HADOOP-17822. fs.s3a.acl.default not working after S3A Audit feature #3249

steveloughran · 2021-07-30T12:50:31Z

Fixes the regression caused by HADOOP-17511 by moving where the
cannedACL properties are inited -so guaranteeing that they are valid
before the RequestFactory is created.

Adds

A unit test in TestRequestFactory to verify the ACLs are set
on all file write operations
A new ITestS3ACannedACLs test which verifies that ACLs really
do get all the way through.

steveloughran · 2021-07-30T12:53:37Z

Testing: S3 london; full suite in progress with acls set in auth-keys.xml

Also verified via a "hadoop fs -touchz s3a://stevel-london/acl4" call

<property>
  <name>fs.s3a.acl.default</name>
  <value>LogDeliveryWrite</value>
</property>

then verify through AWS CLI

>  aws s3api get-object-acl --bucket stevel-london --key acl4
GRANTS  FULL_CONTROL
GRANTEE <owner>        CanonicalUser
GRANTS  WRITE
GRANTEE Group   http://acs.amazonaws.com/groups/s3/LogDelivery
GRANTS  READ_ACP
GRANTEE Group   http://acs.amazonaws.com/groups/s3/LogDelivery
OWNER   <owner>

steveloughran · 2021-07-30T12:54:24Z

@mukund-thakur @mehakmeet @bogthe

steveloughran · 2021-07-30T14:42:51Z

rebased onto a few patches behind on trunk, before the CSE support went in. that's triggering failures and I need to differentiate CSE-related regressions and anything from this PR

bogthe

Changes LGTM 👍 .

This change makes a bit of a point with regards to createRequestFactory. Maybe it's better in the future to move to a method which explicitly requires all of its dependencies in the parameters instead of relying on the object's state, i.e. a pure function.

steveloughran · 2021-07-30T17:19:52Z

I've done a full test run with

<property>
  <name>fs.s3a.acl.default</name>
  <value>LogDeliveryWrite</value>
</property>

breaks all assumed role tests because the roles aren't being created with "s3:PutObjectAcl" permission. Fixing this and updating the docs as appropriate. Will need to update the assumed role I test with too

Fixes the regression caused by HADOOP-17511 by moving where the cannedACL properties are inited -so guaranteeing that they are valid before the RequestFactory is created. Adds * A unit test in TestRequestFactory to verify the ACLs are set on all file write operations * A new ITestS3ACannedACLs test which verifies that ACLs really do get all the way through. Change-Id: Ic96bc93edfc182d88f6d4ebc43c594a29f94d2cf

hadoop-yetus · 2021-07-30T21:58:02Z

🎊 +1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	1m 6s		Docker mode activated.
			_ Prechecks _
+1 💚	dupname	0m 1s		No case conflicting files found.
+0 🆗	codespell	0m 0s		codespell was not available.
+0 🆗	markdownlint	0m 0s		markdownlint was not available.
+1 💚	@author	0m 0s		The patch does not contain any @author tags.
+1 💚	test4tests	0m 0s		The patch appears to include 4 new or modified test files.
			_ trunk Compile Tests _
+0 🆗	mvndep	12m 26s		Maven dependency ordering for branch
+1 💚	mvninstall	22m 39s		trunk passed
+1 💚	compile	22m 57s		trunk passed with JDK Ubuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04
+1 💚	compile	19m 19s		trunk passed with JDK Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10
+1 💚	checkstyle	3m 47s		trunk passed
+1 💚	mvnsite	2m 22s		trunk passed
+1 💚	javadoc	1m 33s		trunk passed with JDK Ubuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04
+1 💚	javadoc	2m 17s		trunk passed with JDK Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10
+1 💚	spotbugs	3m 40s		trunk passed
+1 💚	shadedclient	17m 13s		branch has no errors when building and testing our client artifacts.
			_ Patch Compile Tests _
+0 🆗	mvndep	0m 22s		Maven dependency ordering for patch
+1 💚	mvninstall	1m 33s		the patch passed
+1 💚	compile	22m 1s		the patch passed with JDK Ubuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04
+1 💚	javac	22m 1s		the patch passed
+1 💚	compile	19m 24s		the patch passed with JDK Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10
+1 💚	javac	19m 24s		the patch passed
+1 💚	blanks	0m 1s		The patch has no blanks issues.
+1 💚	checkstyle	3m 46s		the patch passed
+1 💚	mvnsite	2m 21s		the patch passed
+1 💚	xml	0m 1s		The patch has no ill-formed XML file.
+1 💚	javadoc	1m 31s		the patch passed with JDK Ubuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04
+1 💚	javadoc	2m 17s		the patch passed with JDK Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10
+1 💚	spotbugs	4m 5s		the patch passed
+1 💚	shadedclient	17m 10s		patch has no errors when building and testing our client artifacts.
			_ Other Tests _
+1 💚	unit	16m 58s		hadoop-common in the patch passed.
+1 💚	unit	2m 28s		hadoop-aws in the patch passed.
+1 💚	asflicense	0m 48s		The patch does not generate ASF License warnings.
		206m 52s

Subsystem	Report/Notes
Docker	ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-3249/6/artifact/out/Dockerfile
GITHUB PR	#3249
Optional Tests	dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient codespell xml spotbugs checkstyle markdownlint
uname	Linux fff2241c118c 4.15.0-128-generic #131-Ubuntu SMP Wed Dec 9 06:57:35 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/bin/hadoop.sh
git revision	trunk / `0af71d6`
Default Java	Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10
Multi-JDK versions	/usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10
Test Results	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-3249/6/testReport/
Max. process+thread count	1952 (vs. ulimit of 5500)
modules	C: hadoop-common-project/hadoop-common hadoop-tools/hadoop-aws U: .
Console output	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-3249/6/console
versions	git=2.25.1 maven=3.6.3 spotbugs=4.2.2
Powered by	Apache Yetus 0.14.0-SNAPSHOT https://yetus.apache.org

This message was automatically generated.

mehakmeet

+1, some nit.
Tested on ap-south-1, using #3249 (comment).

"Grants": [
        {
            "Grantee": {
                "ID": "<ID>",
                "Type": "CanonicalUser"
            },
            "Permission": "FULL_CONTROL"
        },
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"
            },
            "Permission": "WRITE"
        },
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"
            },
            "Permission": "READ_ACP"
        }
    ]

hadoop-tools/hadoop-aws/src/test/java/org/apache/hadoop/fs/s3a/ITestS3ACannedACLs.java

mehakmeet · 2021-08-02T05:04:44Z

hadoop-tools/hadoop-aws/src/test/java/org/apache/hadoop/fs/s3a/impl/TestRequestFactory.java

+  }
+
+
+


nit: 2 extra line spaces.

mehakmeet · 2021-08-02T05:20:28Z

hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/RolePolicies.java

      STATEMENT_ALL_S3_GET_BUCKET_LOCATION
  );

+  public static final String CANNED_ACL_LOG = "LogDeliveryWrite";


Javadoc to explain the constant?

actually that wasn't in use. I'd also added it to S3ATestConstants and forgot about this one. Cut it

Change-Id: I3174baf5b0f2e10f0199bd5b762e07f762f76c33

mukund-thakur

LGTM +1.
Ran raw tests without setting this new acl key using ap-south-1 bucket. All good apart from some Timeouts because of vpn.

…3249) Fixes the regression caused by HADOOP-17511 by moving where the option fs.s3a.acl.default is read -doing it before the RequestFactory is created. Adds * A unit test in TestRequestFactory to verify the ACLs are set on all file write operations. * A new ITestS3ACannedACLs test which verifies that ACLs really do get all the way through. * S3A Assumed Role delegation tokens to include the IAM permission s3:PutObjectAcl in the generated role. Contributed by Steve Loughran Change-Id: I3abac6a1b9e150b6b6df0af7c2c70093f8f518cb

hadoop-yetus · 2021-08-02T15:49:44Z

💔 -1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	1m 2s		Docker mode activated.
			_ Prechecks _
+1 💚	dupname	0m 0s		No case conflicting files found.
+0 🆗	codespell	0m 0s		codespell was not available.
+0 🆗	markdownlint	0m 0s		markdownlint was not available.
+1 💚	@author	0m 0s		The patch does not contain any @author tags.
+1 💚	test4tests	0m 0s		The patch appears to include 4 new or modified test files.
			_ trunk Compile Tests _
+0 🆗	mvndep	12m 56s		Maven dependency ordering for branch
+1 💚	mvninstall	37m 55s		trunk passed
-1 ❌	compile	29m 18s	/branch-compile-root-jdkUbuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04.txt	root in trunk failed with JDK Ubuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04.
-1 ❌	compile	0m 40s	/branch-compile-root-jdkPrivateBuild-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10.txt	root in trunk failed with JDK Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10.
-0 ⚠️	checkstyle	0m 37s	/buildtool-branch-checkstyle-root.txt	The patch fails to run checkstyle in root
-1 ❌	mvnsite	0m 38s	/branch-mvnsite-hadoop-common-project_hadoop-common.txt	hadoop-common in trunk failed.
-1 ❌	mvnsite	0m 38s	/branch-mvnsite-hadoop-tools_hadoop-aws.txt	hadoop-aws in trunk failed.
-1 ❌	javadoc	0m 46s	/branch-javadoc-hadoop-common-project_hadoop-common-jdkUbuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04.txt	hadoop-common in trunk failed with JDK Ubuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04.
-1 ❌	javadoc	0m 43s	/branch-javadoc-hadoop-tools_hadoop-aws-jdkUbuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04.txt	hadoop-aws in trunk failed with JDK Ubuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04.
-1 ❌	javadoc	0m 39s	/branch-javadoc-hadoop-common-project_hadoop-common-jdkPrivateBuild-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10.txt	hadoop-common in trunk failed with JDK Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10.
-1 ❌	javadoc	0m 42s	/branch-javadoc-hadoop-tools_hadoop-aws-jdkPrivateBuild-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10.txt	hadoop-aws in trunk failed with JDK Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10.
-1 ❌	spotbugs	0m 40s	/branch-spotbugs-hadoop-common-project_hadoop-common.txt	hadoop-common in trunk failed.
-1 ❌	spotbugs	0m 40s	/branch-spotbugs-hadoop-tools_hadoop-aws.txt	hadoop-aws in trunk failed.
+1 💚	shadedclient	7m 12s		branch has no errors when building and testing our client artifacts.
			_ Patch Compile Tests _
+0 🆗	mvndep	0m 20s		Maven dependency ordering for patch
-1 ❌	mvninstall	0m 24s	/patch-mvninstall-hadoop-common-project_hadoop-common.txt	hadoop-common in the patch failed.
-1 ❌	compile	18m 3s	/patch-compile-root-jdkUbuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04.txt	root in the patch failed with JDK Ubuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04.
-1 ❌	javac	18m 3s	/patch-compile-root-jdkUbuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04.txt	root in the patch failed with JDK Ubuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04.
+1 💚	compile	24m 59s		the patch passed with JDK Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10
-1 ❌	javac	24m 59s	/results-compile-javac-root-jdkPrivateBuild-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10.txt	root-jdkPrivateBuild-1.8.0_292-8u292-b10-0ubuntu1~~20.04-b10 with JDK Private Build-1.8.0_292-8u292-b10-0ubuntu1~~20.04-b10 generated 1793 new + 0 unchanged - 0 fixed = 1793 total (was 0)
+1 💚	blanks	0m 0s		The patch has no blanks issues.
-0 ⚠️	checkstyle	3m 53s	/results-checkstyle-root.txt	root: The patch generated 5 new + 0 unchanged - 0 fixed = 5 total (was 0)
+1 💚	mvnsite	2m 21s		the patch passed
+1 💚	xml	0m 1s		The patch has no ill-formed XML file.
-1 ❌	javadoc	1m 0s	/results-javadoc-javadoc-hadoop-common-project_hadoop-common-jdkUbuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04.txt	hadoop-common-project_hadoop-common-jdkUbuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04 with JDK Ubuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04 generated 99 new + 0 unchanged - 0 fixed = 99 total (was 0)
-1 ❌	javadoc	0m 38s	/results-javadoc-javadoc-hadoop-tools_hadoop-aws-jdkPrivateBuild-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10.txt	hadoop-tools_hadoop-aws-jdkPrivateBuild-1.8.0_292-8u292-b10-0ubuntu1~~20.04-b10 with JDK Private Build-1.8.0_292-8u292-b10-0ubuntu1~~20.04-b10 generated 63 new + 0 unchanged - 0 fixed = 63 total (was 0)
+1 💚	spotbugs	4m 6s		the patch passed
+1 💚	shadedclient	17m 26s		patch has no errors when building and testing our client artifacts.
			_ Other Tests _
+1 💚	unit	17m 17s		hadoop-common in the patch passed.
+1 💚	unit	2m 43s		hadoop-aws in the patch passed.
+1 💚	asflicense	0m 48s		The patch does not generate ASF License warnings.
		189m 50s

Subsystem	Report/Notes
Docker	ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-3249/7/artifact/out/Dockerfile
GITHUB PR	#3249
Optional Tests	dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient codespell xml spotbugs checkstyle markdownlint
uname	Linux b2e110c8740a 4.15.0-147-generic #151-Ubuntu SMP Fri Jun 18 19:21:19 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/bin/hadoop.sh
git revision	trunk / `eb146aa`
Default Java	Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10
Multi-JDK versions	/usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10
Test Results	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-3249/7/testReport/
Max. process+thread count	3137 (vs. ulimit of 5500)
modules	C: hadoop-common-project/hadoop-common hadoop-tools/hadoop-aws U: .
Console output	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-3249/7/console
versions	git=2.25.1 maven=3.6.3
Powered by	Apache Yetus 0.14.0-SNAPSHOT https://yetus.apache.org

This message was automatically generated.

steveloughran · 2021-08-03T10:28:32Z

have I just broken everything?

bogthe · 2021-08-03T17:40:29Z

It is not you, it is we! So did anything break? I ran re-ran the tests on a PR up to date with trunk and nothing suspicious broke.

steveloughran · 2021-08-03T20:22:08Z

ok. If it was a full breakage someone would have noticed, rolled back, re-opened, emailed me etc. It does happen from time to time.

…pache#3249) Fixes the regression caused by HADOOP-17511 by moving where the option fs.s3a.acl.default is read -doing it before the RequestFactory is created. Adds * A unit test in TestRequestFactory to verify the ACLs are set on all file write operations. * A new ITestS3ACannedACLs test which verifies that ACLs really do get all the way through. * S3A Assumed Role delegation tokens to include the IAM permission s3:PutObjectAcl in the generated role. Contributed by Steve Loughran

apache#2807) The S3A connector supports "an auditor", a plugin which is invoked at the start of every filesystem API call, and whose issued "audit span" provides a context for all REST operations against the S3 object store. The standard auditor sets the HTTP Referrer header on the requests with information about the API call, such as process ID, operation name, path, and even job ID. If the S3 bucket is configured to log requests, this information will be preserved there and so can be used to analyze and troubleshoot storage IO. Contributed by Steve Loughran. MUST be followed by: CDPD-28457. HADOOP-17822. fs.s3a.acl.default not working after S3A Audit feature (apache#3249) CDPD-24982. HADOOP-17801. No error message reported when bucket doesn't exist in S3AFS Conflicts: hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/Listing.java hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/S3AFileSystem.java hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/S3AInputStream.java hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/S3AUtils.java hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/WriteOperationHelper.java hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/commit/AbstractS3ACommitter.java hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/impl/AbstractStoreOperation.java hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/impl/DeleteOperation.java hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/impl/RenameOperation.java hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/impl/StoreContext.java hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/s3guard/DynamoDBMetadataStore.java hadoop-tools/hadoop-aws/src/test/java/org/apache/hadoop/fs/s3a/impl/TestPartialDeleteFailures.java Mostly related to shaded guava. this patch really needs CDPD-10473. HADOOP-16645. S3A Delegation Token extension point to use StoreContext; had to CP a file in, and even then the auditing may not be complete there. Will revisit, even though Knox and Ranger will both need a matching change Change-Id: Ic0a105c194342ed2d529833ecc42608e8ba2f258

…dit feature (apache#3249) Fixes the regression caused by HADOOP-17511 by moving where the option fs.s3a.acl.default is read -doing it before the RequestFactory is created. Adds * A unit test in TestRequestFactory to verify the ACLs are set on all file write operations. * A new ITestS3ACannedACLs test which verifies that ACLs really do get all the way through. * S3A Assumed Role delegation tokens to include the IAM permission s3:PutObjectAcl in the generated role. Contributed by Steve Loughran Change-Id: I3abac6a1b9e150b6b6df0af7c2c70093f8f518cb

steveloughran force-pushed the s3/HADOOP-17822-acls branch from 3ffb85e to 1ed1e66 Compare July 30, 2021 14:35

bogthe approved these changes Jul 30, 2021

View reviewed changes

apache deleted a comment from hadoop-yetus Jul 30, 2021

steveloughran force-pushed the s3/HADOOP-17822-acls branch from 5cbe4de to 8ad0f7b Compare July 30, 2021 18:25

steveloughran force-pushed the s3/HADOOP-17822-acls branch from 8ad0f7b to 0af71d6 Compare July 30, 2021 18:29

mehakmeet reviewed Aug 2, 2021

View reviewed changes

HADOOP-17822. Mehakmeet feedback

eb146aa

Change-Id: I3174baf5b0f2e10f0199bd5b762e07f762f76c33

mukund-thakur approved these changes Aug 2, 2021

View reviewed changes

steveloughran merged commit 4627e9c into apache:trunk Aug 2, 2021

steveloughran deleted the s3/HADOOP-17822-acls branch October 15, 2021 19:49

Uh oh!

HADOOP-17822. fs.s3a.acl.default not working after S3A Audit feature #3249

HADOOP-17822. fs.s3a.acl.default not working after S3A Audit feature #3249

Uh oh!

Conversation

steveloughran commented Jul 30, 2021

Uh oh!

steveloughran commented Jul 30, 2021

Uh oh!

steveloughran commented Jul 30, 2021

Uh oh!

steveloughran commented Jul 30, 2021

Uh oh!

bogthe left a comment

Choose a reason for hiding this comment

Uh oh!

steveloughran commented Jul 30, 2021

Uh oh!

hadoop-yetus commented Jul 30, 2021

Uh oh!

mehakmeet left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

mehakmeet Aug 2, 2021

Choose a reason for hiding this comment

Uh oh!

mehakmeet Aug 2, 2021

Choose a reason for hiding this comment

Uh oh!

steveloughran Aug 2, 2021

Choose a reason for hiding this comment

Uh oh!

mukund-thakur left a comment

Choose a reason for hiding this comment

Uh oh!

hadoop-yetus commented Aug 2, 2021

Uh oh!

steveloughran commented Aug 3, 2021

Uh oh!

bogthe commented Aug 3, 2021

Uh oh!

steveloughran commented Aug 3, 2021

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants