[jira] [Commented] (HADOOP-13237) s3a initialization against public bucket fails if caller lacks any credentials
[ https://issues.apache.org/jira/browse/HADOOP-13237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15322887#comment-15322887 ] Hudson commented on HADOOP-13237: - SUCCESS: Integrated in Hadoop-trunk-Commit #9936 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/9936/]) HADOOP-13237: s3a initialization against public bucket fails if caller (stevel: rev 656c460c0e79ee144d6ef48d85cec04a1af3b2cc) * hadoop-tools/hadoop-aws/src/test/java/org/apache/hadoop/fs/s3a/TestS3AAWSCredentialsProvider.java * hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/BasicAWSCredentialsProvider.java * hadoop-tools/hadoop-aws/src/site/markdown/tools/hadoop-aws/index.md * hadoop-common-project/hadoop-common/src/main/resources/core-default.xml * hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/S3AFileSystem.java * hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/AnonymousAWSCredentialsProvider.java > s3a initialization against public bucket fails if caller lacks any credentials > -- > > Key: HADOOP-13237 > URL: https://issues.apache.org/jira/browse/HADOOP-13237 > Project: Hadoop Common > Issue Type: Sub-task > Components: fs/s3 >Affects Versions: 2.8.0 >Reporter: Steve Loughran >Assignee: Chris Nauroth >Priority: Minor > Fix For: 2.8.0 > > Attachments: HADOOP-13237-branch-2.002.patch, HADOOP-13237.001.patch > > > If an S3 bucket is public, anyone should be able to read from it. > However, you cannot create an s3a client bonded to a public bucket unless you > have some credentials; the {{doesBucketExist()}} check rejects the call. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13237) s3a initialization against public bucket fails if caller lacks any credentials
[ https://issues.apache.org/jira/browse/HADOOP-13237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15322802#comment-15322802 ] Steve Loughran commented on HADOOP-13237: - (commit in progress, just being strict and testing on every branch before pushing up results) > s3a initialization against public bucket fails if caller lacks any credentials > -- > > Key: HADOOP-13237 > URL: https://issues.apache.org/jira/browse/HADOOP-13237 > Project: Hadoop Common > Issue Type: Sub-task > Components: fs/s3 >Affects Versions: 2.8.0 >Reporter: Steve Loughran >Assignee: Chris Nauroth >Priority: Minor > Fix For: 2.8.0 > > Attachments: HADOOP-13237-branch-2.002.patch, HADOOP-13237.001.patch > > > If an S3 bucket is public, anyone should be able to read from it. > However, you cannot create an s3a client bonded to a public bucket unless you > have some credentials; the {{doesBucketExist()}} check rejects the call. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13237) s3a initialization against public bucket fails if caller lacks any credentials
[ https://issues.apache.org/jira/browse/HADOOP-13237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15322701#comment-15322701 ] Steve Loughran commented on HADOOP-13237: - +1, works for me. > s3a initialization against public bucket fails if caller lacks any credentials > -- > > Key: HADOOP-13237 > URL: https://issues.apache.org/jira/browse/HADOOP-13237 > Project: Hadoop Common > Issue Type: Sub-task > Components: fs/s3 >Affects Versions: 2.8.0 >Reporter: Steve Loughran >Assignee: Chris Nauroth >Priority: Minor > Fix For: 2.8.0 > > Attachments: HADOOP-13237-branch-2.002.patch, HADOOP-13237.001.patch > > > If an S3 bucket is public, anyone should be able to read from it. > However, you cannot create an s3a client bonded to a public bucket unless you > have some credentials; the {{doesBucketExist()}} check rejects the call. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13237) s3a initialization against public bucket fails if caller lacks any credentials
[ https://issues.apache.org/jira/browse/HADOOP-13237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15322621#comment-15322621 ] Steve Loughran commented on HADOOP-13237: - LGTM...doing a test run > s3a initialization against public bucket fails if caller lacks any credentials > -- > > Key: HADOOP-13237 > URL: https://issues.apache.org/jira/browse/HADOOP-13237 > Project: Hadoop Common > Issue Type: Sub-task > Components: fs/s3 >Affects Versions: 2.8.0 >Reporter: Steve Loughran >Assignee: Chris Nauroth >Priority: Minor > Fix For: 2.8.0 > > Attachments: HADOOP-13237-branch-2.002.patch, HADOOP-13237.001.patch > > > If an S3 bucket is public, anyone should be able to read from it. > However, you cannot create an s3a client bonded to a public bucket unless you > have some credentials; the {{doesBucketExist()}} check rejects the call. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13237) s3a initialization against public bucket fails if caller lacks any credentials
[ https://issues.apache.org/jira/browse/HADOOP-13237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15320068#comment-15320068 ] Chris Nauroth commented on HADOOP-13237: I have completed a successful parallel test run against US-west-2. The test failures in the last pre-commit run are unrelated. > s3a initialization against public bucket fails if caller lacks any credentials > -- > > Key: HADOOP-13237 > URL: https://issues.apache.org/jira/browse/HADOOP-13237 > Project: Hadoop Common > Issue Type: Sub-task > Components: fs/s3 >Affects Versions: 2.8.0 >Reporter: Steve Loughran >Assignee: Chris Nauroth >Priority: Minor > Fix For: 2.8.0 > > Attachments: HADOOP-13237-branch-2.002.patch, HADOOP-13237.001.patch > > > If an S3 bucket is public, anyone should be able to read from it. > However, you cannot create an s3a client bonded to a public bucket unless you > have some credentials; the {{doesBucketExist()}} check rejects the call. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13237) s3a initialization against public bucket fails if caller lacks any credentials
[ https://issues.apache.org/jira/browse/HADOOP-13237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15319843#comment-15319843 ] Hadoop QA commented on HADOOP-13237: | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 28s{color} | {color:blue} Docker mode activated. {color} | | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 1 new or modified test files. {color} | | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 31s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 6m 34s{color} | {color:green} branch-2 passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 5m 42s{color} | {color:green} branch-2 passed with JDK v1.8.0_91 {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 6m 26s{color} | {color:green} branch-2 passed with JDK v1.7.0_101 {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 27s{color} | {color:green} branch-2 passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 1m 15s{color} | {color:green} branch-2 passed {color} | | {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 0m 27s{color} | {color:green} branch-2 passed {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 2m 7s{color} | {color:green} branch-2 passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 1m 13s{color} | {color:green} branch-2 passed with JDK v1.8.0_91 {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 1m 21s{color} | {color:green} branch-2 passed with JDK v1.7.0_101 {color} | | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 14s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 0m 56s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 5m 39s{color} | {color:green} the patch passed with JDK v1.8.0_91 {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 5m 39s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 6m 25s{color} | {color:green} the patch passed with JDK v1.7.0_101 {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 6m 25s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 22s{color} | {color:green} root: The patch generated 0 new + 9 unchanged - 2 fixed = 9 total (was 11) {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 1m 17s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 0m 26s{color} | {color:green} the patch passed {color} | | {color:red}-1{color} | {color:red} whitespace {color} | {color:red} 0m 0s{color} | {color:red} The patch has 49 line(s) that end in whitespace. Use git apply --whitespace=fix. {color} | | {color:green}+1{color} | {color:green} xml {color} | {color:green} 0m 1s{color} | {color:green} The patch has no ill-formed XML file. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 2m 36s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 1m 6s{color} | {color:green} the patch passed with JDK v1.8.0_91 {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 1m 24s{color} | {color:green} the patch passed with JDK v1.7.0_101 {color} | | {color:red}-1{color} | {color:red} unit {color} | {color:red} 8m 13s{color} | {color:red} hadoop-common in the patch failed with JDK v1.7.0_101. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 0m 13s{color} | {color:green} hadoop-aws in the patch passed with JDK v1.7.0_101. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 21s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black} 76m 48s{color} | {color:black} {color} | \\ \\ || Reason || Tests || | JDK v1.8.0_91 Timed out junit tests |
[jira] [Commented] (HADOOP-13237) s3a initialization against public bucket fails if caller lacks any credentials
[ https://issues.apache.org/jira/browse/HADOOP-13237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15318089#comment-15318089 ] Steve Loughran commented on HADOOP-13237: - wow, good find. # we could have an anon provider subclass which has the constructor; that would eliminate the need to have a handler. # maybe also: log @ Info? # this should be straightforward to test > s3a initialization against public bucket fails if caller lacks any credentials > -- > > Key: HADOOP-13237 > URL: https://issues.apache.org/jira/browse/HADOOP-13237 > Project: Hadoop Common > Issue Type: Sub-task > Components: fs/s3 >Affects Versions: 2.8.0 >Reporter: Steve Loughran >Assignee: Chris Nauroth >Priority: Minor > Fix For: 2.8.0 > > Attachments: HADOOP-13237.001.patch > > > If an S3 bucket is public, anyone should be able to read from it. > However, you cannot create an s3a client bonded to a public bucket unless you > have some credentials; the {{doesBucketExist()}} check rejects the call. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13237) s3a initialization against public bucket fails if caller lacks any credentials
[ https://issues.apache.org/jira/browse/HADOOP-13237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15315828#comment-15315828 ] Steve Loughran commented on HADOOP-13237: - I don't see us being able to fix this; I've tried to bypass auth or insert fake credentials, and the s3 reads of the public landsat dataset fail at the {{verifyBucketExists()}} call. Command that out and it fails on the first read. That's even though the datasets are visible over http. Assumption: you really need credentials to use the AWS library, even if you are accessing other people's public data. The client is presumably setting up auth without negotiating over requirements at the far end, and bailing out early if there aren't any. And, if you make up credentials, they get rejected s3 side for being invalid. > s3a initialization against public bucket fails if caller lacks any credentials > -- > > Key: HADOOP-13237 > URL: https://issues.apache.org/jira/browse/HADOOP-13237 > Project: Hadoop Common > Issue Type: Sub-task > Components: fs/s3 >Affects Versions: 2.8.0 >Reporter: Steve Loughran >Assignee: Steve Loughran > > If an S3 bucket is public, anyone should be able to read from it. > However, you cannot create an s3a client bonded to a public bucket unless you > have some credentials; the {{doesBucketExist()}} check rejects the call. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13237) s3a initialization against public bucket fails if caller lacks any credentials
[ https://issues.apache.org/jira/browse/HADOOP-13237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15314812#comment-15314812 ] Chris Nauroth commented on HADOOP-13237: This looks to me like {{AnonymousAWSCredentials}} is fundamentally unusable in a {{AWSCredentialsProviderChain}}. The {{AnonymousAWSCredentials}} is hard-coded to return a null key and secret. https://github.com/aws/aws-sdk-java/blob/master/aws-java-sdk-core/src/main/java/com/amazonaws/auth/AnonymousAWSCredentials.java#L26-L38 However, the chain is coded to throw an exception if it walks the whole chain and can't find a non-null key and secret. https://github.com/aws/aws-sdk-java/blob/master/aws-java-sdk-core/src/main/java/com/amazonaws/auth/AWSCredentialsProviderChain.java#L108-L132 I'd be curious if it works when you swap out the {{credentials = new AWSCredentialsProviderChain(...)}} line for a straight call to {{credentials = new AnonymousAWSCredentialsProvider()}}. If it does, then I think this could be interpreted as a bug in the AWS SDK, and we might consider filing a patch to that project. In the absence of AWS SDK changes, we could have a configuration property like {{fs.s3a.anonymous.access}}, which if true would skip the chain and just create the anonymous provider. Actually, it might be good for anonymous access to be opt-in via configuration anyway, because I expect most deployments wouldn't want anonymous access and would prefer to fail fast so they know to lock down their bucket. > s3a initialization against public bucket fails if caller lacks any credentials > -- > > Key: HADOOP-13237 > URL: https://issues.apache.org/jira/browse/HADOOP-13237 > Project: Hadoop Common > Issue Type: Sub-task > Components: fs/s3 >Affects Versions: 2.8.0 >Reporter: Steve Loughran >Assignee: Steve Loughran > > If an S3 bucket is public, anyone should be able to read from it. > However, you cannot create an s3a client bonded to a public bucket unless you > have some credentials; the {{doesBucketExist()}} check rejects the call. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13237) s3a initialization against public bucket fails if caller lacks any credentials
[ https://issues.apache.org/jira/browse/HADOOP-13237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15314779#comment-15314779 ] Steve Loughran commented on HADOOP-13237: - Should we maybe be more relaxed about failures of verifying a bucket exists on startup? I'll try and experiment with downgrading to a warn and seeing what happens to a test run. Irony: we never see this problem in hadoop-aws test runs, because they only run if you have credentials. > s3a initialization against public bucket fails if caller lacks any credentials > -- > > Key: HADOOP-13237 > URL: https://issues.apache.org/jira/browse/HADOOP-13237 > Project: Hadoop Common > Issue Type: Sub-task > Components: fs/s3 >Affects Versions: 2.8.0 >Reporter: Steve Loughran >Assignee: Steve Loughran > > If an S3 bucket is public, anyone should be able to read from it. > However, you cannot create an s3a client bonded to a public bucket unless you > have some credentials; the {{doesBucketExist()}} check rejects the call. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13237) s3a initialization against public bucket fails if caller lacks any credentials
[ https://issues.apache.org/jira/browse/HADOOP-13237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15314772#comment-15314772 ] Steve Loughran commented on HADOOP-13237: - stack {code} 16/06/03 21:40:37 INFO BlockManagerMasterEndpoint: Registering block manager localhost:60011 with 511.1 MB RAM, BlockManagerId(driver, localhost, 60011) 16/06/03 21:40:37 INFO BlockManagerMaster: Registered BlockManager 16/06/03 21:40:39 ERROR S3ALineCount: Failed to execute line count org.apache.hadoop.fs.s3a.AWSClientIOException: doesBucketExist on landsat-pds: com.amazonaws.AmazonClientException: Unable to load AWS credentials from any provider in the chain: Unable to load AWS credentials from any provider in the chain at org.apache.hadoop.fs.s3a.S3AUtils.translateException(S3AUtils.java:82) at org.apache.hadoop.fs.s3a.S3AFileSystem.verifyBucketExists(S3AFileSystem.java:300) at org.apache.hadoop.fs.s3a.S3AFileSystem.initialize(S3AFileSystem.java:267) at org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:2793) at org.apache.hadoop.fs.FileSystem.access$200(FileSystem.java:101) at org.apache.hadoop.fs.FileSystem$Cache.getInternal(FileSystem.java:2830) at org.apache.hadoop.fs.FileSystem$Cache.get(FileSystem.java:2812) at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:389) at org.apache.spark.cloud.s3.examples.S3ALineCount$.innerMain(S3ALineCount.scala:75) at org.apache.spark.cloud.s3.examples.S3ALineCount$.main(S3ALineCount.scala:50) at org.apache.spark.cloud.s3.examples.S3ALineCount.main(S3ALineCount.scala) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.spark.deploy.SparkSubmit$.org$apache$spark$deploy$SparkSubmit$$runMain(SparkSubmit.scala:731) at org.apache.spark.deploy.SparkSubmit$.doRunMain$1(SparkSubmit.scala:181) at org.apache.spark.deploy.SparkSubmit$.submit(SparkSubmit.scala:206) at org.apache.spark.deploy.SparkSubmit$.main(SparkSubmit.scala:121) at org.apache.spark.deploy.SparkSubmit.main(SparkSubmit.scala) Caused by: com.amazonaws.AmazonClientException: Unable to load AWS credentials from any provider in the chain at com.amazonaws.auth.AWSCredentialsProviderChain.getCredentials(AWSCredentialsProviderChain.java:117) at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:3779) at com.amazonaws.services.s3.AmazonS3Client.headBucket(AmazonS3Client.java:1107) at com.amazonaws.services.s3.AmazonS3Client.doesBucketExist(AmazonS3Client.java:1070) at org.apache.hadoop.fs.s3a.S3AFileSystem.verifyBucketExists(S3AFileSystem.java:288) ... 18 more {code} > s3a initialization against public bucket fails if caller lacks any credentials > -- > > Key: HADOOP-13237 > URL: https://issues.apache.org/jira/browse/HADOOP-13237 > Project: Hadoop Common > Issue Type: Sub-task > Components: fs/s3 >Affects Versions: 2.8.0 >Reporter: Steve Loughran >Assignee: Steve Loughran > > If an S3 bucket is public, anyone should be able to read from it. > However, you cannot create an s3a client bonded to a public bucket unless you > have some credentials; the {{doesBucketExist()}} check rejects the call. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org