[jira] [Commented] (HADOOP-19066) AWS SDK V2 - Enabling FIPS should be allowed with central endpoint

[ASF GitHub Bot (Jira)]

    [ 
https://issues.apache.org/jira/browse/HADOOP-19066?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17825832#comment-17825832
 ] 

ASF GitHub Bot commented on HADOOP-19066:
-----------------------------------------

virajjasani commented on PR #6539:
URL: https://github.com/apache/hadoop/pull/6539#issuecomment-1992594998

   Issue seems with FIPS cases.
   
   FIPS enabled and
   
   1. bucket created on oregon, s3 client configured with `us-east-2` region 
with cross-region access enabled and no endpoint override: things look good
   2. bucket created on london, s3 client configured with `us-east-2` region 
with cross-region access enabled and no endpoint override: fails with
   ```
   Caused by: software.amazon.awssdk.core.exception.SdkClientException: 
Received an UnknownHostException when attempting to interact with a service. 
See cause for the exact endpoint that is failing to resolve. If this is 
happening on an endpoint that previously worked, there may be a network 
connectivity issue or your DNS cache could be storing endpoints for too long.
   ```
   3. bucket created on paris, s3 client configured with `us-east-2` region 
with cross-region access enabled and no endpoint override: fails with
   ```
   Caused by: software.amazon.awssdk.core.exception.SdkClientException: 
Received an UnknownHostException when attempting to interact with a service. 
See cause for the exact endpoint that is failing to resolve. If this is 
happening on an endpoint that previously worked, there may be a network 
connectivity issue or your DNS cache could be storing endpoints for too long.
   ```
   
   will create an SDK issue soon.




> AWS SDK V2 - Enabling FIPS should be allowed with central endpoint
> ------------------------------------------------------------------
>
>                 Key: HADOOP-19066
>                 URL: https://issues.apache.org/jira/browse/HADOOP-19066
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/s3
>    Affects Versions: 3.5.0, 3.4.1
>            Reporter: Viraj Jasani
>            Assignee: Viraj Jasani
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.5.0
>
>
> FIPS support can be enabled by setting "fs.s3a.endpoint.fips". Since the SDK 
> considers overriding endpoint and enabling fips as mutually exclusive, we 
> fail fast if fs.s3a.endpoint is set with fips support (details on 
> HADOOP-18975).
> Now, we no longer override SDK endpoint for central endpoint since we enable 
> cross region access (details on HADOOP-19044) but we would still fail fast if 
> endpoint is central and fips is enabled.
> Changes proposed:
>  * S3A to fail fast only if FIPS is enabled and non-central endpoint is 
> configured.
>  * Tests to ensure S3 bucket is accessible with default region us-east-2 with 
> cross region access (expected with central endpoint).
>  * Document FIPS support with central endpoint on connecting.html.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org