Skip to content

HADOOP-19282. S3A: STSClientFactory: do not use URIBuilder#7966

Merged
steveloughran merged 1 commit intoapache:trunkfrom
LDVSOFT:aws-dont-depend-on-aws-bundle-shaded-uri-builder
Oct 1, 2025
Merged

HADOOP-19282. S3A: STSClientFactory: do not use URIBuilder#7966
steveloughran merged 1 commit intoapache:trunkfrom
LDVSOFT:aws-dont-depend-on-aws-bundle-shaded-uri-builder

Conversation

@LDVSOFT
Copy link
Contributor

@LDVSOFT LDVSOFT commented Sep 15, 2025

Description of PR

URIBuilder was used from the AWS SDK for Java v2, to be precise from the shaded Apache HTTP Client. It is a problem if a user would like not to use the AWS SDK bundle, since more or less only 3 modules are needed (s3, s3-transfer & sts), but that may cause problems on unshaded dependency versions. Since a URI constructor can achieve the same here I switched it as a preferred option.

How was this patch tested?

I've run the test suite against a eu-west-1 bucket, without scaling/load since the change shouldn't affect that. To be exact, with something like this:

auth-keys.xml 
<configuration>
<property>
    <name>test.fs.s3a.name</name>
    <value>s3a://hadoop-test-‹edited›</value>
</property>

<property>
    <name>test.fs.s3a.encryption.enabled</name>
    <value>false</value>
    <description>Don't wanna</description>
</property>

<property>
    <name>test.fs.s3a.create.acl.enabled</name>
    <value>false</value>
    <description>disabled on server</description>
</property>

<property>
    <name>fs.s3a.endpoint.region</name>
    <value>eu-west-1</value>
</property>

<property>
    <name>fs.s3a.assumed.role.sts.endpoint.region</name>
    <value>eu-west-1</value>
</property>

<property>
    <name>test.sts.endpoint</name>
    <description>Specific endpoint to use for STS requests.</description>
    <value>sts.eu-west-1.amazonaws.com</value>
</property>

<property>
    <name>fs.s3a.assumed.role.sts.endpoint</name>
    <value>${test.sts.endpoint}</value>
</property>

<property>
    <name>fs.contract.test.fs.s3a</name>
    <value>${test.fs.s3a.name}</value>
</property>

<property>
    <!-- Runs under aws-vault --no-session -->
    <name>fs.s3a.aws.credentials.provider</name>
    <value>software.amazon.awssdk.auth.credentials.EnvironmentVariableCredentialsProvider</value>
</property>

<property>
    <!-- Runs under aws-vault --no-session -->
    <name>fs.s3a.assumed.role.credentials.provider</name>
    <value>software.amazon.awssdk.auth.credentials.EnvironmentVariableCredentialsProvider</value>
</property>

<property>
    <name>fs.s3a.assumed.role.arn</name>
    <value>arn:aws:iam::‹edited›:role/hadoop_test_role_‹edited›</value>
</property>

<!-- is there a typo in the docs? -->
<property>
    <name>fs.s3a.delegation.token.endpoint</name>
    <value>${fs.s3a.assumed.role.sts.endpoint}</value>
</property>
</configuration>

Almost all test pass:

  • I wasn't able to make ITestDelegatedMRJob work. They probably clean out environment somewhere and my environment-provided AWS credentials didn't work. Also it looks parametrized, and I can't tell from the Surefire/Failsafe reports which causes a problem.
  • ITestRoleDelegationInFilesystem/ITestSessionDelegationInFilesystem fail a bit in missmatch2, but I'm really unfamiliar with credentials delegation. Probably lost environment variables on it's way?
  • Sometimes ITestS3APrefetchingInputStream fails with 0 size.
  • To be honest those also don't work for me on trunk!

Given that other tests pass and the scope of the change I think it's fine, and the problem is my test setup misconfiguration. If you know how to fix the setup — I can rerun with some other options.

Also, I've found this bug while repackaging Spark for a local K8S deployment, and with this fix STS configuration options work even if I do replace AWS SDK bundle with only required SDK modules.

For code changes:

  • Does the title or this PR starts with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
  • Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
  • If applicable, have you updated the LICENSE, LICENSE-binary, NOTICE-binary files?

Sign-off

I give a license to the Apache Software Foundation to use this code, as required under §5 of the Apache License.

P.S.

Re-opened from #7483 where there was a review by @steveloughran.

@LDVSOFT
HADOOP-19282. STSClientFactory: do not use URIBuilder
e000b6a 
URIBuilder was used from the AWS SDK for Java v2, to be precise from the
shaded Apache HTTP Client. It is a problem if a user would like not to
use the AWS SDK bundle, since more or less only 3 modules are needed
(s3, s3-transfer & sts), but that may cause problems on unshaded
dependency versions. Since a URI constructor can achieve the same here I
switched it as a preferred option.
@hadoop-yetus
Copy link

hadoop-yetus commented Sep 15, 2025

💔 -1 overall

Vote Subsystem Runtime Logfile Comment
+0 🆗 reexec 8m 45s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+0 🆗 codespell 0m 0s codespell was not available.
+0 🆗 detsecrets 0m 0s detect-secrets was not available.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
-1 ❌ test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
_ trunk Compile Tests _
+1 💚 mvninstall 34m 25s trunk passed
+1 💚 compile 0m 28s trunk passed with JDK Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04
+1 💚 compile 0m 25s trunk passed with JDK Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09
+1 💚 checkstyle 0m 23s trunk passed
+1 💚 mvnsite 0m 30s trunk passed
+1 💚 javadoc 0m 29s trunk passed with JDK Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04
+1 💚 javadoc 0m 24s trunk passed with JDK Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09
+1 💚 spotbugs 0m 49s trunk passed
+1 💚 shadedclient 21m 29s branch has no errors when building and testing our client artifacts.
_ Patch Compile Tests _
+1 💚 mvninstall 0m 18s the patch passed
+1 💚 compile 0m 23s the patch passed with JDK Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04
+1 💚 javac 0m 23s the patch passed
+1 💚 compile 0m 17s the patch passed with JDK Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09
+1 💚 javac 0m 17s the patch passed
+1 💚 blanks 0m 0s The patch has no blanks issues.
+1 💚 checkstyle 0m 14s the patch passed
+1 💚 mvnsite 0m 22s the patch passed
+1 💚 javadoc 0m 19s the patch passed with JDK Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04
+1 💚 javadoc 0m 19s the patch passed with JDK Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09
+1 💚 spotbugs 0m 45s the patch passed
+1 💚 shadedclient 21m 27s patch has no errors when building and testing our client artifacts.
_ Other Tests _
+1 💚 unit 2m 32s hadoop-aws in the patch passed.
+1 💚 asflicense 0m 27s The patch does not generate ASF License warnings.
96m 27s
Subsystem Report/Notes
Docker ClientAPI=1.51 ServerAPI=1.51 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7966/1/artifact/out/Dockerfile
GITHUB PR #7966
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient spotbugs checkstyle codespell detsecrets
uname Linux 119e93a3aae9 5.15.0-143-generic #153-Ubuntu SMP Fri Jun 13 19:10:45 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/bin/hadoop.sh
git revision trunk / e000b6a
Default Java Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09
Multi-JDK versions /usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09
Test Results https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7966/1/testReport/
Max. process+thread count 555 (vs. ulimit of 5500)
modules C: hadoop-tools/hadoop-aws U: hadoop-tools/hadoop-aws
Console output https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7966/1/console
versions git=2.25.1 maven=3.6.3 spotbugs=4.2.2
Powered by Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

@LDVSOFT
Copy link
Contributor Author

LDVSOFT commented Sep 15, 2025

Oh hey, way better CI luck this time around :)

steveloughran
steveloughran approved these changes Oct 1, 2025
View reviewed changes
Copy link
Contributor

@steveloughran steveloughran left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

@steveloughran steveloughran changed the title HADOOP-19282. STSClientFactory: do not use URIBuilder HADOOP-19282. S3A: STSClientFactory: do not use URIBuilder Oct 1, 2025
@steveloughran steveloughran merged commit d115595 into apache:trunk Oct 1, 2025
1 of 3 checks passed
@steveloughran
Copy link
Contributor

steveloughran commented Oct 1, 2025

@LDVSOFT thanks for this -we never want to make those shaded libraries mandatory. If you can sort out the classpath of a leaner deployment -well done!

Those test failures showed you were running them...the prefetch one fails regularly for me too.

The PR Is merged to trunk. If you do a cherrypick PR and retest against branch-3.4 I will merge there too

@steveloughran
Copy link
Contributor

steveloughran commented Oct 1, 2025

also, have you an asf JIRA ID to assign the fix to you there? If not: request one and tell me what it is.

@LDVSOFT
Copy link
Contributor Author

LDVSOFT commented Oct 2, 2025

@steveloughran You're welcome!

About leaner classpath: there are pros and cons. S3A, as far as I see, really only needs AWS SDK modules for s3, s3-manager, sts and whatever those would pull (core, sync/async clients, etc), however since dependencies of those aren't shaded, like in bundle, it may cause other problems I can't recommend to anyone outside as of now (as of now I don't trust Maven to handle this complexity 🤫). Also there is some noise as it seems implementation would prefer a particular good async http client, but don't quote me on that…

Will cherry-pick for 3.4.

I'm not familiar with Jira to understand what ID you mean here, but my username is LDVSoft.

LDVSOFT added a commit to LDVSOFT/hadoop that referenced this pull request Oct 2, 2025
@LDVSOFT
HADOOP-19282. STSClientFactory: do not use URIBuilder (apache#7966)
f70d9c1 
URIBuilder was used from the AWS SDK for Java v2, from the
shaded Apache HTTP Client. 

It is a problem if a user would like not to
use the AWS SDK bundle, since more or less only 3 modules are needed
(s3, s3-transfer & sts), but that may cause problems on unshaded
dependency versions. Since a URI constructor can achieve the same here I
switched it as a preferred option.

Contributed by Lapshin Dmitry
@LDVSOFT LDVSOFT mentioned this pull request Oct 2, 2025
Merged
4 tasks
@steveloughran
Copy link
Contributor

steveloughran commented Oct 2, 2025

@LDVSOFT the reason we use the big jar is just that historically it's been so brittle to things like the version of jackson, httpclient and more -so using the unshaded artifacts would put the SDK in charge of defining the versions of those artifacts for everything.

regarding JIRA ID, your username is what I meant -you are now listed as the author of the patch there.

steveloughran pushed a commit that referenced this pull request Oct 2, 2025
@LDVSOFT
HADOOP-19282. STSClientFactory: do not use URIBuilder (#7966) (#8008)
d4a0da8 
URIBuilder was used from the AWS SDK for Java v2, from the
shaded Apache HTTP Client. 

It is a problem if a user would like not to
use the AWS SDK bundle, since more or less only 3 modules are needed
(s3, s3-transfer & sts), but that may cause problems on unshaded
dependency versions. Since a URI constructor can achieve the same here I
switched it as a preferred option.

Contributed by Lapshin Dmitry
@LDVSOFT LDVSOFT deleted the aws-dont-depend-on-aws-bundle-shaded-uri-builder branch October 3, 2025 10:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@steveloughran steveloughran steveloughran approved these changes

Assignees

No one assigned

Labels

AWS TOOLS trunk

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@LDVSOFT @hadoop-yetus @steveloughran