachment: HADOOP-15141-004.patch
Patch 004; wrap up all the tests that I can think of.
Being able to restrict permissions in tests is interesting, as it means that
given a role ARN with the normal R/W permissions, we could have tests which
assume it but with a restricted policy, such as read only access, or RW to S3
but no DDB access to see what s3guard does. A test team could have fun here.
* Tests for session names + stack trace to troubleshooting if an invalid string
is passed in
* added a test for a restrictive policy and expecting IO to fail.
* factored out duplication in tests for a tighter set of tests, and then added
a description for them all
* Fixed S3AFS.toString() to not NPE when the FS is uninitialized, and added a
test for this regular regression. (Found during debugging)
* improved error message on (getFileStatus "/") to include that path, as it was
just including "" as the path, which is useless.
Now you get
{code}
java.nio.file.AccessDeniedException: s3a://hwdev-steve-ireland-new/:
getFileStatus on s3a://hwdev-steve-ireland-new/:
com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service:
Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID:
F57E52775EF3A83F; S3 Extended Request ID:
tUs++zZ9bzNeBhT3608lk44o74uSr/JPvJw+x2inFtHFCtzvPAi3RmVaZPbwQPVH0klquaYhs1c=),
S3 Extended Request ID:
tUs++zZ9bzNeBhT3608lk44o74uSr/JPvJw+x2inFtHFCtzvPAi3RmVaZPbwQPVH0klquaYhs1c=:AccessDenied
  at org.apache.hadoop.fs.s3a.S3AUtils.translateException(S3AUtils.java:215)
{code}
Tested: S3 Ireland
> Support IAM Assumed roles in S3A
> --------------------------------
>
> Key: HADOOP-15141
> URL: https://issues.apache.org/jira/browse/HADOOP-15141
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: fs/s3
> Affects Versions: 3.0.0
> Reporter: Steve Loughran
> Assignee: Steve Loughran
> Attachments: HADOOP-15141-001.patch, HADOOP-15141-002.patch,
> HADOOP-15141-003.patch, HADOOP-15141-004.patch
>
>
> Add the ability to use assumed roles in S3A
> * Add a property fs.s3a.assumed.role.arn for the ARN of the assumed role
> * add a new provider which grabs that and other properties and then creates a
> {{STSAssumeRoleSessionCredentialsProvider}} from it.
> * This also needs to support building up its own list of aws credential
> providers, from a different property; make the changes to S3AUtils for that
> * Tests
> * docs
> * and have the AwsProviderList forward closeable to it.
> * Get picked up automatically by DDB/s3guard
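
The restricted-policy tests mentioned in the comment above rely on the fact that a policy supplied when assuming a role can only narrow what the role itself allows. The sketch below is an added example, not code from the patch or from Hadoop: it models that intersection for the two cases named (read-only access, and RW to S3 with no DDB access). The policies, bucket and table ARNs are constructed, and the evaluation is a simplification that handles only Allow/Deny statements with wildcard Action and Resource matching (no conditions, NotAction or principals).

```python
from fnmatch import fnmatchcase

# Constructed role policy: the "normal R/W permissions" (S3 plus DynamoDB).
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "dynamodb:*"], "Resource": "*"}]}

# Constructed restricted policies passed when the role is assumed.
READ_ONLY_SESSION = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}
S3_RW_NO_DDB_SESSION = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# Constructed resources used by the sample requests.
OBJ = "arn:aws:s3:::example-bucket/data.csv"
TABLE = "arn:aws:dynamodb:eu-west-1:111122223333:table/example-table"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _decision(policy, action, resource):
    """Return 'Deny', 'Allow' or None (implicit deny) for one policy document."""
    result = None
    for st in _as_list(policy["Statement"]):
        # Action names are matched case-insensitively, resources case-sensitively.
        hit = (any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"]))
               and any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])))
        if hit and st["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        if hit:
            result = "Allow"
    return result

def session_allows(role_policy, session_policy, action, resource):
    """A request succeeds only if the role policy AND the session policy allow it."""
    return (_decision(role_policy, action, resource) == "Allow"
            and _decision(session_policy, action, resource) == "Allow")

def outcomes(session_policy):
    """Expected result of three representative operations under a session policy."""
    requests = [("s3:GetObject", OBJ), ("s3:PutObject", OBJ), ("dynamodb:GetItem", TABLE)]
    return {a: session_allows(ROLE_POLICY, session_policy, a, r) for a, r in requests}

if __name__ == "__main__":
    for name, pol in [("read-only", READ_ONLY_SESSION), ("s3-rw-no-ddb", S3_RW_NO_DDB_SESSION)]:
        print(name, outcomes(pol))
```

A test that assumes the role with the read-only policy should therefore expect writes to fail with an access-denied error like the one shown in the comment.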