[jira] [Commented] (HADOOP-16653) S3Guard DDB overreacts to no tag access
[ https://issues.apache.org/jira/browse/HADOOP-16653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16960914#comment-16960914 ] Hudson commented on HADOOP-16653: - SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #17577 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/17577/]) HADOOP-16653. S3Guard DDB overreacts to no tag access (#1660). (github: rev d5e9971e6d98b50de64acbf46154f82208919930) * (edit) hadoop-tools/hadoop-aws/src/test/java/org/apache/hadoop/fs/s3a/auth/ITestAssumeRole.java * (edit) hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/s3guard/DynamoDBMetadataStoreTableManager.java * (edit) hadoop-tools/hadoop-aws/src/site/markdown/tools/hadoop-aws/s3guard.md > S3Guard DDB overreacts to no tag access > --- > > Key: HADOOP-16653 > URL: https://issues.apache.org/jira/browse/HADOOP-16653 > Project: Hadoop Common > Issue Type: Sub-task > Components: fs/s3 >Affects Versions: 3.3.0 >Reporter: Steve Loughran >Assignee: Gabor Bota >Priority: Minor > > if you don't have permissions to read or write DDB tags it logs a lot every > time you bring up a guarded FS > # we shouldn't worry so much about no tag access if version is there > # if you can't read the tag, no point trying to write -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-16653) S3Guard DDB overreacts to no tag access
[ https://issues.apache.org/jira/browse/HADOOP-16653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16960909#comment-16960909 ] Gabor Bota commented on HADOOP-16653: - +1 on PR#1660 from [~ste...@apache.org]. Committing. > S3Guard DDB overreacts to no tag access > --- > > Key: HADOOP-16653 > URL: https://issues.apache.org/jira/browse/HADOOP-16653 > Project: Hadoop Common > Issue Type: Sub-task > Components: fs/s3 >Affects Versions: 3.3.0 >Reporter: Steve Loughran >Assignee: Gabor Bota >Priority: Minor > > if you don't have permissions to read or write DDB tags it logs a lot every > time you bring up a guarded FS > # we shouldn't worry so much about no tag access if version is there > # if you can't read the tag, no point trying to write -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-16653) S3Guard DDB overreacts to no tag access
[ https://issues.apache.org/jira/browse/HADOOP-16653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16951043#comment-16951043 ] Gabor Bota commented on HADOOP-16653: - It was cleary in the docs, so I'll update that as well: {{s3guard.md}}: {noformat} *Note*: If the user does not have sufficient rights to tag the table, but it can read the tags the initialization of S3Guard will not fail, but there will be no version marker tag on the dynamo table and the following message will be logged on WARN level: ``` Exception during tagging table: {AmazonDynamoDBException exception message} ``` {noformat} > S3Guard DDB overreacts to no tag access > --- > > Key: HADOOP-16653 > URL: https://issues.apache.org/jira/browse/HADOOP-16653 > Project: Hadoop Common > Issue Type: Sub-task > Components: fs/s3 >Affects Versions: 3.3.0 >Reporter: Steve Loughran >Assignee: Gabor Bota >Priority: Minor > > if you don't have permissions to read or write DDB tags it logs a lot every > time you bring up a guarded FS > # we shouldn't worry so much about no tag access if version is there > # if you can't read the tag, no point trying to write -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-16653) S3Guard DDB overreacts to no tag access
[ https://issues.apache.org/jira/browse/HADOOP-16653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16950899#comment-16950899 ] Steve Loughran commented on HADOOP-16653: - Certainly on read access denied, I'd like to see : silence and no attempt to update. What about the sequence: read tag, tag, notfound, attempt write? Let's make that an info not a warning. Warnings create support calls > S3Guard DDB overreacts to no tag access > --- > > Key: HADOOP-16653 > URL: https://issues.apache.org/jira/browse/HADOOP-16653 > Project: Hadoop Common > Issue Type: Sub-task > Components: fs/s3 >Affects Versions: 3.3.0 >Reporter: Steve Loughran >Assignee: Gabor Bota >Priority: Minor > > if you don't have permissions to read or write DDB tags it logs a lot every > time you bring up a guarded FS > # we shouldn't worry so much about no tag access if version is there > # if you can't read the tag, no point trying to write -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-16653) S3Guard DDB overreacts to no tag access
[ https://issues.apache.org/jira/browse/HADOOP-16653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16950897#comment-16950897 ] Steve Loughran commented on HADOOP-16653: - Log {code} 2019-10-14 11:22:44,587 [JUnit-testRestrictDDBTagAccess] WARN s3guard.DynamoDBMetadataStoreTableManager (DynamoDBMetadataStoreTableManager.java:getVersionMarkerFromTags(255)) - Exception while getting tags from the dynamo table: User: arn:aws:sts::980678866538:assumed-role/stevel-s3guard/test is not authorized to perform: dynamodb:ListTagsOfResource on resource: arn:aws:dynamodb:eu-west-1:980678866538:table/hwdev-steve-ireland-new (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException; Request ID: P9V270FPO034B5E55QLRCJK8UVVV4KQNSO5AEMVJF66Q9ASUAAJG) 2019-10-14 11:22:44,587 [JUnit-testRestrictDDBTagAccess] INFO s3guard.DynamoDBMetadataStoreTableManager (DynamoDBMetadataStoreTableManager.java:verifyVersionCompatibility(417)) - Table hwdev-steve-ireland-new contains no version marker TAG but contains compatible version marker ITEM. Restoring the version marker item from item. 2019-10-14 11:22:44,622 [JUnit-testRestrictDDBTagAccess] WARN s3guard.DynamoDBMetadataStoreTableManager (DynamoDBMetadataStoreTableManager.java:tagTableWithVersionMarker(238)) - Exception during tagging table: User: arn:aws:sts::980678866538:assumed-role/stevel-s3guard/test is not authorized to perform: dynamodb:TagResource on resource: arn:aws:dynamodb:eu-west-1:980678866538:table/hwdev-steve-ireland-new (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException; Request ID: {code} > S3Guard DDB overreacts to no tag access > --- > > Key: HADOOP-16653 > URL: https://issues.apache.org/jira/browse/HADOOP-16653 > Project: Hadoop Common > Issue Type: Sub-task > Components: fs/s3 >Affects Versions: 3.3.0 >Reporter: Steve Loughran >Assignee: Gabor Bota >Priority: Minor > > if you don't have permissions to read or write DDB tags it logs a lot every > time you bring up a guarded FS > # we shouldn't worry so much about no tag access if version is there > # if you can't read the tag, no point trying to write -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org