Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

HADOOP-16626. S3A ITestRestrictedReadAccess fails #1587

Conversation

steveloughran
Copy link
Contributor

Fix up test setup for the restricted access.
-Force load the filesystems early on
-And only add the contract resource if needed.
-Only run the guarded tests if S3Guard is on according to the build.

I had a predecessor which always used the Local store, but it was
hard to set up -you need to share across FS instances-, and you could
never guarantee that it worked the same way with DDB. That patching is
still there -it's just not needed/used for the DDB test runs

Change-Id: I79644ac264f74005775ff194d48f08fe951df0f1

@steveloughran steveloughran requested a review from sidseth October 3, 2019 20:16
@steveloughran steveloughran force-pushed the s3/HADOOP-16626-ITestRestrictedReadAccess branch from aeb7768 to 3e4ae00 Compare October 3, 2019 20:19
@steveloughran
Copy link
Contributor Author

Testing s3a ireland
-a full run of everything (kicking off another) with s3guard and ddb
-this test suite with s3guard off, on and local. Verifying that without s3guard, the guarded versions of the tests are not executed

@steveloughran steveloughran force-pushed the s3/HADOOP-16626-ITestRestrictedReadAccess branch from 3e4ae00 to 9b479aa Compare October 3, 2019 20:22
@hadoop-yetus
Copy link

🎊 +1 overall

Vote Subsystem Runtime Comment
0 reexec 37 Docker mode activated.
_ Prechecks _
+1 dupname 0 No case conflicting files found.
+1 @author 0 The patch does not contain any @author tags.
+1 test4tests 0 The patch appears to include 4 new or modified test files.
_ trunk Compile Tests _
+1 mvninstall 1239 trunk passed
+1 compile 31 trunk passed
+1 checkstyle 24 trunk passed
+1 mvnsite 37 trunk passed
+1 shadedclient 887 branch has no errors when building and testing our client artifacts.
+1 javadoc 25 trunk passed
0 spotbugs 61 Used deprecated FindBugs config; considering switching to SpotBugs.
+1 findbugs 60 trunk passed
_ Patch Compile Tests _
+1 mvninstall 32 the patch passed
+1 compile 28 the patch passed
+1 javac 28 the patch passed
-0 checkstyle 21 hadoop-tools/hadoop-aws: The patch generated 4 new + 7 unchanged - 0 fixed = 11 total (was 7)
+1 mvnsite 33 the patch passed
+1 whitespace 0 The patch has no whitespace issues.
+1 shadedclient 870 patch has no errors when building and testing our client artifacts.
+1 javadoc 23 the patch passed
+1 findbugs 62 the patch passed
_ Other Tests _
+1 unit 84 hadoop-aws in the patch passed.
+1 asflicense 29 The patch does not generate ASF License warnings.
3623
Subsystem Report/Notes
Docker Client=19.03.1 Server=19.03.1 base: https://builds.apache.org/job/hadoop-multibranch/job/PR-1587/1/artifact/out/Dockerfile
GITHUB PR #1587
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle
uname Linux 2224c2edde8d 4.15.0-60-generic #67-Ubuntu SMP Thu Aug 22 16:55:30 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality personality/hadoop.sh
git revision trunk / 51eaeca
Default Java 1.8.0_222
checkstyle https://builds.apache.org/job/hadoop-multibranch/job/PR-1587/1/artifact/out/diff-checkstyle-hadoop-tools_hadoop-aws.txt
Test Results https://builds.apache.org/job/hadoop-multibranch/job/PR-1587/1/testReport/
Max. process+thread count 306 (vs. ulimit of 5500)
modules C: hadoop-tools/hadoop-aws U: hadoop-tools/hadoop-aws
Console output https://builds.apache.org/job/hadoop-multibranch/job/PR-1587/1/console
versions git=2.7.4 maven=3.3.9 findbugs=3.1.0-RC1
Powered by Apache Yetus 0.10.0 http://yetus.apache.org

This message was automatically generated.

@hadoop-yetus
Copy link

🎊 +1 overall

Vote Subsystem Runtime Comment
0 reexec 37 Docker mode activated.
_ Prechecks _
+1 dupname 0 No case conflicting files found.
+1 @author 0 The patch does not contain any @author tags.
+1 test4tests 0 The patch appears to include 4 new or modified test files.
_ trunk Compile Tests _
+1 mvninstall 1085 trunk passed
+1 compile 36 trunk passed
+1 checkstyle 26 trunk passed
+1 mvnsite 42 trunk passed
+1 shadedclient 869 branch has no errors when building and testing our client artifacts.
+1 javadoc 29 trunk passed
0 spotbugs 61 Used deprecated FindBugs config; considering switching to SpotBugs.
+1 findbugs 59 trunk passed
_ Patch Compile Tests _
+1 mvninstall 33 the patch passed
+1 compile 28 the patch passed
+1 javac 28 the patch passed
-0 checkstyle 20 hadoop-tools/hadoop-aws: The patch generated 1 new + 7 unchanged - 0 fixed = 8 total (was 7)
+1 mvnsite 33 the patch passed
+1 whitespace 0 The patch has no whitespace issues.
+1 shadedclient 778 patch has no errors when building and testing our client artifacts.
+1 javadoc 26 the patch passed
+1 findbugs 62 the patch passed
_ Other Tests _
+1 unit 84 hadoop-aws in the patch passed.
+1 asflicense 34 The patch does not generate ASF License warnings.
3384
Subsystem Report/Notes
Docker Client=19.03.1 Server=19.03.1 base: https://builds.apache.org/job/hadoop-multibranch/job/PR-1587/3/artifact/out/Dockerfile
GITHUB PR #1587
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle
uname Linux b6e136f4d19e 4.15.0-60-generic #67-Ubuntu SMP Thu Aug 22 16:55:30 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality personality/hadoop.sh
git revision trunk / 51eaeca
Default Java 1.8.0_222
checkstyle https://builds.apache.org/job/hadoop-multibranch/job/PR-1587/3/artifact/out/diff-checkstyle-hadoop-tools_hadoop-aws.txt
Test Results https://builds.apache.org/job/hadoop-multibranch/job/PR-1587/3/testReport/
Max. process+thread count 401 (vs. ulimit of 5500)
modules C: hadoop-tools/hadoop-aws U: hadoop-tools/hadoop-aws
Console output https://builds.apache.org/job/hadoop-multibranch/job/PR-1587/3/console
versions git=2.7.4 maven=3.3.9 findbugs=3.1.0-RC1
Powered by Apache Yetus 0.10.0 http://yetus.apache.org

This message was automatically generated.

@hadoop-yetus
Copy link

🎊 +1 overall

Vote Subsystem Runtime Comment
0 reexec 77 Docker mode activated.
_ Prechecks _
+1 dupname 1 No case conflicting files found.
+1 @author 0 The patch does not contain any @author tags.
+1 test4tests 0 The patch appears to include 4 new or modified test files.
_ trunk Compile Tests _
+1 mvninstall 1287 trunk passed
+1 compile 33 trunk passed
+1 checkstyle 24 trunk passed
+1 mvnsite 38 trunk passed
+1 shadedclient 851 branch has no errors when building and testing our client artifacts.
+1 javadoc 25 trunk passed
0 spotbugs 59 Used deprecated FindBugs config; considering switching to SpotBugs.
+1 findbugs 58 trunk passed
_ Patch Compile Tests _
+1 mvninstall 34 the patch passed
+1 compile 27 the patch passed
+1 javac 27 the patch passed
-0 checkstyle 19 hadoop-tools/hadoop-aws: The patch generated 1 new + 7 unchanged - 0 fixed = 8 total (was 7)
+1 mvnsite 32 the patch passed
+1 whitespace 0 The patch has no whitespace issues.
+1 shadedclient 867 patch has no errors when building and testing our client artifacts.
+1 javadoc 22 the patch passed
+1 findbugs 61 the patch passed
_ Other Tests _
+1 unit 67 hadoop-aws in the patch passed.
+1 asflicense 29 The patch does not generate ASF License warnings.
3645
Subsystem Report/Notes
Docker Client=19.03.2 Server=19.03.2 base: https://builds.apache.org/job/hadoop-multibranch/job/PR-1587/2/artifact/out/Dockerfile
GITHUB PR #1587
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle
uname Linux 1e837cfaecd3 4.15.0-60-generic #67-Ubuntu SMP Thu Aug 22 16:55:30 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality personality/hadoop.sh
git revision trunk / 51eaeca
Default Java 1.8.0_222
checkstyle https://builds.apache.org/job/hadoop-multibranch/job/PR-1587/2/artifact/out/diff-checkstyle-hadoop-tools_hadoop-aws.txt
Test Results https://builds.apache.org/job/hadoop-multibranch/job/PR-1587/2/testReport/
Max. process+thread count 356 (vs. ulimit of 5500)
modules C: hadoop-tools/hadoop-aws U: hadoop-tools/hadoop-aws
Console output https://builds.apache.org/job/hadoop-multibranch/job/PR-1587/2/console
versions git=2.7.4 maven=3.3.9 findbugs=3.1.0-RC1
Powered by Apache Yetus 0.10.0 http://yetus.apache.org

This message was automatically generated.

@sidseth
Copy link
Contributor

sidseth commented Oct 4, 2019

Looks good to me mostly, without fully understanding the problem which caused this (the resource loading bit unsetting configs, but what was being unset).

  1. Cannot comment on the changes in S3AContract from a design POV - don't really know exactly what this intends to. If you think this fits with the design requirements - great.
  2. Tests still fail with -Ds3guard (They pass with -Ds3guard -Dauth -Ddynamo)
[ERROR] testNoReadAccess[auth](org.apache.hadoop.fs.s3a.auth.ITestRestrictedReadAccess)  Time elapsed: 1.363 s  <<< ERROR!
java.nio.file.AccessDeniedException: test/testNoReadAccess-auth/noReadDir/emptyDir/: getFileStatus on test/testNoReadAccess-auth/noReadDir/emptyDir/: com.amazonaws.services.s3.model.AmazonS3Exception: Forbidden (Service: Amazon S3; Status Code: 403; Error Code: 403 Forbidden; Req
uest ID: A2C756FA3DFE842A; S3 Extended Request ID: 0uDlBPTbAhnsw672prqrbd2qpyjIK7zKd6nZ0OGA1A8GX0xSs2DGemc1P4j737YGITJChOUi7HI=), S3 Extended Request ID: 0uDlBPTbAhnsw672prqrbd2qpyjIK7zKd6nZ0OGA1A8GX0xSs2DGemc1P4j737YGITJChOUi7HI=:403 Forbidden
        at org.apache.hadoop.fs.s3a.S3AUtils.translateException(S3AUtils.java:244)
        at org.apache.hadoop.fs.s3a.S3AFileSystem.s3GetFileStatus(S3AFileSystem.java:2777)
        at org.apache.hadoop.fs.s3a.S3AFileSystem.innerGetFileStatus(S3AFileSystem.java:2705)
        at org.apache.hadoop.fs.s3a.S3AFileSystem.getFileStatus(S3AFileSystem.java:2589)
        at org.apache.hadoop.fs.s3a.S3AFileSystem.innerListStatus(S3AFileSystem.java:2377)
        at org.apache.hadoop.fs.s3a.S3AFileSystem.lambda$listStatus$10(S3AFileSystem.java:2356)
        at org.apache.hadoop.fs.s3a.Invoker.once(Invoker.java:110)
        at org.apache.hadoop.fs.s3a.S3AFileSystem.listStatus(S3AFileSystem.java:2356)
        at org.apache.hadoop.fs.s3a.auth.ITestRestrictedReadAccess.lambda$checkBasicFileOperations$3(ITestRestrictedReadAccess.java:403)
        at org.apache.hadoop.fs.s3a.auth.ITestRestrictedReadAccess.accessDeniedIf(ITestRestrictedReadAccess.java:689)
        at org.apache.hadoop.fs.s3a.auth.ITestRestrictedReadAccess.checkBasicFileOperations(ITestRestrictedReadAccess.java:402)
        at org.apache.hadoop.fs.s3a.auth.ITestRestrictedReadAccess.testNoReadAccess(ITestRestrictedReadAccess.java:302)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
        at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
        at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
        at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
        at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
        at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
        at org.junit.rules.TestWatcher$1.evaluate(TestWatcher.java:55)
        at org.junit.internal.runners.statements.FailOnTimeout$CallableStatement.call(FailOnTimeout.java:298)
        at org.junit.internal.runners.statements.FailOnTimeout$CallableStatement.call(FailOnTimeout.java:292)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.lang.Thread.run(Thread.java:748)
Caused by: com.amazonaws.services.s3.model.AmazonS3Exception: Forbidden (Service: Amazon S3; Status Code: 403; Error Code: 403 Forbidden; Request ID: A2C756FA3DFE842A; S3 Extended Request ID: 0uDlBPTbAhnsw672prqrbd2qpyjIK7zKd6nZ0OGA1A8GX0xSs2DGemc1P4j737YGITJChOUi7HI=), S3 Extended Request ID: 0uDlBPTbAhnsw672prqrbd2qpyjIK7zKd6nZ0OGA1A8GX0xSs2DGemc1P4j737YGITJChOUi7HI=
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1712)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1367)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1113)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:770)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:744)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:726)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:686)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:668)
        at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:532)
        at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:512)
        at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:4920)
        at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:4866)
        at com.amazonaws.services.s3.AmazonS3Client.getObjectMetadata(AmazonS3Client.java:1320)
        at org.apache.hadoop.fs.s3a.S3AFileSystem.lambda$getObjectMetadata$5(S3AFileSystem.java:1682)
        at org.apache.hadoop.fs.s3a.Invoker.retryUntranslated(Invoker.java:407)
        at org.apache.hadoop.fs.s3a.Invoker.retryUntranslated(Invoker.java:370)
        at org.apache.hadoop.fs.s3a.S3AFileSystem.getObjectMetadata(S3AFileSystem.java:1675)
        at org.apache.hadoop.fs.s3a.S3AFileSystem.getObjectMetadata(S3AFileSystem.java:1651)
        at org.apache.hadoop.fs.s3a.S3AFileSystem.s3GetFileStatus(S3AFileSystem.java:2758)
        ... 25 more

[INFO]
[INFO] Results:
[INFO]
[ERROR] Errors:
[ERROR]   ITestRestrictedReadAccess.testNoReadAccess:302->checkBasicFileOperations:402->accessDeniedIf:689->lambda$checkBasicFileOperations$3:403 » AccessDenied
[ERROR]   ITestRestrictedReadAccess.testNoReadAccess:302->checkBasicFileOperations:416->accessDeniedIf:689->lambda$checkBasicFileOperations$4:417 » AccessDenied
[INFO]
[ERROR] Tests run: 3, Failures: 0, Errors: 2, Skipped: 0
[INFO]

@steveloughran
Copy link
Contributor Author

  • we are unsetting any bucket-specific choices of s3guard, so that even when people (me) have it enabled you explicitly

  • the problem I've tried to fix was the discovery that Filesyste.get() triggered the load of things like HdfsConfiguration, it's adding of hdfs-default.xml &c, which then reinstated the unset options

  • If any XML resource is added to any config created with default resources, all options from core-default, core-site which had been unset are reinstated*

Which of course is entirely unexpected.

Having a look at why things are failing for you, -Ds3guard -Dlocal had been fine for me.

I had problems with this when changing the test because you need to share the same local store instance across the real fs and the restricted one -otherwise the restricted one's cache is empty, so it falls back to s3 checks.

I may just change the test so that it requires s3guard + ddb set on the maven command line to run those guarded tests, and not worry about the local one at all. It's just complicating things too much and especially given the local store cannot be used in production

@steveloughran
Copy link
Contributor Author

oh, and it does work for me: -Dit.test=ITestRestrictedReadAccess -Ds3guard

I am going to go to only running the guarded tests if -Ds3guard -Ddynamo is set

@steveloughran
Copy link
Contributor Author

latest patch skips all the s3guard test runs if the store is local; you must be running with DDB enabled for it to work. That is runs without anything or with only -Ds3guard will only run one of the tests; the other two should be reported as skipped. To get all three -run with -dynamo

Made sure there were no DDB bindings in my auth keys files to verify that things are good

-Force load the filesystems early on
-And only add the contract resource if needed.
-Only run the guarded tests if S3Guard is on according to the build.

I had a predecessor which always used the Local store, but it was
hard to set up -you need to share across FS instances-, and you could
never guarantee that it worked the same way with DDB. That patching is
still there -it's just not needed/used for the DDB test runs

Change-Id: I79644ac264f74005775ff194d48f08fe951df0f1
This avoids trying to force all the DDB settings to be consistent
and deal with the problem that the local store isn't coherent across
FS instances.

Change-Id: I50113be53d3d34c1748e498af2075137c3e3afd3
@steveloughran steveloughran force-pushed the s3/HADOOP-16626-ITestRestrictedReadAccess branch from 208c98f to 433f0b3 Compare October 4, 2019 19:02
@hadoop-yetus
Copy link

🎊 +1 overall

Vote Subsystem Runtime Comment
0 reexec 79 Docker mode activated.
_ Prechecks _
+1 dupname 0 No case conflicting files found.
+1 @author 0 The patch does not contain any @author tags.
+1 test4tests 0 The patch appears to include 4 new or modified test files.
_ trunk Compile Tests _
+1 mvninstall 1216 trunk passed
+1 compile 31 trunk passed
+1 checkstyle 23 trunk passed
+1 mvnsite 34 trunk passed
+1 shadedclient 862 branch has no errors when building and testing our client artifacts.
+1 javadoc 24 trunk passed
0 spotbugs 59 Used deprecated FindBugs config; considering switching to SpotBugs.
+1 findbugs 57 trunk passed
_ Patch Compile Tests _
+1 mvninstall 32 the patch passed
+1 compile 25 the patch passed
+1 javac 25 the patch passed
-0 checkstyle 18 hadoop-tools/hadoop-aws: The patch generated 2 new + 8 unchanged - 0 fixed = 10 total (was 8)
+1 mvnsite 31 the patch passed
+1 whitespace 0 The patch has no whitespace issues.
+1 shadedclient 875 patch has no errors when building and testing our client artifacts.
+1 javadoc 23 the patch passed
+1 findbugs 62 the patch passed
_ Other Tests _
+1 unit 91 hadoop-aws in the patch passed.
+1 asflicense 29 The patch does not generate ASF License warnings.
3598
Subsystem Report/Notes
Docker Client=19.03.1 Server=19.03.1 base: https://builds.apache.org/job/hadoop-multibranch/job/PR-1587/5/artifact/out/Dockerfile
GITHUB PR #1587
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle
uname Linux 307a8c77c204 4.15.0-54-generic #58-Ubuntu SMP Mon Jun 24 10:55:24 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality personality/hadoop.sh
git revision trunk / 10bdc59
Default Java 1.8.0_222
checkstyle https://builds.apache.org/job/hadoop-multibranch/job/PR-1587/5/artifact/out/diff-checkstyle-hadoop-tools_hadoop-aws.txt
Test Results https://builds.apache.org/job/hadoop-multibranch/job/PR-1587/5/testReport/
Max. process+thread count 337 (vs. ulimit of 5500)
modules C: hadoop-tools/hadoop-aws U: hadoop-tools/hadoop-aws
Console output https://builds.apache.org/job/hadoop-multibranch/job/PR-1587/5/console
versions git=2.7.4 maven=3.3.9 findbugs=3.1.0-RC1
Powered by Apache Yetus 0.10.0 http://yetus.apache.org

This message was automatically generated.

@sidseth
Copy link
Contributor

sidseth commented Oct 5, 2019

LGTM. +1

@steveloughran
Copy link
Contributor Author

thx. will merge; then rebase #1601 on top and use the same explicit disabling of the metastore to ensure test runs always validate the unguarded path there too.

@steveloughran
Copy link
Contributor Author

merged. And I have learned some facts about Configuration that I didn't want to.

Someone should update the javadocs there...or we add the notion of tombstone markers in the config :)

@steveloughran steveloughran deleted the s3/HADOOP-16626-ITestRestrictedReadAccess branch October 15, 2021 19:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants