[jira] [Commented] (HADOOP-14324) Switch to fs.s3a.server-side-encryption.key as property for encryption secret; improve error reporting and diagnostics
[ https://issues.apache.org/jira/browse/HADOOP-14324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15977804#comment-15977804 ]

Mingliang Liu commented on HADOOP-14324:

+1

> Switch to fs.s3a.server-side-encryption.key as property for encryption secret; improve error reporting and diagnostics
> --
>
> Key: HADOOP-14324
> URL: https://issues.apache.org/jira/browse/HADOOP-14324
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: fs/s3
> Affects Versions: 2.9.0
> Reporter: Steve Loughran
> Assignee: Steve Loughran
> Priority: Blocker
> Attachments: HADOOP-14324-branch-2-001.patch, HADOOP-14324-branch-2-002.patch, HADOOP-14324-branch-2-003.patch
>
> Before this ships, can we rename {{fs.s3a.server-side-encryption-key}} to {{fs.s3a.server-side-encryption.key}}.
> This makes it consistent with all other .key secrets in S3A. so
> * simplifies documentation
> * reduces confusion "is it a - or a ."? This confusion is going to surface in config and support
> I know that CDH is shipping with the old key, but it'll be easy for them to add a deprecation property to handle the migration. I do at least want the ASF release to be stable before it ships.

--
This message was sent by Atlassian JIRA (v6.3.15#6346)

To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-14324) Switch to fs.s3a.server-side-encryption.key as property for encryption secret; improve error reporting and diagnostics
[ https://issues.apache.org/jira/browse/HADOOP-14324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15977640#comment-15977640 ]

Hadoop QA commented on HADOOP-14324:

| (/) *+1 overall* |

|| Vote || Subsystem || Runtime || Comment ||
| 0 | reexec | 0m 18s | Docker mode activated. |
| +1 | @author | 0m 0s | The patch does not contain any @author tags. |
| +1 | test4tests | 0m 0s | The patch appears to include 3 new or modified test files. |
| 0 | mvndep | 1m 5s | Maven dependency ordering for branch |
| +1 | mvninstall | 6m 34s | branch-2 passed |
| +1 | compile | 5m 38s | branch-2 passed with JDK v1.8.0_121 |
| +1 | compile | 6m 46s | branch-2 passed with JDK v1.7.0_121 |
| +1 | checkstyle | 1m 28s | branch-2 passed |
| +1 | mvnsite | 1m 29s | branch-2 passed |
| +1 | mvneclipse | 0m 30s | branch-2 passed |
| +1 | findbugs | 2m 15s | branch-2 passed |
| +1 | javadoc | 1m 3s | branch-2 passed with JDK v1.8.0_121 |
| +1 | javadoc | 1m 8s | branch-2 passed with JDK v1.7.0_121 |
| 0 | mvndep | 0m 16s | Maven dependency ordering for patch |
| +1 | mvninstall | 1m 2s | the patch passed |
| +1 | compile | 6m 33s | the patch passed with JDK v1.8.0_121 |
| +1 | javac | 6m 33s | the patch passed |
| +1 | compile | 7m 10s | the patch passed with JDK v1.7.0_121 |
| +1 | javac | 7m 10s | the patch passed |
| -0 | checkstyle | 1m 31s | root: The patch generated 3 new + 115 unchanged - 0 fixed = 118 total (was 115) |
| +1 | mvnsite | 1m 34s | the patch passed |
| +1 | mvneclipse | 0m 37s | the patch passed |
| +1 | whitespace | 0m 0s | The patch has no whitespace issues. |
| +1 | xml | 0m 0s | The patch has no ill-formed XML file. |
| +1 | findbugs | 2m 58s | the patch passed |
| +1 | javadoc | 1m 6s | the patch passed with JDK v1.8.0_121 |
| +1 | javadoc | 1m 22s | the patch passed with JDK v1.7.0_121 |
| +1 | unit | 8m 27s | hadoop-common in the patch passed with JDK v1.7.0_121. |
| +1 | unit | 0m 29s | hadoop-aws in the patch passed with JDK v1.7.0_121. |
| +1 | asflicense | 0m 29s | The patch does not generate ASF License warnings. |
| | | 96m 34s | |

|| Subsystem || Report/Notes ||
| Docker | Image:yetus/hadoop:8515d35 |
| JIRA Issue | HADOOP-14324 |
| JIRA Patch
[jira] [Commented] (HADOOP-14324) Switch to fs.s3a.server-side-encryption.key as property for encryption secret; improve error reporting and diagnostics
[ https://issues.apache.org/jira/browse/HADOOP-14324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15977579#comment-15977579 ]

John Zhuge commented on HADOOP-14324:

+1

Patch 003 LGTM with a nit:

TestConfigRedactor.java:67-68: Move them to where the existing "fs.s3a" lines are?
[jira] [Commented] (HADOOP-14324) Switch to fs.s3a.server-side-encryption.key as property for encryption secret; improve error reporting and diagnostics
[ https://issues.apache.org/jira/browse/HADOOP-14324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15977496#comment-15977496 ]

Steve Loughran commented on HADOOP-14324:

Example stack trace of the new error. This is running the integration tests against a bucket in AWS London set to mandate AES256; auth-keys enables it too. This breaks the SSEC test setup, which is a separate issue.

{code}
testEncryption(org.apache.hadoop.fs.s3a.ITestS3AEncryptionSSECBlockOutputStream) Time elapsed: 0.07 sec <<< ERROR!
java.io.IOException: AES256 is enabled but an encryption key was set in fs.s3a.server-side-encryption.key (key of length 44 ending with =)
	at org.apache.hadoop.fs.s3a.S3AUtils.getEncryptionAlgorithm(S3AUtils.java:797)
	at org.apache.hadoop.fs.s3a.S3AFileSystem.initialize(S3AFileSystem.java:260)
	at org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:3242)
	at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:467)
	at org.apache.hadoop.fs.contract.AbstractBondedFSContract.init(AbstractBondedFSContract.java:72)
	at org.apache.hadoop.fs.contract.AbstractFSContractTestBase.setup(AbstractFSContractTestBase.java:177)
	at sun.reflect.GeneratedMethodAccessor12.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47)
	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
	at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44)
	at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:24)
	at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
	at org.junit.rules.TestWatcher$1.evaluate(TestWatcher.java:55)
	at org.junit.internal.runners.statements.FailOnTimeout$StatementThread.run(FailOnTimeout.java:74)
{code}
[jira] [Commented] (HADOOP-14324) Switch to fs.s3a.server-side-encryption.key as property for encryption secret; improve error reporting and diagnostics
[ https://issues.apache.org/jira/browse/HADOOP-14324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15977454#comment-15977454 ]

Steve Loughran commented on HADOOP-14324:

I'm pretty happy with the new code; this is the first place I'm adding a hint of diagnostics on secrets too. Cases:
* null password => "null password"
* len == 1 => "password of length 1"
* len > 1 => "password of length $len ending with ${password[len-1]}"

That is: the length of a non-null password is returned, and the last char of it is returned if length >1. The pass is returned; the cost of guessing it is reduced by 1 byte, while providing a hint of details on what the pwd is. for any long secret (SSE-C, ultimately *and not in this JIRA* any AWS ID/Key) doesn't get weakened much. I'm assuming that there are never secrets of just a few bytes, which holds for anything you actually want to secure.
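The three diagnostic cases listed in the comment above, and the AES256-plus-key check whose error appears in the stack trace, sketched as an added example; this is not the code from the HADOOP-14324 patches. The class name, the method names, the use of a plain `Map` in place of Hadoop's configuration, the handling of an empty string, and the fallback to the old property name are all assumptions made for illustration.

```java
import java.io.IOException;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Hypothetical class; a Map stands in for Hadoop's configuration object.
public class SecretDiagnostics {
  static final String NEW_KEY = "fs.s3a.server-side-encryption.key";
  static final String OLD_KEY = "fs.s3a.server-side-encryption-key";

  /** Describe a secret for an error message without printing the secret itself. */
  static String describe(String kind, String secret) {
    if (secret == null) {
      return "null " + kind;
    }
    int len = secret.length();
    if (len <= 1) {
      // A 1-char value is never echoed; length 0 is treated the same way (assumption).
      return kind + " of length " + len;
    }
    // Only the length and the final character are disclosed.
    return kind + " of length " + len + " ending with " + secret.charAt(len - 1);
  }

  /** Read the renamed property, falling back to the hyphenated name (assumed migration path). */
  static String lookupKey(Map<String, String> conf) {
    String value = conf.get(NEW_KEY);
    return value != null ? value : conf.get(OLD_KEY);
  }

  /** Fail fast when AES256 is selected but a client-supplied key is also configured. */
  static void validate(String algorithm, Map<String, String> conf) throws IOException {
    String key = lookupKey(conf);
    if ("AES256".equals(algorithm) && key != null && !key.isEmpty()) {
      throw new IOException("AES256 is enabled but an encryption key was set in "
          + NEW_KEY + " (" + describe("key", key) + ")");
    }
  }

  public static void main(String[] args) {
    Map<String, String> conf = new HashMap<>();
    // Constructed sample: base64 of 32 zero bytes, not a real key.
    conf.put(NEW_KEY, Base64.getEncoder().encodeToString(new byte[32]));
    try {
      validate("AES256", conf);
    } catch (IOException e) {
      System.out.println(e.getMessage());
    }
    System.out.println(describe("password", null));
    System.out.println(describe("password", "x"));
  }
}
```

A 32-byte key encoded as base64 is always 44 characters with a single `=` of padding at the end, which is why the stack trace reports "key of length 44 ending with ="; for a key of that form the disclosed last character carries no key material.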