[SPARK-19739][CORE] propagate S3 session token to cluser

[uncleGen]

What changes were proposed in this pull request?

propagate S3 session token to cluser

How was this patch tested?

existing ut

[steveloughran]

LGTM. Verified option name in org.apache.hadoop.fs.s3a.Constants file; env var name in `com.amazonaws.SDKGlobalConfiguration'

[SparkQA]

Test build #73501 has finished for PR 17080 at commit 0ae5aa7.

• This patch passes all tests.
• This patch merges cleanly.
• This patch adds no public classes.

[uncleGen]

@steveloughran IMHO, there is no need to use org.apache.hadoop.fs.s3a.Constants and com.amazonaws.SDKGlobalConfiguration, otherwise we will import hadoop-aws and aws-java-sdk-core into Spark core.

I got it wrong

[steveloughran]

I agree. I was just checking the files to make sure the strings were consistent/correct, rather than trusting the documentation

[uncleGen]

@steveloughran OK, my fault, I got it wrong.

[uncleGen]

\cc @srowen

[srowen]

CC @steveloughran who might have an opinion, but if this is just a standard env property and standard S3 property, seems like it doesn't hurt.

[srowen]

Are these debug statements that useful? they don't need to be interpolated strings, FWIW.

[srowen]

You could get this value once, and then check it for null and also use its value. It would avoid duplicating the system prop name. You could also improve the similar check above.

[steveloughran]

@srowen dont worry, been tracking this: I filed the JIRA. Core code is good (i.e. property/env var names).

One thing to bear in mind, the existing code propagates the env vars even if you are submitting work to a cluster running in EC2, which will be using EC2 instance metadata as a source for its credentials. Nobody has publicly complained about that in JIRA/stack overflow, and changing the behaviour may have adverse consequences. This patch does not change that situation

[SparkQA]

Test build #73765 has finished for PR 17080 at commit d8fd8dc.

• This patch passes all tests.
• This patch merges cleanly.
• This patch adds no public classes.

[vanzin]

Looks good but I'd remove the log statements.

[vanzin]

Mind removing the logs? They don't seem particularly useful.

[uncleGen]

OK. FYI @steveloughran, maybe users can got more datailed error message from aws-sdk.

[SparkQA]

Test build #73797 has finished for PR 17080 at commit 976dc57.

• This patch passes all tests.
• This patch merges cleanly.
• This patch adds no public classes.

[uncleGen]

cc @vanzin

[srowen]

Merged to master

[steveloughran]

thanks. One thing I realised last night is that logging the session token, even at debug level, would have been a security risk. So it's very good that the log statement got cut, even at the cost of making it slightly harder to track down where credentials came from.

One thing which could be added to all the setters would be the use of Configuration.set(key, value, origin) and set the origin to be something like "Env var $varname on $hostname", so the provenance does get tracked. There's not much which is offered in terms of examining that though; hard to justify