Skip to content

HADOOP-17922. Lookup old S3 encryption configs for JCEKS #3462

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
mehakmeet wants to merge 4 commits into from
Closed

HADOOP-17922. Lookup old S3 encryption configs for JCEKS #3462

mehakmeet wants to merge 4 commits into from

Conversation

@mehakmeet
Copy link
Contributor

@mehakmeet mehakmeet commented Sep 20, 2021

Region: ap-south-1.
mvn clean verify -Dparallel-tests -DtestsThreadCount=4 -Dscale
Used long and short bucket property names for encryption properties for tests.

Tests run: 575, Failures: 0, Errors: 0, Skipped: 5
Tests run: 1477, Failures: 0, Errors: 2, Skipped: 636
Tests run: 151, Failures: 0, Errors: 1, Skipped: 28
CSE:
Tests run: 5, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 28.081 s - in org.apache.hadoop.fs.s3a.ITestS3AClientSideEncryptionKms

@mehakmeet
Copy link
Contributor Author

mehakmeet commented Sep 20, 2021
edited
Loading

One commit in a test might be required which is in non-CSE mode, which I am currently running. Apart from that main change is in S3AUtils.java where we are looking up the old values first then using them as default values for the new lookup.

@hadoop-yetus
Copy link

hadoop-yetus commented Sep 20, 2021

🎊 +1 overall

Vote Subsystem Runtime Logfile Comment
+0 🆗 reexec 0m 57s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+0 🆗 codespell 0m 0s codespell was not available.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
+1 💚 test4tests 0m 0s The patch appears to include 8 new or modified test files.
_ trunk Compile Tests _
+1 💚 mvninstall 34m 24s trunk passed
+1 💚 compile 0m 43s trunk passed with JDK Ubuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04
+1 💚 compile 0m 35s trunk passed with JDK Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10
+1 💚 checkstyle 0m 27s trunk passed
+1 💚 mvnsite 0m 43s trunk passed
+1 💚 javadoc 0m 21s trunk passed with JDK Ubuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04
+1 💚 javadoc 0m 31s trunk passed with JDK Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10
+1 💚 spotbugs 1m 8s trunk passed
+1 💚 shadedclient 22m 7s branch has no errors when building and testing our client artifacts.
_ Patch Compile Tests _
+1 💚 mvninstall 0m 34s the patch passed
+1 💚 compile 0m 38s the patch passed with JDK Ubuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04
+1 💚 javac 0m 38s the patch passed
+1 💚 compile 0m 31s the patch passed with JDK Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10
+1 💚 javac 0m 31s the patch passed
+1 💚 blanks 0m 0s The patch has no blanks issues.
+1 💚 checkstyle 0m 19s the patch passed
+1 💚 mvnsite 0m 35s the patch passed
+1 💚 javadoc 0m 15s the patch passed with JDK Ubuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04
+1 💚 javadoc 0m 24s the patch passed with JDK Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10
+1 💚 spotbugs 1m 10s the patch passed
+1 💚 shadedclient 22m 6s patch has no errors when building and testing our client artifacts.
_ Other Tests _
+1 💚 unit 2m 49s hadoop-aws in the patch passed.
+1 💚 asflicense 0m 29s The patch does not generate ASF License warnings.
92m 38s
Subsystem Report/Notes
Docker ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-3462/2/artifact/out/Dockerfile
GITHUB PR #3462
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient spotbugs checkstyle codespell
uname Linux c21d23bdc92d 4.15.0-143-generic #147-Ubuntu SMP Wed Apr 14 16:10:11 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/bin/hadoop.sh
git revision trunk / 6706bc1
Default Java Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10
Multi-JDK versions /usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10
Test Results https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-3462/2/testReport/
Max. process+thread count 592 (vs. ulimit of 5500)
modules C: hadoop-tools/hadoop-aws U: hadoop-tools/hadoop-aws
Console output https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-3462/2/console
versions git=2.25.1 maven=3.6.3 spotbugs=4.2.2
Powered by Apache Yetus 0.14.0-SNAPSHOT https://yetus.apache.org

This message was automatically generated.

@mehakmeet
Copy link
Contributor Author

mehakmeet commented Sep 20, 2021

CC: @steveloughran @mukund-thakur

@apache apache deleted a comment from hadoop-yetus Sep 21, 2021
steveloughran
steveloughran requested changes Sep 21, 2021
View reviewed changes
Copy link
Contributor

@steveloughran steveloughran left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This all makes sense, I have one change for the docs

hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/DefaultS3ClientFactory.java
private static final LogExactlyOnce IGNORE_CSE_WARN = new LogExactlyOnce(LOG);

/** Bucket name. */
private String bucket;
Copy link
Contributor

@steveloughran steveloughran Sep 21, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

final?

Copy link
Contributor Author

@mehakmeet mehakmeet Sep 21, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cannot make it final. Assigning it a value in a method

hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/DefaultS3ClientFactory.java Outdated

// Get the encryption method for this bucket.
S3AEncryptionMethods encryptionMethods =
getEncryptionAlgorithm(uri.getHost(), conf);
Copy link
Contributor

@steveloughran steveloughran Sep 21, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

bucket?

@steveloughran
Copy link
Contributor

steveloughran commented Sep 21, 2021

Can I add some text to the per bucket settings override docs for this patch...I'll compose it and add it in a comment

mukund-thakur
mukund-thakur reviewed Sep 21, 2021
View reviewed changes
Copy link
Contributor

@mukund-thakur mukund-thakur left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good during review session. Let's add steve's doc.

@steveloughran
Copy link
Contributor

steveloughran commented Sep 21, 2021

and the news is the method propagateBucketOptions() will promote a per-bucket deprecated property to be the new value, because Configuration.set() does the remapping, and thats what the propagation algorithm uses.

So: for encryption options not in jceks files, fs.bucket.BUCKET.fs.s3a.server-side-encryption-algorithm beats the global value of fs.bucket.s3a.encryption.algorithm"

We don't get this for jceks files as there is no propagation, just lookup.

I'm not going to worry about this, except to say "don't...I will add something in my patch which mentions this."

@hadoop-yetus
Copy link

hadoop-yetus commented Sep 21, 2021

🎊 +1 overall

Vote Subsystem Runtime Logfile Comment
+0 🆗 reexec 1m 16s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+0 🆗 codespell 0m 0s codespell was not available.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
+1 💚 test4tests 0m 0s The patch appears to include 8 new or modified test files.
_ trunk Compile Tests _
+1 💚 mvninstall 39m 33s trunk passed
+1 💚 compile 0m 56s trunk passed with JDK Ubuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04
+1 💚 compile 0m 42s trunk passed with JDK Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10
+1 💚 checkstyle 0m 29s trunk passed
+1 💚 mvnsite 0m 51s trunk passed
+1 💚 javadoc 0m 26s trunk passed with JDK Ubuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04
+1 💚 javadoc 0m 37s trunk passed with JDK Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10
+1 💚 spotbugs 1m 27s trunk passed
+1 💚 shadedclient 25m 54s branch has no errors when building and testing our client artifacts.
_ Patch Compile Tests _
+1 💚 mvninstall 0m 43s the patch passed
+1 💚 compile 0m 47s the patch passed with JDK Ubuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04
+1 💚 javac 0m 47s the patch passed
+1 💚 compile 0m 33s the patch passed with JDK Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10
+1 💚 javac 0m 33s the patch passed
+1 💚 blanks 0m 0s The patch has no blanks issues.
+1 💚 checkstyle 0m 23s the patch passed
+1 💚 mvnsite 0m 41s the patch passed
+1 💚 javadoc 0m 17s the patch passed with JDK Ubuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04
+1 💚 javadoc 0m 28s the patch passed with JDK Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10
+1 💚 spotbugs 1m 32s the patch passed
+1 💚 shadedclient 26m 7s patch has no errors when building and testing our client artifacts.
_ Other Tests _
+1 💚 unit 3m 18s hadoop-aws in the patch passed.
+1 💚 asflicense 0m 36s The patch does not generate ASF License warnings.
108m 13s
Subsystem Report/Notes
Docker ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-3462/3/artifact/out/Dockerfile
GITHUB PR #3462
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient spotbugs checkstyle codespell
uname Linux 45781b97758d 4.15.0-143-generic #147-Ubuntu SMP Wed Apr 14 16:10:11 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/bin/hadoop.sh
git revision trunk / 09f877c
Default Java Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10
Multi-JDK versions /usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10
Test Results https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-3462/3/testReport/
Max. process+thread count 518 (vs. ulimit of 5500)
modules C: hadoop-tools/hadoop-aws U: hadoop-tools/hadoop-aws
Console output https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-3462/3/console
versions git=2.25.1 maven=3.6.3 spotbugs=4.2.2
Powered by Apache Yetus 0.14.0-SNAPSHOT https://yetus.apache.org

This message was automatically generated.

@steveloughran
Copy link
Contributor

steveloughran commented Sep 21, 2021

ok, I've added a patch in #3466 which

  • updates the docs
  • adds tests for deprecation propagation in XML
  • and a test for the same in jceks whose assertions expect the same outcome as for XML
  • so which fail.

What now? I'd like that jceks resolution to be more consistent.

(Oh, what a PITA). CSE is all good; we are just left trying to stabilise option names.

@mehakmeet -can you cherrypick my patch into this PR and switch the failing test to use the new method you've added to look up the encryption settings? Then we can get that method to do what we want.

@mehakmeet
Copy link
Contributor Author

mehakmeet commented Sep 21, 2021

Thanks for the changes @steveloughran.
I did the cherry-pick. One thing to note is that the method used S3AUtils.getEncryptionAlgortihm() does its validation as well, so the Strings provided: "new-key-global" and "old-key-bucket", would cause an unknown encryption method exception. So, I just replaced them with "CSE-KMS" and "SSE-KMS". Still the same test just different string value.

Coming to the tests. As expected the JCEKS test fails and gives the new global priority over old per-bucket configs.

Then we can get that method to do what we want

So, basically, we would now make changes to the way we look-up so that this test passes and per-bucket config old or new gets priority over everything else?
Also, nice docs.

@steveloughran
HADOOP-17922. How are deprecated properties resolved per-bucket?
01d7480 
New unit test suite for propagation

* adds TestBucketConfiguration for conf file propagation (succeeds)
* one for jecks (fails; needs to sync up with the other patch)
* moves over some test cases from ITestS3AConfiguration which
  don't need an FS.

Change-Id: Ie1b6e0d1c655d00fc6d47ce054a1aeba01c71044
@hadoop-yetus
Copy link

hadoop-yetus commented Sep 21, 2021

💔 -1 overall

Vote Subsystem Runtime Logfile Comment
+0 🆗 reexec 1m 7s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+0 🆗 codespell 0m 0s codespell was not available.
+0 🆗 markdownlint 0m 0s markdownlint was not available.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
+1 💚 test4tests 0m 0s The patch appears to include 10 new or modified test files.
_ trunk Compile Tests _
+1 💚 mvninstall 37m 5s trunk passed
+1 💚 compile 0m 52s trunk passed with JDK Ubuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04
+1 💚 compile 0m 40s trunk passed with JDK Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10
+1 💚 checkstyle 0m 31s trunk passed
+1 💚 mvnsite 0m 47s trunk passed
+1 💚 javadoc 0m 23s trunk passed with JDK Ubuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04
+1 💚 javadoc 0m 31s trunk passed with JDK Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10
+1 💚 spotbugs 1m 20s trunk passed
+1 💚 shadedclient 24m 10s branch has no errors when building and testing our client artifacts.
_ Patch Compile Tests _
+1 💚 mvninstall 0m 39s the patch passed
+1 💚 compile 0m 43s the patch passed with JDK Ubuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04
+1 💚 javac 0m 43s the patch passed
+1 💚 compile 0m 32s the patch passed with JDK Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10
+1 💚 javac 0m 32s the patch passed
+1 💚 blanks 0m 0s The patch has no blanks issues.
+1 💚 checkstyle 0m 21s the patch passed
+1 💚 mvnsite 0m 40s the patch passed
+1 💚 javadoc 0m 16s the patch passed with JDK Ubuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04
+1 💚 javadoc 0m 26s the patch passed with JDK Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10
+1 💚 spotbugs 1m 27s the patch passed
+1 💚 shadedclient 24m 21s patch has no errors when building and testing our client artifacts.
_ Other Tests _
-1 ❌ unit 3m 4s /patch-unit-hadoop-tools_hadoop-aws.txt hadoop-aws in the patch passed.
+1 💚 asflicense 0m 34s The patch does not generate ASF License warnings.
101m 7s
Reason Tests
Failed junit tests hadoop.fs.s3a.TestBucketConfiguration
Subsystem Report/Notes
Docker ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-3462/4/artifact/out/Dockerfile
GITHUB PR #3462
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient spotbugs checkstyle codespell markdownlint
uname Linux 4ac50a9a9329 4.15.0-143-generic #147-Ubuntu SMP Wed Apr 14 16:10:11 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/bin/hadoop.sh
git revision trunk / 01d7480
Default Java Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10
Multi-JDK versions /usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.11+9-Ubuntu-0ubuntu2.20.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_292-8u292-b10-0ubuntu1~20.04-b10
Test Results https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-3462/4/testReport/
Max. process+thread count 519 (vs. ulimit of 5500)
modules C: hadoop-tools/hadoop-aws U: hadoop-tools/hadoop-aws
Console output https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-3462/4/console
versions git=2.25.1 maven=3.6.3 spotbugs=4.2.2
Powered by Apache Yetus 0.14.0-SNAPSHOT https://yetus.apache.org

This message was automatically generated.

@steveloughran
Copy link
Contributor

steveloughran commented Sep 27, 2021

going to take this and then update with ordering of checks for old props following the exact same ordering as normal props

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mukund-thakur mukund-thakur mukund-thakur left review comments

@steveloughran steveloughran steveloughran requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@mehakmeet @hadoop-yetus @steveloughran @mukund-thakur