[ https://issues.apache.org/jira/browse/HADOOP-18373?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17577007#comment-17577007 ]

ASF GitHub Bot commented on HADOOP-18373:
-----------------------------------------

virajjasani commented on PR #4705:
URL: https://github.com/apache/hadoop/pull/4705#issuecomment-1208699976

   > > InvalidClientTokenId
   > 
   > never seen that; docs say "AWS access key ID provided does not exist in our records."
   > 
   > it might be that the arn of the token you are asking for doesn't exist, or that you don't have permissions to create sessions for it and it is failing
   
   Thanks @steveloughran. Here is what I did: created role, provided policy, created user, provided the same policy. Updated role's trust relationship to allow user to perform assume-role on the role.
   Performed assume-role with `aws sts assume-role --role-arn arn:aws:iam::{account}:role/{role_name} --role-session-name "{role_name}"` and it produced access-key, secret-key and session-token. Used these creds in auth-keys.xml, ran `ITestS3ATemporaryCredentials` tests, and testSTS() fails with:
   
   ```
   java.nio.file.AccessDeniedException: : request session credentials: com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: Cannot call GetSessionToken with session credentials (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: 16996a06-fe91-47a7-a938-f4fd0eb0ff94; Proxy: null):AccessDenied
   
        at org.apache.hadoop.fs.s3a.S3AUtils.translateException(S3AUtils.java:247)
        at org.apache.hadoop.fs.s3a.Invoker.once(Invoker.java:124)
        at org.apache.hadoop.fs.s3a.Invoker.lambda$retry$4(Invoker.java:376)
        at org.apache.hadoop.fs.s3a.Invoker.retryUntranslated(Invoker.java:468)
        at org.apache.hadoop.fs.s3a.Invoker.retry(Invoker.java:372)
        at org.apache.hadoop.fs.s3a.Invoker.retry(Invoker.java:347)
        at org.apache.hadoop.fs.s3a.auth.STSClientFactory$STSClient.requestSessionCredentials(STSClientFactory.java:202)
        at org.apache.hadoop.fs.s3a.ITestS3ATemporaryCredentials.testSTS(ITestS3ATemporaryCredentials.java:133)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:59)
        at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
        at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:56)
        at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
        at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
        at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
        at org.junit.rules.TestWatcher$1.evaluate(TestWatcher.java:61)
        at org.junit.internal.runners.statements.FailOnTimeout$CallableStatement.call(FailOnTimeout.java:299)
        at org.junit.internal.runners.statements.FailOnTimeout$CallableStatement.call(FailOnTimeout.java:293)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.lang.Thread.run(Thread.java:750)
   Caused by: com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: Cannot call GetSessionToken with session credentials (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: 16996a06-fe91-47a7-a938-f4fd0eb0ff94; Proxy: null)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1879)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleServiceErrorResponse(AmazonHttpClient.java:1418)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1387)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1157)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:814)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:781)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:755)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:715)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:697)
        at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:561)
        at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:541)
        at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.doInvoke(AWSSecurityTokenServiceClient.java:1727)
        at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1694)
        at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1683)
        at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.executeGetSessionToken(AWSSecurityTokenServiceClient.java:1621)
        at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.getSessionToken(AWSSecurityTokenServiceClient.java:1589)
        at org.apache.hadoop.fs.s3a.auth.STSClientFactory$STSClient.lambda$requestSessionCredentials$0(STSClientFactory.java:206)
        at org.apache.hadoop.fs.s3a.Invoker.once(Invoker.java:122)
        ... 21 more
   
   ```
   
   Perhaps the user (who did the assume-role) doesn't have some specific permission?




> IOStatisticsContext tuning
> --------------------------
>
>                 Key: HADOOP-18373
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18373
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/s3, test
>    Affects Versions: 3.3.9
>            Reporter: Steve Loughran
>            Assignee: Viraj Jasani
>            Priority: Minor
>              Labels: pull-request-available
>             Fix For: 3.3.9
>
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> Tuning of the IOStatisticsContext code
> h2. change property name to fs.iostatistics....
> there are other fs.iostatistics options, the new one needs consistent naming
> h2. enable in hadoop-aws
> edit core-site.xml in hadoop-aws/test/resources to always collect context IOStatistics
> This helps qualify the code
> {code}
>         <property>
>           <name>fs.thread.level.iostatistics.enabled</name>
>           <value>true</value>
>         </property>
> {code}
> h3. IOStatisticsContext to add static probe to see if it is enabled.
> lets apps know not to bother collecting/reporting



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
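
A pre-flight check for the failure quoted in the comment above, as an added example (not code from the Hadoop project or the PR): it reads a Hadoop-style auth-keys.xml and reports whether the configured keys are session credentials, which STS rejects for GetSessionToken. The XML samples and key values are constructed placeholders; it assumes auth-keys.xml sets the S3A options `fs.s3a.access.key`, `fs.s3a.secret.key` and `fs.s3a.session.token`, and relies on the AWS key ID prefixes `AKIA` (long-term) and `ASIA` (temporary).

```python
import xml.etree.ElementTree as ET

ACCESS, SECRET, TOKEN = ("fs.s3a.access.key", "fs.s3a.secret.key",
                         "fs.s3a.session.token")


def _auth_keys(access, token=None):
    """Build a constructed auth-keys.xml (placeholder values, not real keys)."""
    props = {ACCESS: access, SECRET: "constructed-secret"}
    if token:
        props[TOKEN] = token
    body = "".join(f"<property><name>{k}</name><value>{v}</value></property>"
                   for k, v in props.items())
    return f"<configuration>{body}</configuration>"


# Constructed samples: output of `aws sts assume-role` vs. plain IAM user keys.
SAMPLE_ASSUMED_ROLE = _auth_keys("ASIAEXAMPLEEXAMPLE00", "constructed-token")
SAMPLE_IAM_USER = _auth_keys("AKIAEXAMPLEEXAMPLE00")


def load_properties(xml_text):
    """Parse Hadoop <configuration> XML into a name -> value dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def classify(props):
    """Return 'missing', 'session' or 'long-lived' without echoing secrets."""
    access = props.get(ACCESS, "")
    if not access:
        return "missing"
    # A session token or an ASIA-prefixed key ID marks temporary credentials.
    if props.get(TOKEN) or access.startswith("ASIA"):
        return "session"
    return "long-lived"


def get_session_token_preflight(xml_text):
    """Return (ok, reason): can these keys be used to call GetSessionToken?"""
    kind = classify(load_properties(xml_text))
    if kind == "session":
        return False, "session credentials: STS rejects GetSessionToken; needs IAM user keys"
    if kind == "missing":
        return False, "no fs.s3a.access.key configured"
    return True, "long-lived keys: GetSessionToken can be requested"
```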
