[
https://issues.apache.org/jira/browse/HADOOP-15583?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16537559#comment-16537559
]
Steve Loughran commented on HADOOP-15583:
-----------------------------------------
Patch 002
Bit more complication here (good and bad). The AWS SDKs don't close credential
providers. Good: we can control cleanup better. Bad: it means that any provider
which kicks off background threads (AssumedRole) will not be closing those
threads down when the FS is closed, which means 1-2 threads/FS instance.
Expensive in long-lived processes which create & destroy filesystem instances.
(good news: AssumedRole is too new for this).
This patch explicitly closes credentials in both S3Guard and FS close, and in
AssumedRole too, and tests all of this by looking at the reference count
values. Testing. S3 Ireland. Having some connectivity problems and some stuff
I've been doing with roles adds some more stack traces for HADOOP-15572.
> S3Guard to get AWS Credential chain from S3AFS
> ----------------------------------------------
>
> Key: HADOOP-15583
> URL: https://issues.apache.org/jira/browse/HADOOP-15583
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: fs/s3
> Affects Versions: 3.1.0
> Reporter: Steve Loughran
> Assignee: Steve Loughran
> Priority: Major
> Attachments: HADOOP-15583-001.patch, HADOOP-15583-002.patch
>
>
> S3Guard builds its DDB auth chain itself, which stops it having to worry
> about being created standalone vs part of an S3AFS, but it means its
> authenticators are in a separate chain.
> When you are using short-lived assumed roles or other session credentials
> updated in the S3A FS authentication chain, you need that same set of
> credentials picked up by DDB. Otherwise, at best you are doubling load, at
> worst: the DDB connector may not get refreshed credentials.
> Proposed: {{DynamoDBClientFactory.createDynamoDBClient()}} to take an
> optional ref to aws credentials. If set: don't create a new set.
> There's one little complication here: our {{AWSCredentialProviderList}} list
> is autocloseable; its close() will go through all children and close them.
> Apparently the AWS S3 client (and hopefully the DDB client) will close this
> when they are closed themselves. If DDB has the same set of credentials as
> the FS, then there could be trouble if they are closed in one place when the
> other still wants to use them.
> Solution: have a use count of the uses of the credentials list, starting at one:
> every close() call decrements, and when this hits zero the cleanup is kicked
> off.
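
The use count proposed in the issue description, sketched as an added example (not Hadoop's code and not taken from the patch). The class `RefCountedProviders` and its method names are hypothetical, and a counter lambda stands in for a provider that owns background threads.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.atomic.AtomicInteger;

// Hypothetical stand-in for a closeable credential provider list; not Hadoop's class.
public class RefCountedProviders implements AutoCloseable {
    private final List<AutoCloseable> providers = new ArrayList<>();
    // Starts at one: the creator (here, the filesystem) holds the first reference.
    private final AtomicInteger refCount = new AtomicInteger(1);

    public RefCountedProviders add(AutoCloseable p) { providers.add(p); return this; }

    // Hand the same list to a second owner, e.g. the DynamoDB client.
    public RefCountedProviders share() {
        // Never revive a list whose providers have already been closed.
        int prev = refCount.getAndUpdate(c -> c > 0 ? c + 1 : c);
        if (prev <= 0) throw new IllegalStateException("provider list already closed");
        return this;
    }

    public int getRefCount() { return refCount.get(); }
    public boolean isClosed() { return refCount.get() <= 0; }

    @Override
    public void close() {
        // Decrement, but never below zero, so close() after the final release is a no-op.
        int prev = refCount.getAndUpdate(c -> c > 0 ? c - 1 : c);
        if (prev != 1) return;  // other owners remain, or cleanup already ran
        for (AutoCloseable p : providers) {
            // One failing provider must not stop the others from being shut down.
            try { p.close(); } catch (Exception e) { System.err.println("close failed: " + e); }
        }
    }

    public static void main(String[] args) {
        int[] closed = {0};  // constructed probe: counts provider close() calls
        RefCountedProviders fsCreds = new RefCountedProviders().add(() -> closed[0]++);
        RefCountedProviders ddbCreds = fsCreds.share();  // second owner
        ddbCreds.close();  // metadata store shuts down first
        System.out.println("after first close: refs=" + fsCreds.getRefCount() + " closed=" + closed[0]);
        fsCreds.close();   // last owner releases: providers are closed now
        System.out.println("after last close: refs=" + fsCreds.getRefCount() + " closed=" + closed[0]);
        fsCreds.close();   // extra close does not run cleanup a second time
        System.out.println("after extra close: closed=" + closed[0]);
    }
}
```

The count only protects owners that each call `close()` once; an owner that closes twice while another still holds a reference releases the providers early.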