[
https://issues.apache.org/jira/browse/HADOOP-14821?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16150952#comment-16150952
]
Aaron Fabbri edited comment on HADOOP-14821 at 9/1/17 6:12 PM:
---------------------------------------------------------------
Edit: I see what you are saying: Failure to access one file causes it to fail
even if subsequent files to allow access.
Also, I thought S3A support for credential providers landed around hadoop 2.8?
(HADOOP-12548) Not sure this will work in 2.7.x even when you get past the
permission issue. Maybe it was backported?
was (Author: fabbri):
It looks like a permissions issue on your .jceks file: it is not readable by
the user your are running the hadoop command as, right?
Also, I thought S3A support for credential providers landed around hadoop 2.8?
(HADOOP-12548) Not sure this will work in 2.7.x even when you get past the
permission issue.
> Executing the command 'hdfs
> -Dhadoop.security.credential.provider.path=file1.jceks,file2.jceks' fails if
> permission is denied to some files
> -------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: HADOOP-14821
> URL: https://issues.apache.org/jira/browse/HADOOP-14821
> Project: Hadoop Common
> Issue Type: Improvement
> Components: fs/s3, hdfs-client, security
> Affects Versions: 2.7.3
> Environment: hadoop-common-2.7.3.2.6.0.11-1
> Reporter: Ernani Pereira de Mattos Junior
> Priority: Critical
> Labels: features
>
> =======
> Request Use Case:
> UC1:
> The customer has the path to a directory and subdirectories full of keys. The
> customer knows that he does not have the access to all the keys, but ignoring
> this problem, the customer makes a list of the keys.
> UC1.2:
> The customer in a FIFO manner, try his access to the key provided on the
> list. If the access is granted locally then he can try the login on the s3a.
> UC1.2:
> The customer in a FIFO manner, try his access to the key provided on the
> list. If the access is not granted locally then he will skip the login on the
> s3a and try the next key on the list.
> ===========
> For now, the UC1.2 fails with below exception and does not try the next key:
> {code}
> $ hdfs --loglevel DEBUG dfs
> -Dhadoop.security.credential.provider.path=jceks://hdfs/tmp/aws.jceks,jceks://hdfs/tmp/awst.jceks
> -ls s3a://av-dl-hwx-nprod-anhffpoc-enriched/hive/e_ceod/
> Not retrying because try once and fail.
> org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.AccessControlException):
> Permission denied: user=502549376, access=READ,
> inode="/tmp/aws.jceks":admin:hdfs:-rwx------
> {code}
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
