HADOOP-16626. S3A ITestRestrictedReadAccess fails

[steveloughran]

Fix up test setup for the restricted access.
-Force load the filesystems early on
-And only add the contract resource if needed.
-Only run the guarded tests if S3Guard is on according to the build.

I had a predecessor which always used the Local store, but it was
hard to set up -you need to share across FS instances-, and you could
never guarantee that it worked the same way with DDB. That patching is
still there -it's just not needed/used for the DDB test runs

Change-Id: I79644ac264f74005775ff194d48f08fe951df0f1

[steveloughran]

Testing s3a ireland
-a full run of everything (kicking off another) with s3guard and ddb
-this test suite with s3guard off, on and local. Verifying that without s3guard, the guarded versions of the tests are not executed

[hadoop-yetus]

🎊 +1 overall

Vote	Subsystem	Runtime	Comment
0	reexec	37	Docker mode activated.
		_ Prechecks _
+1	dupname	0	No case conflicting files found.
+1	@author	0	The patch does not contain any @author tags.
+1	test4tests	0	The patch appears to include 4 new or modified test files.
		_ trunk Compile Tests _
+1	mvninstall	1239	trunk passed
+1	compile	31	trunk passed
+1	checkstyle	24	trunk passed
+1	mvnsite	37	trunk passed
+1	shadedclient	887	branch has no errors when building and testing our client artifacts.
+1	javadoc	25	trunk passed
0	spotbugs	61	Used deprecated FindBugs config; considering switching to SpotBugs.
+1	findbugs	60	trunk passed
		_ Patch Compile Tests _
+1	mvninstall	32	the patch passed
+1	compile	28	the patch passed
+1	javac	28	the patch passed
-0	checkstyle	21	hadoop-tools/hadoop-aws: The patch generated 4 new + 7 unchanged - 0 fixed = 11 total (was 7)
+1	mvnsite	33	the patch passed
+1	whitespace	0	The patch has no whitespace issues.
+1	shadedclient	870	patch has no errors when building and testing our client artifacts.
+1	javadoc	23	the patch passed
+1	findbugs	62	the patch passed
		_ Other Tests _
+1	unit	84	hadoop-aws in the patch passed.
+1	asflicense	29	The patch does not generate ASF License warnings.
		3623

Subsystem	Report/Notes
Docker	Client=19.03.1 Server=19.03.1 base: https://builds.apache.org/job/hadoop-multibranch/job/PR-1587/1/artifact/out/Dockerfile
GITHUB PR	#1587
Optional Tests	dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle
uname	Linux 2224c2edde8d 4.15.0-60-generic #67-Ubuntu SMP Thu Aug 22 16:55:30 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	personality/hadoop.sh
git revision	trunk / 51eaeca
Default Java	1.8.0_222
checkstyle	https://builds.apache.org/job/hadoop-multibranch/job/PR-1587/1/artifact/out/diff-checkstyle-hadoop-tools_hadoop-aws.txt
Test Results	https://builds.apache.org/job/hadoop-multibranch/job/PR-1587/1/testReport/
Max. process+thread count	306 (vs. ulimit of 5500)
modules	C: hadoop-tools/hadoop-aws U: hadoop-tools/hadoop-aws
Console output	https://builds.apache.org/job/hadoop-multibranch/job/PR-1587/1/console
versions	git=2.7.4 maven=3.3.9 findbugs=3.1.0-RC1
Powered by	Apache Yetus 0.10.0 http://yetus.apache.org

This message was automatically generated.

[hadoop-yetus]

🎊 +1 overall

Vote	Subsystem	Runtime	Comment
0	reexec	37	Docker mode activated.
		_ Prechecks _
+1	dupname	0	No case conflicting files found.
+1	@author	0	The patch does not contain any @author tags.
+1	test4tests	0	The patch appears to include 4 new or modified test files.
		_ trunk Compile Tests _
+1	mvninstall	1085	trunk passed
+1	compile	36	trunk passed
+1	checkstyle	26	trunk passed
+1	mvnsite	42	trunk passed
+1	shadedclient	869	branch has no errors when building and testing our client artifacts.
+1	javadoc	29	trunk passed
0	spotbugs	61	Used deprecated FindBugs config; considering switching to SpotBugs.
+1	findbugs	59	trunk passed
		_ Patch Compile Tests _
+1	mvninstall	33	the patch passed
+1	compile	28	the patch passed
+1	javac	28	the patch passed
-0	checkstyle	20	hadoop-tools/hadoop-aws: The patch generated 1 new + 7 unchanged - 0 fixed = 8 total (was 7)
+1	mvnsite	33	the patch passed
+1	whitespace	0	The patch has no whitespace issues.
+1	shadedclient	778	patch has no errors when building and testing our client artifacts.
+1	javadoc	26	the patch passed
+1	findbugs	62	the patch passed
		_ Other Tests _
+1	unit	84	hadoop-aws in the patch passed.
+1	asflicense	34	The patch does not generate ASF License warnings.
		3384

Subsystem	Report/Notes
Docker	Client=19.03.1 Server=19.03.1 base: https://builds.apache.org/job/hadoop-multibranch/job/PR-1587/3/artifact/out/Dockerfile
GITHUB PR	#1587
Optional Tests	dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle
uname	Linux b6e136f4d19e 4.15.0-60-generic #67-Ubuntu SMP Thu Aug 22 16:55:30 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	personality/hadoop.sh
git revision	trunk / 51eaeca
Default Java	1.8.0_222
checkstyle	https://builds.apache.org/job/hadoop-multibranch/job/PR-1587/3/artifact/out/diff-checkstyle-hadoop-tools_hadoop-aws.txt
Test Results	https://builds.apache.org/job/hadoop-multibranch/job/PR-1587/3/testReport/
Max. process+thread count	401 (vs. ulimit of 5500)
modules	C: hadoop-tools/hadoop-aws U: hadoop-tools/hadoop-aws
Console output	https://builds.apache.org/job/hadoop-multibranch/job/PR-1587/3/console
versions	git=2.7.4 maven=3.3.9 findbugs=3.1.0-RC1
Powered by	Apache Yetus 0.10.0 http://yetus.apache.org

This message was automatically generated.

[hadoop-yetus]

🎊 +1 overall

Vote	Subsystem	Runtime	Comment
0	reexec	77	Docker mode activated.
		_ Prechecks _
+1	dupname	1	No case conflicting files found.
+1	@author	0	The patch does not contain any @author tags.
+1	test4tests	0	The patch appears to include 4 new or modified test files.
		_ trunk Compile Tests _
+1	mvninstall	1287	trunk passed
+1	compile	33	trunk passed
+1	checkstyle	24	trunk passed
+1	mvnsite	38	trunk passed
+1	shadedclient	851	branch has no errors when building and testing our client artifacts.
+1	javadoc	25	trunk passed
0	spotbugs	59	Used deprecated FindBugs config; considering switching to SpotBugs.
+1	findbugs	58	trunk passed
		_ Patch Compile Tests _
+1	mvninstall	34	the patch passed
+1	compile	27	the patch passed
+1	javac	27	the patch passed
-0	checkstyle	19	hadoop-tools/hadoop-aws: The patch generated 1 new + 7 unchanged - 0 fixed = 8 total (was 7)
+1	mvnsite	32	the patch passed
+1	whitespace	0	The patch has no whitespace issues.
+1	shadedclient	867	patch has no errors when building and testing our client artifacts.
+1	javadoc	22	the patch passed
+1	findbugs	61	the patch passed
		_ Other Tests _
+1	unit	67	hadoop-aws in the patch passed.
+1	asflicense	29	The patch does not generate ASF License warnings.
		3645

Subsystem	Report/Notes
Docker	Client=19.03.2 Server=19.03.2 base: https://builds.apache.org/job/hadoop-multibranch/job/PR-1587/2/artifact/out/Dockerfile
GITHUB PR	#1587
Optional Tests	dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle
uname	Linux 1e837cfaecd3 4.15.0-60-generic #67-Ubuntu SMP Thu Aug 22 16:55:30 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	personality/hadoop.sh
git revision	trunk / 51eaeca
Default Java	1.8.0_222
checkstyle	https://builds.apache.org/job/hadoop-multibranch/job/PR-1587/2/artifact/out/diff-checkstyle-hadoop-tools_hadoop-aws.txt
Test Results	https://builds.apache.org/job/hadoop-multibranch/job/PR-1587/2/testReport/
Max. process+thread count	356 (vs. ulimit of 5500)
modules	C: hadoop-tools/hadoop-aws U: hadoop-tools/hadoop-aws
Console output	https://builds.apache.org/job/hadoop-multibranch/job/PR-1587/2/console
versions	git=2.7.4 maven=3.3.9 findbugs=3.1.0-RC1
Powered by	Apache Yetus 0.10.0 http://yetus.apache.org

This message was automatically generated.

[sidseth]

Looks good to me mostly, without fully understanding the problem which caused this (the resource loading bit unsetting configs, but what was being unset).

1. Cannot comment on the changes in S3AContract from a design POV - don't really know exactly what this intends to. If you think this fits with the design requirements - great.
2. Tests still fail with -Ds3guard (They pass with -Ds3guard -Dauth -Ddynamo)

[ERROR] testNoReadAccess[auth](org.apache.hadoop.fs.s3a.auth.ITestRestrictedReadAccess)  Time elapsed: 1.363 s  <<< ERROR!
java.nio.file.AccessDeniedException: test/testNoReadAccess-auth/noReadDir/emptyDir/: getFileStatus on test/testNoReadAccess-auth/noReadDir/emptyDir/: com.amazonaws.services.s3.model.AmazonS3Exception: Forbidden (Service: Amazon S3; Status Code: 403; Error Code: 403 Forbidden; Req
uest ID: A2C756FA3DFE842A; S3 Extended Request ID: 0uDlBPTbAhnsw672prqrbd2qpyjIK7zKd6nZ0OGA1A8GX0xSs2DGemc1P4j737YGITJChOUi7HI=), S3 Extended Request ID: 0uDlBPTbAhnsw672prqrbd2qpyjIK7zKd6nZ0OGA1A8GX0xSs2DGemc1P4j737YGITJChOUi7HI=:403 Forbidden
        at org.apache.hadoop.fs.s3a.S3AUtils.translateException(S3AUtils.java:244)
        at org.apache.hadoop.fs.s3a.S3AFileSystem.s3GetFileStatus(S3AFileSystem.java:2777)
        at org.apache.hadoop.fs.s3a.S3AFileSystem.innerGetFileStatus(S3AFileSystem.java:2705)
        at org.apache.hadoop.fs.s3a.S3AFileSystem.getFileStatus(S3AFileSystem.java:2589)
        at org.apache.hadoop.fs.s3a.S3AFileSystem.innerListStatus(S3AFileSystem.java:2377)
        at org.apache.hadoop.fs.s3a.S3AFileSystem.lambda$listStatus$10(S3AFileSystem.java:2356)
        at org.apache.hadoop.fs.s3a.Invoker.once(Invoker.java:110)
        at org.apache.hadoop.fs.s3a.S3AFileSystem.listStatus(S3AFileSystem.java:2356)
        at org.apache.hadoop.fs.s3a.auth.ITestRestrictedReadAccess.lambda$checkBasicFileOperations$3(ITestRestrictedReadAccess.java:403)
        at org.apache.hadoop.fs.s3a.auth.ITestRestrictedReadAccess.accessDeniedIf(ITestRestrictedReadAccess.java:689)
        at org.apache.hadoop.fs.s3a.auth.ITestRestrictedReadAccess.checkBasicFileOperations(ITestRestrictedReadAccess.java:402)
        at org.apache.hadoop.fs.s3a.auth.ITestRestrictedReadAccess.testNoReadAccess(ITestRestrictedReadAccess.java:302)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
        at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
        at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
        at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
        at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
        at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
        at org.junit.rules.TestWatcher$1.evaluate(TestWatcher.java:55)
        at org.junit.internal.runners.statements.FailOnTimeout$CallableStatement.call(FailOnTimeout.java:298)
        at org.junit.internal.runners.statements.FailOnTimeout$CallableStatement.call(FailOnTimeout.java:292)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.lang.Thread.run(Thread.java:748)
Caused by: com.amazonaws.services.s3.model.AmazonS3Exception: Forbidden (Service: Amazon S3; Status Code: 403; Error Code: 403 Forbidden; Request ID: A2C756FA3DFE842A; S3 Extended Request ID: 0uDlBPTbAhnsw672prqrbd2qpyjIK7zKd6nZ0OGA1A8GX0xSs2DGemc1P4j737YGITJChOUi7HI=), S3 Extended Request ID: 0uDlBPTbAhnsw672prqrbd2qpyjIK7zKd6nZ0OGA1A8GX0xSs2DGemc1P4j737YGITJChOUi7HI=
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1712)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1367)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1113)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:770)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:744)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:726)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:686)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:668)
        at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:532)
        at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:512)
        at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:4920)
        at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:4866)
        at com.amazonaws.services.s3.AmazonS3Client.getObjectMetadata(AmazonS3Client.java:1320)
        at org.apache.hadoop.fs.s3a.S3AFileSystem.lambda$getObjectMetadata$5(S3AFileSystem.java:1682)
        at org.apache.hadoop.fs.s3a.Invoker.retryUntranslated(Invoker.java:407)
        at org.apache.hadoop.fs.s3a.Invoker.retryUntranslated(Invoker.java:370)
        at org.apache.hadoop.fs.s3a.S3AFileSystem.getObjectMetadata(S3AFileSystem.java:1675)
        at org.apache.hadoop.fs.s3a.S3AFileSystem.getObjectMetadata(S3AFileSystem.java:1651)
        at org.apache.hadoop.fs.s3a.S3AFileSystem.s3GetFileStatus(S3AFileSystem.java:2758)
        ... 25 more

[INFO]
[INFO] Results:
[INFO]
[ERROR] Errors:
[ERROR]   ITestRestrictedReadAccess.testNoReadAccess:302->checkBasicFileOperations:402->accessDeniedIf:689->lambda$checkBasicFileOperations$3:403 » AccessDenied
[ERROR]   ITestRestrictedReadAccess.testNoReadAccess:302->checkBasicFileOperations:416->accessDeniedIf:689->lambda$checkBasicFileOperations$4:417 » AccessDenied
[INFO]
[ERROR] Tests run: 3, Failures: 0, Errors: 2, Skipped: 0
[INFO]

[steveloughran]

• we are unsetting any bucket-specific choices of s3guard, so that even when people (me) have it enabled you explicitly

• the problem I've tried to fix was the discovery that Filesyste.get() triggered the load of things like HdfsConfiguration, it's adding of hdfs-default.xml &c, which then reinstated the unset options

• If any XML resource is added to any config created with default resources, all options from core-default, core-site which had been unset are reinstated*

Which of course is entirely unexpected.

Having a look at why things are failing for you, -Ds3guard -Dlocal had been fine for me.

I had problems with this when changing the test because you need to share the same local store instance across the real fs and the restricted one -otherwise the restricted one's cache is empty, so it falls back to s3 checks.

I may just change the test so that it requires s3guard + ddb set on the maven command line to run those guarded tests, and not worry about the local one at all. It's just complicating things too much and especially given the local store cannot be used in production

[steveloughran]

oh, and it does work for me: -Dit.test=ITestRestrictedReadAccess -Ds3guard

I am going to go to only running the guarded tests if -Ds3guard -Ddynamo is set

[steveloughran]

latest patch skips all the s3guard test runs if the store is local; you must be running with DDB enabled for it to work. That is runs without anything or with only -Ds3guard will only run one of the tests; the other two should be reported as skipped. To get all three -run with -dynamo

Made sure there were no DDB bindings in my auth keys files to verify that things are good

[hadoop-yetus]

🎊 +1 overall

Vote	Subsystem	Runtime	Comment
0	reexec	79	Docker mode activated.
		_ Prechecks _
+1	dupname	0	No case conflicting files found.
+1	@author	0	The patch does not contain any @author tags.
+1	test4tests	0	The patch appears to include 4 new or modified test files.
		_ trunk Compile Tests _
+1	mvninstall	1216	trunk passed
+1	compile	31	trunk passed
+1	checkstyle	23	trunk passed
+1	mvnsite	34	trunk passed
+1	shadedclient	862	branch has no errors when building and testing our client artifacts.
+1	javadoc	24	trunk passed
0	spotbugs	59	Used deprecated FindBugs config; considering switching to SpotBugs.
+1	findbugs	57	trunk passed
		_ Patch Compile Tests _
+1	mvninstall	32	the patch passed
+1	compile	25	the patch passed
+1	javac	25	the patch passed
-0	checkstyle	18	hadoop-tools/hadoop-aws: The patch generated 2 new + 8 unchanged - 0 fixed = 10 total (was 8)
+1	mvnsite	31	the patch passed
+1	whitespace	0	The patch has no whitespace issues.
+1	shadedclient	875	patch has no errors when building and testing our client artifacts.
+1	javadoc	23	the patch passed
+1	findbugs	62	the patch passed
		_ Other Tests _
+1	unit	91	hadoop-aws in the patch passed.
+1	asflicense	29	The patch does not generate ASF License warnings.
		3598

Subsystem	Report/Notes
Docker	Client=19.03.1 Server=19.03.1 base: https://builds.apache.org/job/hadoop-multibranch/job/PR-1587/5/artifact/out/Dockerfile
GITHUB PR	#1587
Optional Tests	dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle
uname	Linux 307a8c77c204 4.15.0-54-generic #58-Ubuntu SMP Mon Jun 24 10:55:24 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	personality/hadoop.sh
git revision	trunk / 10bdc59
Default Java	1.8.0_222
checkstyle	https://builds.apache.org/job/hadoop-multibranch/job/PR-1587/5/artifact/out/diff-checkstyle-hadoop-tools_hadoop-aws.txt
Test Results	https://builds.apache.org/job/hadoop-multibranch/job/PR-1587/5/testReport/
Max. process+thread count	337 (vs. ulimit of 5500)
modules	C: hadoop-tools/hadoop-aws U: hadoop-tools/hadoop-aws
Console output	https://builds.apache.org/job/hadoop-multibranch/job/PR-1587/5/console
versions	git=2.7.4 maven=3.3.9 findbugs=3.1.0-RC1
Powered by	Apache Yetus 0.10.0 http://yetus.apache.org

This message was automatically generated.

[sidseth]

LGTM. +1

[steveloughran]

thx. will merge; then rebase #1601 on top and use the same explicit disabling of the metastore to ensure test runs always validate the unguarded path there too.

[steveloughran]

merged. And I have learned some facts about Configuration that I didn't want to.

Someone should update the javadocs there...or we add the notion of tombstone markers in the config :)