Posted to common-issues@hadoop.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2021/02/18 14:36:02 UTC

[jira] [Work logged] (HADOOP-13887) Encrypt S3A data client-side with AWS SDK (S3-CSE)

     [ https://issues.apache.org/jira/browse/HADOOP-13887?focusedWorklogId=554269&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-554269 ]

ASF GitHub Bot logged work on HADOOP-13887:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 18/Feb/21 14:35
            Start Date: 18/Feb/21 14:35
    Worklog Time Spent: 10m 
      Work Description: mehakmeet opened a new pull request #2706:
URL: https://github.com/apache/hadoop/pull/2706


   Tests: mvn -T 32 clean verify -Ddynamo -Dauth -Dscale -Dparallel-tests
   Region: ap-south-1
   
   ```
   [INFO] Results:
   [INFO]
   [WARNING] Tests run: 535, Failures: 0, Errors: 0, Skipped: 5
   ```
   
   ```
   [INFO] Results:
   [INFO]
   [ERROR] Failures:
   [ERROR]   ITestS3AEncryptionCSEAsymmetric>ITestS3AEncryptionCSE.testEncryption:48->ITestS3AEncryptionCSE.validateEncryptionForFilesize:82->AbstractS3ATestBase.writeThenReadFile:196->AbstractS3ATestBase.writeThenReadFile:209->Assert.assertEquals:645->Assert.failNotEquals:834->Assert.fail:88 Wrong file length of file s3a://mehakmeet-singh-data/fork-0001/test/testEncryption0 status: S3AFileStatus{path=s3a://mehakmeet-singh-data/fork-0001/test/testEncryption0; isDirectory=false; length=16; replication=1; blocksize=33554432; modification_time=1613656460000; access_time=0; owner=mehakmeet.singh; group=mehakmeet.singh; permission=rw-rw-rw-; isSymlink=false; hasAcl=false; isEncrypted=true; isErasureCoded=false} isEmptyDirectory=FALSE eTag=91f7a9a65b91c2332c572ea76bdbe822 versionId=null expected:<0> but was:<16>
   [ERROR]   ITestS3AEncryptionCSEAsymmetric>ITestS3AEncryptionCSE.testEncryptionOverRename:63->Assert.assertEquals:645->Assert.failNotEquals:834->Assert.fail:88 Wrong file length of file s3a://mehakmeet-singh-data/fork-0001/test/testEncryptionOverRename status: S3AFileStatus{path=s3a://mehakmeet-singh-data/fork-0001/test/testEncryptionOverRename; isDirectory=false; length=1040; replication=1; blocksize=33554432; modification_time=1613656458000; access_time=0; owner=mehakmeet.singh; group=mehakmeet.singh; permission=rw-rw-rw-; isSymlink=false; hasAcl=false; isEncrypted=true; isErasureCoded=false} isEmptyDirectory=FALSE eTag=97712202251ecc080bbbf909c9000718 versionId=null expected:<1024> but was:<1040>
   [ERROR]   ITestS3AEncryptionCSEKms>ITestS3AEncryptionCSE.testEncryption:48->ITestS3AEncryptionCSE.validateEncryptionForFilesize:82->AbstractS3ATestBase.writeThenReadFile:196->AbstractS3ATestBase.writeThenReadFile:209->Assert.assertEquals:645->Assert.failNotEquals:834->Assert.fail:88 Wrong file length of file s3a://mehakmeet-singh-data/fork-0001/test/testEncryption0 status: S3AFileStatus{path=s3a://mehakmeet-singh-data/fork-0001/test/testEncryption0; isDirectory=false; length=16; replication=1; blocksize=33554432; modification_time=1613656468000; access_time=0; owner=mehakmeet.singh; group=mehakmeet.singh; permission=rw-rw-rw-; isSymlink=false; hasAcl=false; isEncrypted=true; isErasureCoded=false} isEmptyDirectory=FALSE eTag=74cb30cc19ee58be3bcd462120c16eb7 versionId=null expected:<0> but was:<16>
   [ERROR]   ITestS3AEncryptionCSEKms>ITestS3AEncryptionCSE.testEncryptionOverRename:63->Assert.assertEquals:645->Assert.failNotEquals:834->Assert.fail:88 Wrong file length of file s3a://mehakmeet-singh-data/fork-0001/test/testEncryptionOverRename status: S3AFileStatus{path=s3a://mehakmeet-singh-data/fork-0001/test/testEncryptionOverRename; isDirectory=false; length=1040; replication=1; blocksize=33554432; modification_time=1613656465000; access_time=0; owner=mehakmeet.singh; group=mehakmeet.singh; permission=rw-rw-rw-; isSymlink=false; hasAcl=false; isEncrypted=true; isErasureCoded=false} isEmptyDirectory=FALSE eTag=d03375638396ae14794cde1a7e5fd4f8 versionId=null expected:<1024> but was:<1040>
   [ERROR]   ITestS3AEncryptionCSESymmetric>ITestS3AEncryptionCSE.testEncryption:48->ITestS3AEncryptionCSE.validateEncryptionForFilesize:82->AbstractS3ATestBase.writeThenReadFile:196->AbstractS3ATestBase.writeThenReadFile:209->Assert.assertEquals:645->Assert.failNotEquals:834->Assert.fail:88 Wrong file length of file s3a://mehakmeet-singh-data/fork-0002/test/testEncryption0 status: S3AFileStatus{path=s3a://mehakmeet-singh-data/fork-0002/test/testEncryption0; isDirectory=false; length=16; replication=1; blocksize=33554432; modification_time=1613656453000; access_time=0; owner=mehakmeet.singh; group=mehakmeet.singh; permission=rw-rw-rw-; isSymlink=false; hasAcl=false; isEncrypted=true; isErasureCoded=false} isEmptyDirectory=FALSE eTag=ff01163e592622879cd0cdb7005618ca versionId=null expected:<0> but was:<16>
   [ERROR]   ITestS3AEncryptionCSESymmetric>ITestS3AEncryptionCSE.testEncryptionOverRename:63->Assert.assertEquals:645->Assert.failNotEquals:834->Assert.fail:88 Wrong file length of file s3a://mehakmeet-singh-data/fork-0002/test/testEncryptionOverRename status: S3AFileStatus{path=s3a://mehakmeet-singh-data/fork-0002/test/testEncryptionOverRename; isDirectory=false; length=1040; replication=1; blocksize=33554432; modification_time=1613656451000; access_time=0; owner=mehakmeet.singh; group=mehakmeet.singh; permission=rw-rw-rw-; isSymlink=false; hasAcl=false; isEncrypted=true; isErasureCoded=false} isEmptyDirectory=FALSE eTag=1802986c25982cdacb58aff624626eeb versionId=null expected:<1024> but was:<1040>
   ```
   When we do fs.getFileStatus().getLen() to get the content length of the encrypted file, it is not the same as the original length and hence, the tests are breaking.
   
   ```
   [INFO]
   [ERROR] Tests run: 1427, Failures: 7, Errors: 21, Skipped: 458
   ```
   Failures other than S3-CSE tests are config related
   
   ```
   [ERROR] Errors:
   [ERROR]   ITestS3AContractRootDir>AbstractContractRootDirectoryTest.testRecursiveRootListing:267 » TestTimedOut
   [INFO]
   [ERROR] Tests run: 151, Failures: 0, Errors: 1, Skipped: 28
   ```
   
   When I remove the checks for file content lengths from the tests, the tests run successfully; hence, the Key-wrap Algo and Content Encryption Algo are used as intended successfully.
   
   One possible way we explored to tackle the padding issue was to tweak the s3GetFileStatus call to return a FileStatus with the "UNENCRYPTED_CONTENT_LENGTH" header, which comes in the user metadata, but this would still break where we don't get these headers to do our tasks. Hence, consistency of content length needs to be maintained.
   P.S.: Need more tests to validate that even with tweaking, we are breaking some tests.
   
   CC: @steveloughran  
   




Issue Time Tracking
-------------------

            Worklog Id:     (was: 554269)
    Remaining Estimate: 0h
            Time Spent: 10m

> Encrypt S3A data client-side with AWS SDK (S3-CSE)
> --------------------------------------------------
>
>                 Key: HADOOP-13887
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13887
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/s3
>    Affects Versions: 2.8.0
>            Reporter: Jeeyoung Kim
>            Assignee: Igor Mazur
>            Priority: Minor
>         Attachments: HADOOP-13887-002.patch, HADOOP-13887-007.patch, HADOOP-13887-branch-2-003.patch, HADOOP-13897-branch-2-004.patch, HADOOP-13897-branch-2-005.patch, HADOOP-13897-branch-2-006.patch, HADOOP-13897-branch-2-008.patch, HADOOP-13897-branch-2-009.patch, HADOOP-13897-branch-2-010.patch, HADOOP-13897-branch-2-012.patch, HADOOP-13897-branch-2-014.patch, HADOOP-13897-trunk-011.patch, HADOOP-13897-trunk-013.patch, HADOOP-14171-001.patch, S3-CSE Proposal.pdf
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Expose the client-side encryption option documented in Amazon S3 documentation  - http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
> Currently this is not exposed in Hadoop but it is exposed as an option in AWS Java SDK, which Hadoop currently includes. It should be trivial to propagate this as a parameter passed to the S3client used in S3AFileSystem.java



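Added example (not code from the pull request or from Hadoop): it reproduces the 0 -> 16 and 1024 -> 1040 length difference reported in the pull request description above, then resolves the plaintext length from the user-metadata header when it is present and from a fixed overhead when it is not. It assumes the content cipher is AES/GCM/NoPadding with a 128-bit tag and that the header's metadata key is `x-amz-unencrypted-content-length`; the class and method names are hypothetical.

```java
import java.security.SecureRandom;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class CseLengthDemo {
  // Assumption: content cipher is AES/GCM/NoPadding with a 128-bit (16-byte) tag.
  static final int TAG_BYTES = 16;
  // Assumption: user-metadata key that carries the plaintext length.
  static final String UNENCRYPTED_LEN = "x-amz-unencrypted-content-length";

  /** Encrypts plainLen zero bytes and returns the ciphertext length as stored. */
  static int encryptedLength(SecretKey key, int plainLen) throws Exception {
    byte[] iv = new byte[12];
    new SecureRandom().nextBytes(iv); // fresh IV per object, never reused with a key
    Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
    c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BYTES * 8, iv));
    return c.doFinal(new byte[plainLen]).length;
  }

  /** Prefers the metadata header; falls back to stored length minus the tag. */
  static long plaintextLength(long storedLen, Map<String, String> userMetadata) {
    String header = userMetadata.get(UNENCRYPTED_LEN);
    if (header != null) {
      return Long.parseLong(header);
    }
    // Listing results carry no user metadata, so only the stored length is known.
    // This fallback is only valid if every object under the path is CSE-encrypted.
    if (storedLen < TAG_BYTES) {
      throw new IllegalStateException("object shorter than GCM tag: " + storedLen);
    }
    return storedLen - TAG_BYTES;
  }

  public static void main(String[] args) throws Exception {
    KeyGenerator kg = KeyGenerator.getInstance("AES");
    kg.init(256);
    SecretKey key = kg.generateKey();
    for (int plainLen : new int[] {0, 1024}) { // the two sizes in the failing tests
      int stored = encryptedLength(key, plainLen);
      long viaHeader = plaintextLength(stored, Map.of(UNENCRYPTED_LEN, String.valueOf(plainLen)));
      long viaFallback = plaintextLength(stored, Map.of());
      System.out.printf("plain=%d stored=%d header=%d fallback=%d%n",
          plainLen, stored, viaHeader, viaFallback);
    }
  }
}
```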