-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
glue: Job construct does not honor SparkUIProps S3 prefix when granting S3 access #19862
Comments
Good call. This is a small change but will also require integ testing it to ensure that the correct permissions are applied. |
It would be helpful to have an example script that has spark write logs into the specified path. Trivial scripts do not write to the specified s3 bucket. Otherwise, meaningful integ testing will not be easy. |
I can try to come up with something. The included assertions are not sufficient? |
@raginjason I have made the fix so that the Cloudformation template has the necessary permissions, just like your assertions. However, once deployed, I have not been able to get a job to actually write Spark logs to s3. If your |
…granting S3 access (#26696) The `SparkUIProps.prefix` attribute of `glue.Job` now has a consistent format, is validated, and the bucket ReadWrite role is only given permissions to the folder of the bucket specified by the `prefix` if provided. Adds a suggested format for the prefix: `/foo/bar` and throws and error if the prefix does not start with a `/` or ends without a `/`. This may be a breaking change for users who configured their prefix in a style different than this enforces. However, I believe it is the correct standardization going forward. Closes #19862. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
Describe the bug
glue.Job accepts a
SparkUIProps
object as an argument. The job then in turn grants some S3 permissions for thebucket
attribute of this object. Unfortunately, it does not take theprefix
attribute of this object into account for the grant. See:aws-cdk/packages/@aws-cdk/aws-glue/lib/job.ts
Lines 726 to 732 in 9487b39
Expected Behavior
I expect
glue.Job
to include theprefix
attribute of theSparkUIProps
object when granting S3 permissionsCurrent Behavior
glue.Job
grants read-write access to the entirebucket
attribute of theSparkUIProps
object passed to itReproduction Steps
Possible Solution
Change
bucket.grantReadWrite(role);
tobucket.grantReadWrite(role, props.prefix);
Additional Information/Context
No response
CDK CLI Version
1.148.0 (build 69a50f1)
Framework Version
No response
Node.js Version
v14.17.6
OS
OSX
Language
Python
Language Version
No response
Other information
No response
The text was updated successfully, but these errors were encountered: