
HADOOP-17817. Throw an exception if S3 client-side encryption is enabled on S3Guard enabled bucket #3239


Merged
merged 2 commits into from
Jul 28, 2021


mehakmeet
Contributor

Region: ap-south-1.
All tests initializing S3AFS failed.

Follow up of #2706.

@mehakmeet
Contributor Author

CC: @steveloughran

Contributor

@steveloughran steveloughran left a comment


core design good, nice to include the docs. Proposed making the error an IOE and including the URI and changing the text

@@ -539,6 +539,9 @@ public void initialize(URI name, Configuration originalConf)
if (hasMetadataStore()) {
LOG.debug("Using metadata store {}, authoritative store={}, authoritative path={}",
getMetadataStore(), allowAuthoritativeMetadataStore, allowAuthoritativePaths);
if (isCSEEnabled) {
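
Review bot: the `if (isCSEEnabled)` check sits inside the `if (hasMetadataStore())` branch, after the debug log, so it can only fail once a metadata store is already attached to this filesystem instance. If the branch throws, initialize() exits with that store still held unless something on the failure path closes it; either run the incompatibility check before the store is set up or confirm the store is closed when initialize() fails. The visible lines also add no test for the new branch, so a case that initializes with both features on and asserts the failure would be worth adding.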

Initialize is allowed to throw an IOE; our code tends to expect it.

Can you throw a PathIOE(uri, "S3-CSE cannot be used with S3Guard")

i.e. give bucket and problem, but don't propose a solution... leave that to the docs as disabling s3guard is probably the better one, depending on what the user wants

@apache apache deleted a comment from hadoop-yetus Jul 28, 2021
Contributor

@steveloughran steveloughran left a comment


+1, pending Yetus being happy. thanks

@hadoop-yetus

💔 -1 overall

| Vote | Subsystem | Runtime | Logfile | Comment |
|------|-----------|---------|---------|---------|
| +0 🆗 | reexec | 0m 53s | | Docker mode activated. |
| | | | | _ Prechecks _ |
| +1 💚 | dupname | 0m 0s | | No case conflicting files found. |
| +0 🆗 | codespell | 0m 0s | | codespell was not available. |
| +0 🆗 | markdownlint | 0m 0s | | markdownlint was not available. |
| +1 💚 | @author | 0m 0s | | The patch does not contain any @author tags. |
| -1 ❌ | test4tests | 0m 0s | | The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. |
| | | | | _ trunk Compile Tests _ |
| +1 💚 | mvninstall | 33m 45s | | trunk passed |
| +1 💚 | compile | 0m 52s | | trunk passed with JDK Ubuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04 |
| +1 💚 | compile | 0m 40s | | trunk passed with JDK Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10 |
| +1 💚 | checkstyle | 0m 31s | | trunk passed |
| +1 💚 | mvnsite | 0m 48s | | trunk passed |
| +1 💚 | javadoc | 0m 25s | | trunk passed with JDK Ubuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04 |
| +1 💚 | javadoc | 0m 35s | | trunk passed with JDK Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10 |
| +1 💚 | spotbugs | 1m 18s | | trunk passed |
| +1 💚 | shadedclient | 15m 40s | | branch has no errors when building and testing our client artifacts. |
| | | | | _ Patch Compile Tests _ |
| +1 💚 | mvninstall | 0m 39s | | the patch passed |
| +1 💚 | compile | 0m 44s | | the patch passed with JDK Ubuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04 |
| +1 💚 | javac | 0m 44s | | the patch passed |
| +1 💚 | compile | 0m 34s | | the patch passed with JDK Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10 |
| +1 💚 | javac | 0m 34s | | the patch passed |
| +1 💚 | blanks | 0m 0s | | The patch has no blanks issues. |
| +1 💚 | checkstyle | 0m 21s | | the patch passed |
| +1 💚 | mvnsite | 0m 38s | | the patch passed |
| +1 💚 | javadoc | 0m 16s | | the patch passed with JDK Ubuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04 |
| +1 💚 | javadoc | 0m 26s | | the patch passed with JDK Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10 |
| +1 💚 | spotbugs | 1m 23s | | the patch passed |
| +1 💚 | shadedclient | 17m 24s | | patch has no errors when building and testing our client artifacts. |
| | | | | _ Other Tests _ |
| +1 💚 | unit | 2m 16s | | hadoop-aws in the patch passed. |
| +1 💚 | asflicense | 0m 34s | | The patch does not generate ASF License warnings. |
| | | 81m 27s | | |

| Subsystem | Report/Notes |
|-----------|--------------|
| Docker | ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-3239/2/artifact/out/Dockerfile |
| GITHUB PR | #3239 |
| Optional Tests | dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient spotbugs checkstyle codespell markdownlint |
| uname | Linux 9072a5b349ac 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | dev-support/bin/hadoop.sh |
| git revision | trunk / 40f1a6a |
| Default Java | Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10 |
| Multi-JDK versions | /usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10 |
| Test Results | https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-3239/2/testReport/ |
| Max. process+thread count | 749 (vs. ulimit of 5500) |
| modules | C: hadoop-tools/hadoop-aws U: hadoop-tools/hadoop-aws |
| Console output | https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-3239/2/console |
| versions | git=2.25.1 maven=3.6.3 spotbugs=4.2.2 |
| Powered by | Apache Yetus 0.14.0-SNAPSHOT https://yetus.apache.org |

This message was automatically generated.

@steveloughran steveloughran merged commit b19dae8 into apache:trunk Jul 28, 2021
@mehakmeet
Contributor Author

mehakmeet commented Jul 28, 2021

Seems like I've broken tests for S3-CSE ON because a lot of S3Guard tests don't require your bucket to be s3guard enabled, and force the metastore to be dynamoDB. My lapse on testing for S3-CSE ON and S3-Guard OFF. I think we should've skipped the S3Guard tests for S3-CSE anyways, so I'll skip all of them in a follow-up PR. The failure is valid, but still, we should skip, what do you think, @steveloughran?

@steveloughran
Contributor

hmm. Yes, that'll be an interesting problem.

Either test setup() checks for CSE on and skips the s3guard-enabled tests, or we catch the raised PathIOE and convert that to the skip call. That strategy might work well everywhere, including all contract tests.

Also: did you forget to run the tests? or is it just your test setup isn't S3-CSE? This is where we need broader test configuration coverage, don't we?
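
The two skip strategies from the comment above, as an added example that is not code from this pull request or from Hadoop. Every class, method and the `cse`/`s3guard` keys are hypothetical JDK-only stand-ins; only the error text comes from the review. It shows why the catch must be narrow: the incompatibility becomes a skip, while any other initialization failure still fails the test.

```java
import java.io.IOException;
import java.net.URI;
import java.util.HashMap;
import java.util.Map;
// Added illustration: all names and config keys below are hypothetical stand-ins.
public class CseS3GuardSkipDemo {
  // Stand-in for the path-bearing IOException requested in the review.
  static class IncompatibleConfigException extends IOException {
    IncompatibleConfigException(String msg) { super(msg); }
  }
  // Stand-in for a test framework's assumption failure, which is reported as a skip.
  static class SkippedException extends RuntimeException {
    SkippedException(String why) { super(why); }
  }
  static boolean on(Map<String, String> conf, String key) {
    return Boolean.parseBoolean(conf.getOrDefault(key, "false"));
  }
  // Fail fast at initialization: name the bucket and the problem, propose no fix.
  static void initialize(URI uri, Map<String, String> conf) throws IOException {
    if (uri.getHost() == null) throw new IOException("no bucket in " + uri);
    if (on(conf, "s3guard") && on(conf, "cse")) {
      throw new IncompatibleConfigException(uri + ": S3-CSE cannot be used with S3Guard");
    }
  }
  // Models an S3Guard test forcing the metadata store on, whatever the bucket setup.
  static Map<String, String> forceS3Guard(Map<String, String> conf) {
    Map<String, String> copy = new HashMap<>(conf);
    copy.put("s3guard", "true");
    return copy;
  }
  // Strategy 1: setup() inspects the configuration and skips before initializing.
  static void setupByConfigCheck(URI uri, Map<String, String> conf) throws IOException {
    if (on(conf, "cse")) throw new SkippedException("S3-CSE is on; S3Guard test skipped");
    initialize(uri, forceS3Guard(conf));
  }
  // Strategy 2: initialize anyway and convert only the incompatibility into a skip.
  static void setupByCatch(URI uri, Map<String, String> conf) throws IOException {
    try {
      initialize(uri, forceS3Guard(conf));
    } catch (IncompatibleConfigException e) { // other IOExceptions still fail the test
      throw new SkippedException(e.getMessage());
    }
  }
  public static void main(String[] args) {
    for (String u : new String[] {"s3a://example-bucket/", "s3a:///"}) { // constructed
      try {
        setupByCatch(URI.create(u), Map.of("cse", "true"));
        System.out.println(u + " -> run");
      } catch (SkippedException | IOException e) {
        System.out.println(u + " -> " + e.getClass().getSimpleName() + ": " + e.getMessage());
      }
    }
  }
}
```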

@mehakmeet
Contributor Author

I ran the tests in S3-CSE ON S3Guard ON, S3-CSE OFF S3-Guard ON, and S3-CSE OFF S3-Guard OFF. More of a mistake that I thought I had run the S3-CSE ON and S3-Guard OFF test suite.
That's true, don't think anyone would see these failures since you have to set up the CSE configs to cover this type of testing.
What about the case where we have both S3Guard ON and S3 CSE ON btw? Then all tests would fail, should all be skipped then as well?

mehakmeet added a commit to mehakmeet/hadoop that referenced this pull request Oct 1, 2021
…d enabled (apache#3239)

S3A S3Guard tests to skip if S3-CSE are enabled (apache#3263)

    Follow on to
    * HADOOP-13887. Encrypt S3A data client-side with AWS SDK (S3-CSE)

    If the S3A bucket is set up to use S3-CSE encryption, all tests which turn
    on S3Guard are skipped, so they don't raise any exceptions about
    incompatible configurations.

Contributed by Mehakmeet Singh
asfgit pushed a commit that referenced this pull request Oct 5, 2021
…d enabled (#3239)

S3A S3Guard tests to skip if S3-CSE are enabled (#3263)

    Follow on to
    * HADOOP-13887. Encrypt S3A data client-side with AWS SDK (S3-CSE)

    If the S3A bucket is set up to use S3-CSE encryption, all tests which turn
    on S3Guard are skipped, so they don't raise any exceptions about
    incompatible configurations.

Contributed by Mehakmeet Singh

Change-Id: I9f4188109b56a1f4e5a31fae265d980c5795db1e
kiran-maturi pushed a commit to kiran-maturi/hadoop that referenced this pull request Nov 24, 2021