[ https://issues.apache.org/jira/browse/HADOOP-14237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16567625#comment-16567625 ]

Steve Loughran commented on HADOOP-14237:
-----------------------------------------

I'm looking at this again, going to move to 3.3 along with most of the other 
outstanding s3 for 3.2 features.

* I don't like saving the full secrets (unencrypted) to HDFS
* session secrets could work, though of course they'll expire within 24h.

Once HADOOP-15883 is in I'm going to revisit HADOOP-14556, which lets the s3a 
client serialize its secrets as a filesystem delegation token, something 
apps (hive, spark, MR) know to ask for and which YARN knows how to securely 
marshall to launched apps. With this feature you could launch things into a 
pool of VMs with reduced privilege IAM roles, sending in higher privilege 
credentials with the request. Would that work?

I've also created HADOOP-15650 to cover the issue of better retry logic on 
credential retrieval. I see there's an async option, which might be more 
responsive, but could put even more load on the service unless managed 
carefully. What it could do though, is handle retries much better (though it'd 
also be more complicated...)

> S3A Support Shared Instance Profile Credentials Across All Hadoop Nodes
> -----------------------------------------------------------------------
>
>                 Key: HADOOP-14237
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14237
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/s3
>    Affects Versions: 2.8.0, 3.0.0-alpha1, 3.0.0-alpha2, 2.8.1
>         Environment: EC2, AWS
>            Reporter: Kazuyuki Tanimura
>            Assignee: Kazuyuki Tanimura
>            Priority: Major
>
> When I run a large Hadoop cluster on EC2 instances with IAM Role, it fails 
> to get the instance profile credentials, and eventually all jobs on the cluster 
> fail. Since a number of S3A clients (all mappers and reducers) try to get the 
> credentials, the AWS credential endpoint starts responding 5xx and 4xx error 
> codes.
> SharedInstanceProfileCredentialsProvider.java is sort of trying to solve it, 
> but it still does not share the credentials with other EC2 nodes / JVM 
> processes.
> This issue prevents users from creating Hadoop clusters on EC2.
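The failure mode above (every mapper and reducer fetching credentials on its own, then retrying in lockstep when the endpoint answers 5xx/4xx) can be illustrated with a small Python model. This is an added example, not S3A's provider or AWS SDK code: a single-flight, process-wide cache that refreshes ahead of expiry, backs off with jitter on endpoint errors, and keeps serving a still-valid credential set when a refresh fails. The class, the `fetch` callable and the sample credential values are assumptions constructed for the example.

```python
import random
import threading
import time

class EndpointBusy(Exception):
    """Stand-in for a 5xx/4xx reply from the instance-profile credentials endpoint."""

class SharedCredentialCache:
    # Hypothetical illustration, not S3A's provider: `fetch` returns
    # (credentials, expires_at) or raises EndpointBusy.
    def __init__(self, fetch, refresh_margin=300.0, max_attempts=5, clock=time.monotonic):
        self._fetch, self._margin, self._max_attempts = fetch, refresh_margin, max_attempts
        self._clock, self._lock = clock, threading.Lock()   # lock: single-flight refresh
        self._creds, self._expires_at = None, 0.0

    def get(self):
        with self._lock:  # callers queue here instead of each hitting the endpoint
            now = self._clock()
            if self._creds is not None and now < self._expires_at - self._margin:
                return self._creds             # still fresh: no network call
            try:
                self._creds, self._expires_at = self._fetch_with_backoff()
            except EndpointBusy:
                if self._creds is None or now >= self._expires_at:
                    raise                      # nothing valid to fall back on
                # refresh failed but the old set has not expired: keep serving it
            return self._creds

    def _fetch_with_backoff(self):
        for attempt in range(self._max_attempts):
            try:
                return self._fetch()
            except EndpointBusy:
                if attempt + 1 == self._max_attempts:
                    raise
                # exponential backoff with full jitter so retries spread out instead of re-synchronising
                time.sleep(0.05 * (2 ** attempt) * random.random())

def simulate(clients=200, failures_before_success=2):
    """Constructed scenario: many clients ask at once, endpoint rejects the first few calls."""
    state = {"left": failures_before_success, "calls": 0}
    def fetch():
        state["calls"] += 1
        if state["left"] > 0:
            state["left"] -= 1
            raise EndpointBusy()
        return ("AKIA-CONSTRUCTED", "secret-constructed"), time.monotonic() + 3600
    cache = SharedCredentialCache(fetch)
    results = [cache.get() for _ in range(clients)]
    return len(set(results)), state["calls"]   # (distinct credential sets, endpoint calls)
```

This only de-duplicates fetches within one process; sharing across the JVMs and nodes the ticket describes needs a distribution mechanism such as the delegation-token approach discussed above.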



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)