[ https://issues.apache.org/jira/browse/HADOOP-13237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15314812#comment-15314812 ]
Chris Nauroth commented on HADOOP-13237: ---------------------------------------- This looks to me like {{AnonymousAWSCredentials}} is fundamentally unusable in a {{AWSCredentialsProviderChain}}. The {{AnonymousAWSCredentials}} is hard-coded to return a null key and secret. https://github.com/aws/aws-sdk-java/blob/master/aws-java-sdk-core/src/main/java/com/amazonaws/auth/AnonymousAWSCredentials.java#L26-L38 However, the chain is coded to throw an exception if it walks the whole chain and can't find a non-null key and secret. https://github.com/aws/aws-sdk-java/blob/master/aws-java-sdk-core/src/main/java/com/amazonaws/auth/AWSCredentialsProviderChain.java#L108-L132 I'd be curious if it works when you swap out the {{credentials = new AWSCredentialsProviderChain(...)}} line for a straight call to {{credentials = new AnonymousAWSCredentialsProvider()}}. If it does, then I think this could be interpreted as a bug in the AWS SDK, and we might consider filing a patch to that project. In the absence of AWS SDK changes, we could have a configuration property like {{fs.s3a.anonymous.access}}, which if true would skip the chain and just create the anonymous provider. Actually, it might be good for anonymous access to be opt-in via configuration anyway, because I expect most deployments wouldn't want anonymous access and would prefer to fail fast so they know to lock down their bucket. > s3a initialization against public bucket fails if caller lacks any credentials > ------------------------------------------------------------------------------ > > Key: HADOOP-13237 > URL: https://issues.apache.org/jira/browse/HADOOP-13237 > Project: Hadoop Common > Issue Type: Sub-task > Components: fs/s3 > Affects Versions: 2.8.0 > Reporter: Steve Loughran > Assignee: Steve Loughran > > If an S3 bucket is public, anyone should be able to read from it. > However, you cannot create an s3a client bonded to a public bucket unless you > have some credentials; the {{doesBucketExist()}} check rejects the call. -- This message was sent by Atlassian JIRA (v6.3.4#6332) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org