[jira] [Commented] (HADOOP-16653) S3Guard DDB overreacts to no tag access

2019-10-28 Thread Hudson (Jira) 


[ 
https://issues.apache.org/jira/browse/HADOOP-16653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16960914#comment-16960914
 ] 

Hudson commented on HADOOP-16653:
-

SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #17577 (See 
[https://builds.apache.org/job/Hadoop-trunk-Commit/17577/])
HADOOP-16653. S3Guard DDB overreacts to no tag access (#1660). (github: rev 
d5e9971e6d98b50de64acbf46154f82208919930)
* (edit) 
hadoop-tools/hadoop-aws/src/test/java/org/apache/hadoop/fs/s3a/auth/ITestAssumeRole.java
* (edit) 
hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/s3guard/DynamoDBMetadataStoreTableManager.java
* (edit) hadoop-tools/hadoop-aws/src/site/markdown/tools/hadoop-aws/s3guard.md


> S3Guard DDB overreacts to no tag access
> ---
>
> Key: HADOOP-16653
> URL: https://issues.apache.org/jira/browse/HADOOP-16653
> Project: Hadoop Common
>  Issue Type: Sub-task
>  Components: fs/s3
>Affects Versions: 3.3.0
>Reporter: Steve Loughran
>Assignee: Gabor Bota
>Priority: Minor
>
> if you don't have permissions to read or write DDB tags it logs a lot every 
> time you bring up a guarded FS
> # we shouldn't worry so much about no tag access if version is there
> # if you can't read the tag, no point trying to write



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-16653) S3Guard DDB overreacts to no tag access

2019-10-28 Thread Gabor Bota (Jira) 


[ 
https://issues.apache.org/jira/browse/HADOOP-16653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16960909#comment-16960909
 ] 

Gabor Bota commented on HADOOP-16653:
-

+1 on PR#1660 from [~ste...@apache.org]. Committing.

> S3Guard DDB overreacts to no tag access
> ---
>
> Key: HADOOP-16653
> URL: https://issues.apache.org/jira/browse/HADOOP-16653
> Project: Hadoop Common
>  Issue Type: Sub-task
>  Components: fs/s3
>Affects Versions: 3.3.0
>Reporter: Steve Loughran
>Assignee: Gabor Bota
>Priority: Minor
>
> if you don't have permissions to read or write DDB tags it logs a lot every 
> time you bring up a guarded FS
> # we shouldn't worry so much about no tag access if version is there
> # if you can't read the tag, no point trying to write



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-16653) S3Guard DDB overreacts to no tag access

2019-10-14 Thread Gabor Bota (Jira) 


[ 
https://issues.apache.org/jira/browse/HADOOP-16653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16951043#comment-16951043
 ] 

Gabor Bota commented on HADOOP-16653:
-

It was cleary in the docs, so I'll update that as well: 
{{s3guard.md}}:

{noformat}
*Note*: If the user does not have sufficient rights to tag the table, 
but it can read the tags the initialization of S3Guard will not fail, 
but there will be no version marker tag on the dynamo table and the following 
message will be logged on WARN level:
```
Exception during tagging table: {AmazonDynamoDBException exception message}
```
{noformat}

> S3Guard DDB overreacts to no tag access
> ---
>
> Key: HADOOP-16653
> URL: https://issues.apache.org/jira/browse/HADOOP-16653
> Project: Hadoop Common
>  Issue Type: Sub-task
>  Components: fs/s3
>Affects Versions: 3.3.0
>Reporter: Steve Loughran
>Assignee: Gabor Bota
>Priority: Minor
>
> if you don't have permissions to read or write DDB tags it logs a lot every 
> time you bring up a guarded FS
> # we shouldn't worry so much about no tag access if version is there
> # if you can't read the tag, no point trying to write



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-16653) S3Guard DDB overreacts to no tag access

2019-10-14 Thread Steve Loughran (Jira) 


[ 
https://issues.apache.org/jira/browse/HADOOP-16653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16950899#comment-16950899
 ] 

Steve Loughran commented on HADOOP-16653:
-

Certainly on read access denied, I'd like to see : silence and no attempt to 
update.

What about the sequence: read tag, tag, notfound, attempt write? Let's make 
that an info not a warning. Warnings create support calls

> S3Guard DDB overreacts to no tag access
> ---
>
> Key: HADOOP-16653
> URL: https://issues.apache.org/jira/browse/HADOOP-16653
> Project: Hadoop Common
>  Issue Type: Sub-task
>  Components: fs/s3
>Affects Versions: 3.3.0
>Reporter: Steve Loughran
>Assignee: Gabor Bota
>Priority: Minor
>
> if you don't have permissions to read or write DDB tags it logs a lot every 
> time you bring up a guarded FS
> # we shouldn't worry so much about no tag access if version is there
> # if you can't read the tag, no point trying to write



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-16653) S3Guard DDB overreacts to no tag access

2019-10-14 Thread Steve Loughran (Jira) 


[ 
https://issues.apache.org/jira/browse/HADOOP-16653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16950897#comment-16950897
 ] 

Steve Loughran commented on HADOOP-16653:
-

Log

{code}
2019-10-14 11:22:44,587 [JUnit-testRestrictDDBTagAccess] WARN  
s3guard.DynamoDBMetadataStoreTableManager 
(DynamoDBMetadataStoreTableManager.java:getVersionMarkerFromTags(255)) - 
Exception while getting tags from the dynamo table: User: 
arn:aws:sts::980678866538:assumed-role/stevel-s3guard/test is not authorized to 
perform: dynamodb:ListTagsOfResource on resource: 
arn:aws:dynamodb:eu-west-1:980678866538:table/hwdev-steve-ireland-new (Service: 
AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException; Request 
ID: P9V270FPO034B5E55QLRCJK8UVVV4KQNSO5AEMVJF66Q9ASUAAJG)
2019-10-14 11:22:44,587 [JUnit-testRestrictDDBTagAccess] INFO  
s3guard.DynamoDBMetadataStoreTableManager 
(DynamoDBMetadataStoreTableManager.java:verifyVersionCompatibility(417)) - 
Table hwdev-steve-ireland-new contains no version marker TAG but contains 
compatible version marker ITEM. Restoring the version marker item from item.
2019-10-14 11:22:44,622 [JUnit-testRestrictDDBTagAccess] WARN  
s3guard.DynamoDBMetadataStoreTableManager 
(DynamoDBMetadataStoreTableManager.java:tagTableWithVersionMarker(238)) - 
Exception during tagging table: User: 
arn:aws:sts::980678866538:assumed-role/stevel-s3guard/test is not authorized to 
perform: dynamodb:TagResource on resource: 
arn:aws:dynamodb:eu-west-1:980678866538:table/hwdev-steve-ireland-new (Service: 
AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException; Request 
ID: 
{code}

> S3Guard DDB overreacts to no tag access
> ---
>
> Key: HADOOP-16653
> URL: https://issues.apache.org/jira/browse/HADOOP-16653
> Project: Hadoop Common
>  Issue Type: Sub-task
>  Components: fs/s3
>Affects Versions: 3.3.0
>Reporter: Steve Loughran
>Assignee: Gabor Bota
>Priority: Minor
>
> if you don't have permissions to read or write DDB tags it logs a lot every 
> time you bring up a guarded FS
> # we shouldn't worry so much about no tag access if version is there
> # if you can't read the tag, no point trying to write



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org