You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "Gabor Bota (JIRA)" <ji...@apache.org> on 2019/01/08 15:32:00 UTC
[jira] [Comment Edited] (HADOOP-14556) S3A to support Delegation
Tokens
[ https://issues.apache.org/jira/browse/HADOOP-14556?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16737215#comment-16737215 ]
Gabor Bota edited comment on HADOOP-14556 at 1/8/19 3:31 PM:
-------------------------------------------------------------
Thanks for working on this [~stevel@apache.org]!
Tested the newest patch against eu-west-1 with {{mvn verify -Dparallel-tests -DtestsThreadCount=8 -Ds3guard -Ddynamo -Dauth}} (I usually run tests with these params).
I had the following error:
{noformat}
[ERROR] Tests run: 6, Failures: 0, Errors: 2, Skipped: 0, Time elapsed: 20.79 s <<< FAILURE! - in org.apache.hadoop.fs.s3a.auth.delegation.ITestRoleDelegationTokens
[ERROR] testCreateAndUseDT(org.apache.hadoop.fs.s3a.auth.delegation.ITestRoleDelegationTokens) Time elapsed: 3.484 s <<< ERROR!
java.lang.IllegalStateException: No role ARN defined in fs.s3a.assumed.role.arn
at com.google.common.base.Preconditions.checkState(Preconditions.java:145)
at org.apache.hadoop.fs.s3a.auth.delegation.RoleTokenBinding.createTokenIdentifier(RoleTokenBinding.java:134)
at org.apache.hadoop.fs.s3a.auth.delegation.RoleTokenBinding.createTokenIdentifier(RoleTokenBinding.java:50)
at org.apache.hadoop.fs.s3a.auth.delegation.AbstractDelegationTokenBinding.createDelegationToken(AbstractDelegationTokenBinding.java:140)
at org.apache.hadoop.fs.s3a.auth.delegation.S3ADelegationTokens.createDelegationToken(S3ADelegationTokens.java:422)
at org.apache.hadoop.fs.s3a.auth.delegation.ITestSessionDelegationTokens.testCreateAndUseDT(ITestSessionDelegationTokens.java:176)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
at org.junit.rules.TestWatcher$1.evaluate(TestWatcher.java:55)
at org.junit.internal.runners.statements.FailOnTimeout$CallableStatement.call(FailOnTimeout.java:298)
at org.junit.internal.runners.statements.FailOnTimeout$CallableStatement.call(FailOnTimeout.java:292)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.lang.Thread.run(Thread.java:748)
[ERROR] testSaveLoadTokens(org.apache.hadoop.fs.s3a.auth.delegation.ITestRoleDelegationTokens) Time elapsed: 2.145 s <<< ERROR!
java.lang.IllegalStateException: No role ARN defined in fs.s3a.assumed.role.arn
at com.google.common.base.Preconditions.checkState(Preconditions.java:145)
at org.apache.hadoop.fs.s3a.auth.delegation.RoleTokenBinding.createTokenIdentifier(RoleTokenBinding.java:134)
at org.apache.hadoop.fs.s3a.auth.delegation.RoleTokenBinding.createTokenIdentifier(RoleTokenBinding.java:50)
at org.apache.hadoop.fs.s3a.auth.delegation.AbstractDelegationTokenBinding.createDelegationToken(AbstractDelegationTokenBinding.java:140)
at org.apache.hadoop.fs.s3a.auth.delegation.S3ADelegationTokens.createDelegationToken(S3ADelegationTokens.java:422)
at org.apache.hadoop.fs.s3a.auth.delegation.ITestSessionDelegationTokens.testSaveLoadTokens(ITestSessionDelegationTokens.java:121)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
at org.junit.rules.TestWatcher$1.evaluate(TestWatcher.java:55)
at org.junit.internal.runners.statements.FailOnTimeout$CallableStatement.call(FailOnTimeout.java:298)
at org.junit.internal.runners.statements.FailOnTimeout$CallableStatement.call(FailOnTimeout.java:292)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.lang.Thread.run(Thread.java:748)
{noformat}
But re-running just the {{ITestSessionDelegationTokens}} there were no errors. Could this be a flaky test? (edit: no, this is failing when running the iTests with the params above)
There are also some whitespace and checkstyle issues in the patch.
was (Author: gabor.bota):
Thanks for working on this [~stevel@apache.org]!
Tested the newest patch against eu-west-1 with {{mvn verify -Dparallel-tests -DtestsThreadCount=8 -Ds3guard -Ddynamo -Dauth}} (I usually run tests with these params).
I had the following error:
{noformat}
[ERROR] Tests run: 6, Failures: 0, Errors: 2, Skipped: 0, Time elapsed: 20.79 s <<< FAILURE! - in org.apache.hadoop.fs.s3a.auth.delegation.ITestRoleDelegationTokens
[ERROR] testCreateAndUseDT(org.apache.hadoop.fs.s3a.auth.delegation.ITestRoleDelegationTokens) Time elapsed: 3.484 s <<< ERROR!
java.lang.IllegalStateException: No role ARN defined in fs.s3a.assumed.role.arn
at com.google.common.base.Preconditions.checkState(Preconditions.java:145)
at org.apache.hadoop.fs.s3a.auth.delegation.RoleTokenBinding.createTokenIdentifier(RoleTokenBinding.java:134)
at org.apache.hadoop.fs.s3a.auth.delegation.RoleTokenBinding.createTokenIdentifier(RoleTokenBinding.java:50)
at org.apache.hadoop.fs.s3a.auth.delegation.AbstractDelegationTokenBinding.createDelegationToken(AbstractDelegationTokenBinding.java:140)
at org.apache.hadoop.fs.s3a.auth.delegation.S3ADelegationTokens.createDelegationToken(S3ADelegationTokens.java:422)
at org.apache.hadoop.fs.s3a.auth.delegation.ITestSessionDelegationTokens.testCreateAndUseDT(ITestSessionDelegationTokens.java:176)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
at org.junit.rules.TestWatcher$1.evaluate(TestWatcher.java:55)
at org.junit.internal.runners.statements.FailOnTimeout$CallableStatement.call(FailOnTimeout.java:298)
at org.junit.internal.runners.statements.FailOnTimeout$CallableStatement.call(FailOnTimeout.java:292)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.lang.Thread.run(Thread.java:748)
[ERROR] testSaveLoadTokens(org.apache.hadoop.fs.s3a.auth.delegation.ITestRoleDelegationTokens) Time elapsed: 2.145 s <<< ERROR!
java.lang.IllegalStateException: No role ARN defined in fs.s3a.assumed.role.arn
at com.google.common.base.Preconditions.checkState(Preconditions.java:145)
at org.apache.hadoop.fs.s3a.auth.delegation.RoleTokenBinding.createTokenIdentifier(RoleTokenBinding.java:134)
at org.apache.hadoop.fs.s3a.auth.delegation.RoleTokenBinding.createTokenIdentifier(RoleTokenBinding.java:50)
at org.apache.hadoop.fs.s3a.auth.delegation.AbstractDelegationTokenBinding.createDelegationToken(AbstractDelegationTokenBinding.java:140)
at org.apache.hadoop.fs.s3a.auth.delegation.S3ADelegationTokens.createDelegationToken(S3ADelegationTokens.java:422)
at org.apache.hadoop.fs.s3a.auth.delegation.ITestSessionDelegationTokens.testSaveLoadTokens(ITestSessionDelegationTokens.java:121)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
at org.junit.rules.TestWatcher$1.evaluate(TestWatcher.java:55)
at org.junit.internal.runners.statements.FailOnTimeout$CallableStatement.call(FailOnTimeout.java:298)
at org.junit.internal.runners.statements.FailOnTimeout$CallableStatement.call(FailOnTimeout.java:292)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.lang.Thread.run(Thread.java:748)
{noformat}
But re-running just the {{ITestSessionDelegationTokens}} there were no errors. Could this be a flaky test?
There are also some whitespace and checkstyle issues in the patch.
> S3A to support Delegation Tokens
> --------------------------------
>
> Key: HADOOP-14556
> URL: https://issues.apache.org/jira/browse/HADOOP-14556
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: fs/s3
> Affects Versions: 3.3.0
> Reporter: Steve Loughran
> Assignee: Steve Loughran
> Priority: Major
> Attachments: HADOOP-14556-001.patch, HADOOP-14556-002.patch, HADOOP-14556-003.patch, HADOOP-14556-004.patch, HADOOP-14556-005.patch, HADOOP-14556-007.patch, HADOOP-14556-008.patch, HADOOP-14556-009.patch, HADOOP-14556-010.patch, HADOOP-14556-010.patch, HADOOP-14556-011.patch, HADOOP-14556-012.patch, HADOOP-14556-013.patch, HADOOP-14556-014.patch, HADOOP-14556-015.patch, HADOOP-14556-016.patch, HADOOP-14556-017.patch, HADOOP-14556-018a.patch, HADOOP-14556-019.patch, HADOOP-14556-020.patch, HADOOP-14556-021.patch, HADOOP-14556-022.patch, HADOOP-14556-023.patch, HADOOP-14556-024.patch, HADOOP-14556-025.patch, HADOOP-14556-026.patch, HADOOP-14556-027.patch, HADOOP-14556-028.patch, HADOOP-14556.oath-002.patch, HADOOP-14556.oath.patch
>
>
> S3A to support delegation tokens where
> * an authenticated client can request a token via {{FileSystem.getDelegationToken()}}
> * Amazon's token service is used to request short-lived session secret & id; these will be saved in the token and marshalled with jobs
> * A new authentication provider will look for a token for the current user and authenticate the user if found
> This will not support renewals; the lifespan of a token will be limited to the initial duration. Also, as you can't request an STS token from a temporary session, IAM instances won't be able to issue tokens.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org