[ https://issues.apache.org/jira/browse/HADOOP-15642?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16567314#comment-16567314 ]
Steve Loughran commented on HADOOP-15642:
-----------------------------------------
With this SDK, the new test in HADOOP-15583 for assumed role duration >1h
(correctly) fails, indicating that the client SDK is no longer failing if the
requested duration is > 1h.
{code}
at org.apache.hadoop.test.LambdaTestUtils.intercept(LambdaTestUtils.java:492)
at org.apache.hadoop.test.LambdaTestUtils.intercept(LambdaTestUtils.java:377)
at org.apache.hadoop.test.LambdaTestUtils.intercept(LambdaTestUtils.java:446)
at org.apache.hadoop.fs.s3a.S3ATestUtils.interceptClosing(S3ATestUtils.java:480)
at org.apache.hadoop.fs.s3a.auth.ITestAssumeRole.expectFileSystemCreateFailure(ITestAssumeRole.java:122)
at org.apache.hadoop.fs.s3a.auth.ITestAssumeRole.testAssumeRoleThreeHourSessionDuration(ITestAssumeRole.java:267)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47)
at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44)
at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
at org.junit.rules.TestWatcher$1.evaluate(TestWatcher.java:55)
at org.junit.internal.runners.statements.FailOnTimeout$StatementThread.run(FailOnTimeout.java:74)
{code}
A test for a duration of 36h now fails with a 400 error coming back from the STS
service itself, which implies that the SDK isn't doing any checks; it's all in the
service.
{code}
Caused by: com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: 1 validation error detected: Value '129600' at 'durationSeconds' failed to satisfy constraint: Member must have value less than or equal to 43200 (Service: AWSSecurityTokenService; Status Code: 400; Error Code: ValidationError; Request ID: 4c6ef3ea-9680-11e8-aa3d-815d32cf1bdf)
{code}
> Update to latest/recent version of aws-sdk for Hadoop 3.2
> ---------------------------------------------------------
>
> Key: HADOOP-15642
> URL: https://issues.apache.org/jira/browse/HADOOP-15642
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: build, fs/s3
> Affects Versions: 3.2.0
> Reporter: Steve Loughran
> Assignee: Steve Loughran
> Priority: Blocker
> Attachments: HADOOP-15642-001.patch, HADOOP-15642-003.patch, Screen
> Shot 2018-07-30 at 14.11.22.png
>
>
> Move to a later version of the AWS SDK library for a different set of
> features and issues.
> proposed version: 1.11.375
> One thing which doesn't work on the one we ship with is the ability to create
> assumed role sessions >1h, as there's a check in the client lib for
> role-duration <= 3600 seconds. I'll assume more recent SDKs delegate duration
> checks to the far end.
> see:
> [https://aws.amazon.com/about-aws/whats-new/2018/03/longer-role-sessions/]
> * assuming later versions will extend assumed role life, docs will need
> changing,
> * Adding a test in HADOOP-15583 which expects an error message if you ask for
> a duration of 3h; this should act as the test to see what happens.
> * think this time would be good to explicitly write down the SDK update
> process
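An added example, not code from Hadoop or the AWS SDK: with the client-side check gone, a caller can validate the requested session duration locally and fail before any STS request is made, and can read the enforced limit out of the service's ValidationError text. The class and method names are hypothetical; the 43200 s ceiling is the value in the error above, and the 900 s floor is the documented STS AssumeRole minimum, which the page does not state.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;
public class SessionDurationCheck {
  // Assumptions: 900 s is the STS AssumeRole minimum; 43200 s is the ceiling quoted in the
  // ValidationError above. A role's own maximum can be lower, so STS may still reject.
  static final long MIN_SECONDS = 900, MAX_SECONDS = 43200;
  static final Pattern DURATION = Pattern.compile("(\\d{1,9})([smh])");
  static final Pattern STS_LIMIT = Pattern.compile(
      "Value '(\\d{1,18})' at 'durationSeconds' failed to satisfy constraint: "
      + "Member must have value less than or equal to (\\d{1,18})");

  /** Parse "3600s", "45m" or "3h" into seconds. */
  static long toSeconds(String text) {
    Matcher m = DURATION.matcher(text.trim());
    if (!m.matches()) {
      throw new IllegalArgumentException("unparseable duration: " + text);
    }
    long n = Long.parseLong(m.group(1));
    long unit = m.group(2).equals("h") ? 3600L : m.group(2).equals("m") ? 60L : 1L;
    return n * unit;
  }

  /** Reject out-of-range durations before any request reaches STS. */
  static long validate(String text) {
    long seconds = toSeconds(text);
    if (seconds < MIN_SECONDS || seconds > MAX_SECONDS) {
      throw new IllegalArgumentException(
          seconds + " s is outside " + MIN_SECONDS + ".." + MAX_SECONDS + " s");
    }
    return seconds;
  }

  /** Extract the limit from a service-side ValidationError message, or -1 if absent. */
  static long limitFromStsError(String message) {
    Matcher m = STS_LIMIT.matcher(message);
    return m.find() ? Long.parseLong(m.group(2)) : -1L;
  }

  public static void main(String[] args) {
    // The 3h and 36h durations are the ones the tests in the comment above request.
    for (String d : new String[] {"3h", "36h"}) {
      try {
        System.out.println(d + " accepted: " + validate(d) + " s");
      } catch (IllegalArgumentException e) {
        System.out.println(d + " rejected locally: " + e.getMessage());
      }
    }
    System.out.println("service-side limit: " + limitFromStsError("Value '129600' at "
        + "'durationSeconds' failed to satisfy constraint: "
        + "Member must have value less than or equal to 43200"));
  }
}
```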