HADOOP-16478. S3Guard bucket-info fails if the caller lacks s3:GetBucketLocation #1619

Closed

steveloughran
Contributor

-Catch and downgrade to info
-add to javadocs
-review all other uses
-test in ITestAssumeRole; needs to open up a bit more of the tool for this.


Tested S3 Ireland. Initially tested without the downgrade, to verify the test created the failure mode.

It did:

[ERROR] testBucketLocationForbidden(org.apache.hadoop.fs.s3a.auth.ITestAssumeRole)  Time elapsed: 3.957 s  <<< ERROR!
java.nio.file.AccessDeniedException: hwdev-steve-ireland-new: getBucketLocation() on hwdev-steve-ireland-new: com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied;
	at org.apache.hadoop.fs.s3a.auth.ITestAssumeRole.testBucketLocationForbidden(ITestAssumeRole.java:754)
Caused by: com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; 
	at org.apache.hadoop.fs.s3a.auth.ITestAssumeRole.testBucketLocationForbidden(ITestAssumeRole.java:754)

With the handler in the bucket info tool, the test worked.

@steveloughran steveloughran requested a review from bgaborg October 8, 2019 16:16
@steveloughran
Contributor Author

javadoc failure

[WARNING] /home/jenkins/jenkins-slave/workspace/hadoop-multibranch_PR-1619/src/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/s3guard/S3GuardTool.java:445: warning - Tag @link: reference not found: ExitUtil.ExitException

@steveloughran steveloughran force-pushed the s3/HADOOP-16478-bucket-info branch from 5941c1b to 23d82fd Compare October 11, 2019 14:41
@apache apache deleted a comment from hadoop-yetus Oct 11, 2019
@steveloughran
Contributor Author

Also just ran the CLI against a public bucket which blocks this operation:

Filesystem s3a://tpcds10g
2019-10-11 17:24:14,361 [main] DEBUG s3a.Invoker (DurationInfo.java:<init>(74)) - Starting: getBucketLocation()
2019-10-11 17:24:14,472 [main] DEBUG s3a.Invoker (DurationInfo.java:close(89)) - getBucketLocation(): duration 0:00.110s
2019-10-11 17:24:14,473 [main] DEBUG s3guard.S3GuardTool (S3GuardTool.java:run(1232)) - failed to get bucket location
java.nio.file.AccessDeniedException: tpcds10g: getBucketLocation() on tpcds10g: com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: CE32462FD451F00D; S3 Extended Request ID: /pM+yWUtyByovVFTzOHPDDEQhzQAuF9zVrimxhbzaX6b8iYv6pgGO9cNbhL30eZ9wOTBcGpyvIY=), S3 Extended Request ID: /pM+yWUtyByovVFTzOHPDDEQhzQAuF9zVrimxhbzaX6b8iYv6pgGO9cNbhL30eZ9wOTBcGpyvIY=:AccessDenied
	at org.apache.hadoop.fs.s3a.S3AUtils.translateException(S3AUtils.java:244)
	at org.apache.hadoop.fs.s3a.Invoker.once(Invoker.java:112)
	at org.apache.hadoop.fs.s3a.Invoker.lambda$retry$4(Invoker.java:315)
	at org.apache.hadoop.fs.s3a.Invoker.retryUntranslated(Invoker.java:407)
	at org.apache.hadoop.fs.s3a.Invoker.retry(Invoker.java:311)
	at org.apache.hadoop.fs.s3a.Invoker.retry(Invoker.java:286)
	at org.apache.hadoop.fs.s3a.S3AFileSystem.getBucketLocation(S3AFileSystem.java:741)
	at org.apache.hadoop.fs.s3a.S3AFileSystem.getBucketLocation(S3AFileSystem.java:724)
	at org.apache.hadoop.fs.s3a.s3guard.S3GuardTool$BucketInfo.run(S3GuardTool.java:1227)
	at org.apache.hadoop.fs.s3a.s3guard.S3GuardTool.run(S3GuardTool.java:429)
	at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:76)
	at org.apache.hadoop.fs.s3a.s3guard.S3GuardTool.run(S3GuardTool.java:1816)
	at org.apache.hadoop.fs.s3a.s3guard.S3GuardTool.main(S3GuardTool.java:1825)
Caused by: com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: CE32462FD451F00D; S3 Extended Request ID: /pM+yWUtyByovVFTzOHPDDEQhzQAuF9zVrimxhbzaX6b8iYv6pgGO9cNbhL30eZ9wOTBcGpyvIY=), S3 Extended Request ID: /pM+yWUtyByovVFTzOHPDDEQhzQAuF9zVrimxhbzaX6b8iYv6pgGO9cNbhL30eZ9wOTBcGpyvIY=
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1712)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1367)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1113)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:770)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:744)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:726)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:686)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:668)
	at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:532)
	at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:512)
	at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:4920)
	at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:4866)
	at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:4860)
	at com.amazonaws.services.s3.AmazonS3Client.getBucketLocation(AmazonS3Client.java:999)
	at com.amazonaws.services.s3.AmazonS3Client.getBucketLocation(AmazonS3Client.java:1005)
	at org.apache.hadoop.fs.s3a.S3AFileSystem.lambda$getBucketLocation$3(S3AFileSystem.java:742)
	at org.apache.hadoop.fs.s3a.Invoker.once(Invoker.java:110)
	... 11 more
Location unknown -caller lacks s3:GetBucketLocation permission
Filesystem s3a://tpcds10g is not using S3Guard
The "magic" committer is supported

S3A Client
	Signing Algorithm: fs.s3a.signing-algorithm=(unset)
	Endpoint: fs.s3a.endpoint=(unset)
	Encryption: fs.s3a.server-side-encryption-algorithm=none
	Input seek policy: fs.s3a.experimental.input.fadvise=normal
	Change Detection Source: fs.s3a.change.detection.source=etag
	Change Detection Mode: fs.s3a.change.detection.mode=server
Delegation token support is disabled

@steveloughran
Contributor Author

(Note: that stack is at debug; the users just see the "location unknown" message.)
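
The catch-and-downgrade behaviour discussed in this thread, as an added example that is not code from the pull request or from Hadoop: only an access-denied failure on the optional location lookup is turned into a report line, and other I/O failures still propagate. `BucketInfoSketch`, `BucketProbe`, `describeLocation`, the `"Location: "` label and the sample bucket and region values are assumptions made for the illustration.

```java
import java.io.IOException;
import java.nio.file.AccessDeniedException;

public class BucketInfoSketch {

  /** Hypothetical stand-in for the store client; not the S3A API. */
  interface BucketProbe {
    String getBucketLocation() throws IOException;
  }

  // Message text taken from the CLI output quoted in the thread.
  static final String LOCATION_UNKNOWN =
      "Location unknown -caller lacks s3:GetBucketLocation permission";

  /**
   * Location line of a diagnostics report. Only an access-denied failure
   * is downgraded; every other IOException still fails the command.
   */
  static String describeLocation(BucketProbe probe) throws IOException {
    try {
      // "Location: " is a constructed label, not the tool's real output format.
      return "Location: " + probe.getBucketLocation();
    } catch (AccessDeniedException e) {
      // Detail goes to a debug channel (stderr stands in for a debug logger);
      // the user-facing report carries only the short explanation.
      System.err.println("DEBUG failed to get bucket location: " + e);
      return LOCATION_UNKNOWN;
    }
  }

  public static void main(String[] args) throws IOException {
    // Constructed probes: permitted, denied by IAM policy, unrelated failure.
    BucketProbe allowed = () -> "eu-west-1";
    BucketProbe denied = () -> {
      throw new AccessDeniedException("example-bucket", null,
          "getBucketLocation(): AccessDenied");
    };
    BucketProbe broken = () -> { throw new IOException("connection reset"); };

    System.out.println(describeLocation(allowed));
    System.out.println(describeLocation(denied));
    try {
      describeLocation(broken);
    } catch (IOException e) {
      System.out.println("Not downgraded: " + e.getMessage());
    }
  }
}
```

Keeping the catch clause this narrow lets a least-privilege role without `s3:GetBucketLocation` run the diagnostics, while connectivity or credential failures are not hidden behind the same message.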

@steveloughran
Contributor Author

@sidseth @bgaborg can you look at this? It fixes two real issues.

…ketLocation

-Catch and downgrade to info
-add to javadocs
-review all other uses
-test in ITestAssumeRole; needs to open up a bit more of the tool for this.

Change-Id: I0e22ad8bcda23908dce91091fac1db1bf06573d7
Change-Id: Ifc0dca76e51495ed1a8fc0f077b86bf125deff40
Change-Id: I382a8816b6309a78b1def2d0a993ca7e206efd27
-review amazon Region.fromValue code and mirror it
-add test for null handling (which comes from the Region code)

Change-Id: Ibf4e72454ad8413b9b7ce4c57ffb6cc23886fe3f
@steveloughran steveloughran force-pushed the s3/HADOOP-16478-bucket-info branch from 5e8d5c9 to b1eb28d Compare October 15, 2019 14:34
@apache apache deleted a comment from hadoop-yetus Oct 15, 2019
@apache apache deleted a comment from hadoop-yetus Oct 15, 2019
@steveloughran
Contributor Author

Reviewed myself; minor tuning.

tested: s3 ireland w/ s3guard

@hadoop-yetus

🎊 +1 overall

| Vote | Subsystem | Runtime | Comment |
|------|-----------|---------|---------|
| 0 | reexec | 2134 | Docker mode activated. |
| | | | _ Prechecks _ |
| +1 | dupname | 0 | No case conflicting files found. |
| +1 | @author | 0 | The patch does not contain any @author tags. |
| +1 | test4tests | 0 | The patch appears to include 3 new or modified test files. |
| | | | _ trunk Compile Tests _ |
| +1 | mvninstall | 1080 | trunk passed |
| +1 | compile | 36 | trunk passed |
| +1 | checkstyle | 28 | trunk passed |
| +1 | mvnsite | 41 | trunk passed |
| +1 | shadedclient | 794 | branch has no errors when building and testing our client artifacts. |
| +1 | javadoc | 29 | trunk passed |
| 0 | spotbugs | 60 | Used deprecated FindBugs config; considering switching to SpotBugs. |
| +1 | findbugs | 57 | trunk passed |
| | | | _ Patch Compile Tests _ |
| +1 | mvninstall | 34 | the patch passed |
| +1 | compile | 28 | the patch passed |
| +1 | javac | 28 | the patch passed |
| +1 | checkstyle | 21 | the patch passed |
| +1 | mvnsite | 33 | the patch passed |
| +1 | whitespace | 0 | The patch has no whitespace issues. |
| +1 | shadedclient | 787 | patch has no errors when building and testing our client artifacts. |
| +1 | javadoc | 27 | hadoop-tools_hadoop-aws generated 0 new + 4 unchanged - 1 fixed = 4 total (was 5) |
| +1 | findbugs | 62 | the patch passed |
| | | | _ Other Tests _ |
| +1 | unit | 89 | hadoop-aws in the patch passed. |
| +1 | asflicense | 34 | The patch does not generate ASF License warnings. |
| | | 5407 | |

| Subsystem | Report/Notes |
|-----------|--------------|
| Docker | Client=19.03.2 Server=19.03.2 base: https://builds.apache.org/job/hadoop-multibranch/job/PR-1619/4/artifact/out/Dockerfile |
| GITHUB PR | #1619 |
| Optional Tests | dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle |
| uname | Linux ff3661cb80c0 4.15.0-65-generic #74-Ubuntu SMP Tue Sep 17 17:06:04 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | personality/hadoop.sh |
| git revision | trunk / 336abbd |
| Default Java | 1.8.0_222 |
| Test Results | https://builds.apache.org/job/hadoop-multibranch/job/PR-1619/4/testReport/ |
| Max. process+thread count | 433 (vs. ulimit of 5500) |
| modules | C: hadoop-tools/hadoop-aws U: hadoop-tools/hadoop-aws |
| Console output | https://builds.apache.org/job/hadoop-multibranch/job/PR-1619/4/console |
| versions | git=2.7.4 maven=3.3.9 findbugs=3.1.0-RC1 |
| Powered by | Apache Yetus 0.10.0 http://yetus.apache.org |

This message was automatically generated.

Contributor

@sidseth sidseth left a comment

+1. LGTM

@steveloughran
Copy link
Contributor Author

thanks!

@steveloughran steveloughran deleted the s3/HADOOP-16478-bucket-info branch October 15, 2021 19:42