[jira] [Updated] (HADOOP-18705) hadoop-azure: AzureBlobFileSystem should exclude incompatible credential providers when binding DelegationTokenManagers
[ https://issues.apache.org/jira/browse/HADOOP-18705?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Steve Loughran updated HADOOP-18705:
    Affects Version/s: 3.3.5

> hadoop-azure: AzureBlobFileSystem should exclude incompatible credential providers when binding DelegationTokenManagers
> ---
>
>                 Key: HADOOP-18705
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18705
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: fs/azure
>    Affects Versions: 3.4.0, 3.3.5
>            Reporter: Tamas Domok
>            Assignee: Tamas Domok
>            Priority: Major
>              Labels: pull-request-available
>
> The DelegationTokenManager in AzureBlobFileSystem.initialize() gets the untouched configuration which may contain a credentialProviderPath config with incompatible credential providers (e.g.: jceks stored on abfs). This results in an error:
> {quote}
> Caused by: org.apache.hadoop.fs.PathIOException: `jceks://abfs@a@b.c.d/tmp/a.jceks': Recursive load of credential provider; if loading a JCEKS file, this means that the filesystem connector is trying to load the same file
> {quote}
> {code}
> this.delegationTokenManager = abfsConfiguration.getDelegationTokenManager();
> delegationTokenManager.bind(getUri(), configuration);
> {code}
> The abfsConfiguration excludes the incompatible credential providers already.
> Reproduction steps:
> {code}
> export HADOOP_ROOT_LOGGER=DEBUG,console
> hdfs dfs -rm -r -skipTrash /user/qa/sort_input; hadoop jar hadoop-mapreduce-examples.jar randomwriter "-Dmapreduce.randomwriter.totalbytes=100" "-Dhadoop.security.credential.provider.path=jceks://abfs@a@b.c.d/tmp/a.jceks" /user/qa/sort_input
> {code}
> Error:
> {code}
> ...
> org.apache.hadoop.fs.azurebfs.security.AbfsDelegationTokenManager.bind(AbfsDelegationTokenManager.java:96)
>     at org.apache.hadoop.fs.azurebfs.AzureBlobFileSystem.initialize(AzureBlobFileSystem.java:224)
>     at org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:3452)
>     at org.apache.hadoop.fs.FileSystem.access$300(FileSystem.java:162)
>     at org.apache.hadoop.fs.FileSystem$Cache.getInternal(FileSystem.java:3557)
>     at org.apache.hadoop.fs.FileSystem$Cache.get(FileSystem.java:3504)
>     at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:522)
>     at org.apache.hadoop.fs.Path.getFileSystem(Path.java:361)
>     at org.apache.hadoop.security.alias.KeyStoreProvider.initFileSystem(KeyStoreProvider.java:84)
>     at org.apache.hadoop.security.alias.AbstractJavaKeyStoreProvider.<init>(AbstractJavaKeyStoreProvider.java:85)
>     at org.apache.hadoop.security.alias.KeyStoreProvider.<init>(KeyStoreProvider.java:49)
>     at org.apache.hadoop.security.alias.JavaKeyStoreProvider.<init>(JavaKeyStoreProvider.java:42)
>     at org.apache.hadoop.security.alias.JavaKeyStoreProvider.<init>(JavaKeyStoreProvider.java:35)
>     at org.apache.hadoop.security.alias.JavaKeyStoreProvider$Factory.createProvider(JavaKeyStoreProvider.java:68)
>     at org.apache.hadoop.security.alias.CredentialProviderFactory.getProviders(CredentialProviderFactory.java:91)
>     at org.apache.hadoop.conf.Configuration.getPasswordFromCredentialProviders(Configuration.java:2450)
>     at org.apache.hadoop.conf.Configuration.getPassword(Configuration.java:2388)
>     at org.apache.knox.gateway.cloud.idbroker.abfs.AbfsIDBClient.getTruststorePassword(AbfsIDBClient.java:104)
>     at org.apache.knox.gateway.cloud.idbroker.AbstractIDBClient.initializeAsFullIDBClient(AbstractIDBClient.java:860)
>     at org.apache.knox.gateway.cloud.idbroker.AbstractIDBClient.<init>(AbstractIDBClient.java:139)
>     at org.apache.knox.gateway.cloud.idbroker.abfs.AbfsIDBClient.<init>(AbfsIDBClient.java:74)
>     at org.apache.knox.gateway.cloud.idbroker.abfs.AbfsIDBIntegration.getClient(AbfsIDBIntegration.java:287)
>     at org.apache.knox.gateway.cloud.idbroker.abfs.AbfsIDBIntegration.serviceStart(AbfsIDBIntegration.java:240)
>     at org.apache.hadoop.service.AbstractService.start(AbstractService.java:194)
>     at org.apache.knox.gateway.cloud.idbroker.abfs.AbfsIDBIntegration.fromDelegationTokenManager(AbfsIDBIntegration.java:205)
>     at org.apache.knox.gateway.cloud.idbroker.abfs.AbfsIDBDelegationTokenManager.bind(AbfsIDBDelegationTokenManager.java:66)
>     at org.apache.hadoop.fs.azurebfs.extensions.ExtensionHelper.bind(ExtensionHelper.java:54)
>     at org.apache.hadoop.fs.azurebfs.security.AbfsDelegationTokenManager.bind(AbfsDelegationTokenManager.java:96)
>     at org.apache.hadoop.fs.azurebfs.AzureBlobFileSystem.initialize(AzureBlobFileSystem.java:224)
>     at org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:3452)
>     at
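
Added example, not part of the JIRA issue or of the Hadoop code base: a simplified Python model of the filtering the report asks for, where providers whose keystore lives on the filesystem being initialised are dropped before the configuration is handed to the delegation token manager. The function names and the `file` and `user` provider entries are constructed for illustration; only the `jceks://abfs@a@b.c.d/tmp/a.jceks` entry comes from the report.

```python
"""Simplified model (not Hadoop code) of filtering a credential provider path."""
from urllib.parse import urlsplit

KEY = "hadoop.security.credential.provider.path"
ABFS_SCHEMES = frozenset({"abfs", "abfss"})

# Constructed sample: the provider from the report plus two made-up entries.
SAMPLE_CONF = {
    KEY: "jceks://abfs@a@b.c.d/tmp/a.jceks,jceks://file/tmp/local.jceks,user:///",
    "mapreduce.randomwriter.totalbytes": "100",
}


def unnest(provider_uri):
    """Return (scheme, uri) of the filesystem that backs a keystore provider.

    The backing scheme is the part of the authority before the first '@';
    providers with no authority (user:///) have no backing filesystem.
    """
    parts = urlsplit(provider_uri.strip())
    if not parts.netloc:
        return None, None
    scheme, _, authority = parts.netloc.partition("@")
    return scheme.lower(), f"{scheme}://{authority}{parts.path}"


def split_providers(provider_path, fs_schemes=ABFS_SCHEMES):
    """Split a comma-separated provider path into (kept, excluded) lists."""
    kept, excluded = [], []
    for provider in (p.strip() for p in provider_path.split(",")):
        if not provider:
            continue
        scheme, _ = unnest(provider)
        # A keystore stored on the filesystem being initialised would make
        # that filesystem load itself again: the recursion in the trace.
        (excluded if scheme in fs_schemes else kept).append(provider)
    return kept, excluded


def config_for_bind(conf, fs_schemes=ABFS_SCHEMES):
    """Copy of conf that is safe to hand to code run during filesystem init."""
    kept, excluded = split_providers(conf.get(KEY, ""), fs_schemes)
    filtered = dict(conf)
    if kept:
        filtered[KEY] = ",".join(kept)
    else:
        filtered.pop(KEY, None)  # nothing usable left: drop the setting
    return filtered, excluded


if __name__ == "__main__":
    filtered, excluded = config_for_bind(SAMPLE_CONF)
    print("excluded:", excluded)
    print("bind with:", filtered[KEY])
```

The same split can be run as a pre-flight check over a job's `-D` options to flag a provider path that points back at the store being accessed.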
[jira] [Updated] (HADOOP-18705) hadoop-azure: AzureBlobFileSystem should exclude incompatible credential providers when binding DelegationTokenManagers
[ https://issues.apache.org/jira/browse/HADOOP-18705?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Steve Loughran updated HADOOP-18705:
    Component/s: fs/azure
                 (was: tools)

> hadoop-azure: AzureBlobFileSystem should exclude incompatible credential providers when binding DelegationTokenManagers
> ---
>
>                 Key: HADOOP-18705
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18705
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: fs/azure
>    Affects Versions: 3.4.0
>            Reporter: Tamas Domok
>            Assignee: Tamas Domok
>            Priority: Major
>              Labels: pull-request-available
>
> The DelegationTokenManager in AzureBlobFileSystem.initialize() gets the untouched configuration which may contain a credentialProviderPath config with incompatible credential providers (e.g.: jceks stored on abfs). This results in an error:
> {quote}
> Caused by: org.apache.hadoop.fs.PathIOException: `jceks://abfs@a@b.c.d/tmp/a.jceks': Recursive load of credential provider; if loading a JCEKS file, this means that the filesystem connector is trying to load the same file
> {quote}
> {code}
> this.delegationTokenManager = abfsConfiguration.getDelegationTokenManager();
> delegationTokenManager.bind(getUri(), configuration);
> {code}
> The abfsConfiguration excludes the incompatible credential providers already.
> Reproduction steps:
> {code}
> export HADOOP_ROOT_LOGGER=DEBUG,console
> hdfs dfs -rm -r -skipTrash /user/qa/sort_input; hadoop jar hadoop-mapreduce-examples.jar randomwriter "-Dmapreduce.randomwriter.totalbytes=100" "-Dhadoop.security.credential.provider.path=jceks://abfs@a@b.c.d/tmp/a.jceks" /user/qa/sort_input
> {code}
> Error:
> {code}
> ...
[jira] [Updated] (HADOOP-18705) hadoop-azure: AzureBlobFileSystem should exclude incompatible credential providers when binding DelegationTokenManagers
[ https://issues.apache.org/jira/browse/HADOOP-18705?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

ASF GitHub Bot updated HADOOP-18705:
    Labels: pull-request-available
            (was: )

> hadoop-azure: AzureBlobFileSystem should exclude incompatible credential providers when binding DelegationTokenManagers
> ---
>
>                 Key: HADOOP-18705
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18705
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: tools
>    Affects Versions: 3.4.0
>            Reporter: Tamas Domok
>            Priority: Major
>              Labels: pull-request-available
>
> The DelegationTokenManager in AzureBlobFileSystem.initialize() gets the untouched configuration which may contain a credentialProviderPath config with incompatible credential providers (e.g.: jceks stored on abfs). This results in an error:
> {quote}
> Caused by: org.apache.hadoop.fs.PathIOException: `jceks://abfs@a@b.c.d/tmp/a.jceks': Recursive load of credential provider; if loading a JCEKS file, this means that the filesystem connector is trying to load the same file
> {quote}
> {code}
> this.delegationTokenManager = abfsConfiguration.getDelegationTokenManager();
> delegationTokenManager.bind(getUri(), configuration);
> {code}
> The abfsConfiguration excludes the incompatible credential providers already.
> Reproduction steps:
> {code}
> export HADOOP_ROOT_LOGGER=DEBUG,console
> hdfs dfs -rm -r -skipTrash /user/qa/sort_input; hadoop jar hadoop-mapreduce-examples.jar randomwriter "-Dmapreduce.randomwriter.totalbytes=100" "-Dhadoop.security.credential.provider.path=jceks://abfs@a@b.c.d/tmp/a.jceks" /user/qa/sort_input
> {code}
> Error:
> {code}
> ...