[ https://issues.apache.org/jira/browse/HADOOP-14821?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16152716#comment-16152716 ]
Steve Loughran commented on HADOOP-14821: ----------------------------------------- Aaron. that looks like an HDP version; fixed the numbers for you This is an interesting policy to think about. # it's clearly an error if you specify a credential provider and your credentials can't be loaded from it # Is it an error if one of the providers fails & they are found elsewhere? As this JIRA says "postpone the failure until the end" # But what about the case: provider load fails and there is some password in the hadoop-config file. Should that fall back too? + [~lmc...@apache.org] for his opinion > Executing the command 'hdfs > -Dhadoop.security.credential.provider.path=file1.jceks,file2.jceks' fails if > permission is denied to some files > ------------------------------------------------------------------------------------------------------------------------------------------- > > Key: HADOOP-14821 > URL: https://issues.apache.org/jira/browse/HADOOP-14821 > Project: Hadoop Common > Issue Type: Improvement > Components: fs/s3, hdfs-client, security > Affects Versions: 2.8.0 > Reporter: Ernani Pereira de Mattos Junior > Priority: Critical > Labels: features > > ======= > Request Use Case: > UC1: > The customer has the path to a directory and subdirectories full of keys. The > customer knows that he does not have the access to all the keys, but ignoring > this problem, the customer makes a list of the keys. > UC1.2: > The customer in a FIFO manner, try his access to the key provided on the > list. If the access is granted locally then he can try the login on the s3a. > UC1.2: > The customer in a FIFO manner, try his access to the key provided on the > list. If the access is not granted locally then he will skip the login on the > s3a and try the next key on the list. > =========== > For now, the UC1.2 fails with below exception and does not try the next key: > {code} > $ hdfs --loglevel DEBUG dfs > -Dhadoop.security.credential.provider.path=jceks://hdfs/tmp/aws.jceks,jceks://hdfs/tmp/awst.jceks > -ls s3a://av-dl-hwx-nprod-anhffpoc-enriched/hive/e_ceod/ > Not retrying because try once and fail. > org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.AccessControlException): > Permission denied: user=502549376, access=READ, > inode="/tmp/aws.jceks":admin:hdfs:-rwx------ > {code} -- This message was sent by Atlassian JIRA (v6.4.14#64029) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org