Try anon=True if no credentials are supplied or found

[BENR0]

This PR tries to use anon=True if no credentials are supplied or found in config files

The print statement should probably be changed to a warning also help with the tests would be appreciated.

• Closes ENH: Eliminate the need for anon=True when you might be opening a public bucket & object. #675
• Tests added
• Fully documented

[martindurant]

Actually, it looks simpler that I has feared.

You should be able to make a test by monkeypatch on ProfileProviderBuilder.load_credentials() to make sure anon gets selected.

[martindurant]

Other exceptions might be possible, such as credentials that exist but have expired. I'll test this later (since our corp account has expiring tokens).
Is s3._client_config.signature_version == botocore.UNSIGNED guaranteed to be the same as self.anon ?

[BENR0]

Were you able to test this?

I am not sure if anon is guaranteed to be the same as botocore.UNSIGNED but as far as I could see it seems like it. It would be nice though if somebody with more experience with botocore can confirm this.

[martindurant]

I am suggesting

Suggested change

	if isinstance(err, PermissionError) and s3._client_config.signature_version == botocore.UNSIGNED:
	if isinstance(err, PermissionError) and self.anon:

[martindurant]

Is there a reason to set these values? They will never get used again.

[BENR0]

I added this because the values are used a couple of lines below in the init_kwargs dict. I think it should also work without because somewhere down the line it should be tried to load the credentials from configs like I did above with the credential_resolver but my reasoning was that credentials get loaded from configs here they can directly be supplied and don't need to be checked again later with the credentials resolver.

[martindurant]

Oh wait, but what if the user supplied key/secret/token as kwargs, didn't they get lost here? The kwargs passed to Session above don't include these.

[martindurant]

Actually, is anon=True and there really are no creds, we get to this path too, and

AttributeError: 'NoneType' object has no attribute 'access_key'

[martindurant]

I'm going to look into this...

[martindurant]

Oh wait, but what if the user supplied key/secret/token as kwargs, didn't they get lost here? The kwargs passed to Session above don't include these.

[martindurant]

Actually, is anon=True and there really are no creds, we get to this path too, and

AttributeError: 'NoneType' object has no attribute 'access_key'

[martindurant]

I ended up only doing the lookup when we are certain the user has no creds of their own. How does this look?

[BENR0]

Yes I think that should work. Nice refactor of the PermissionError :-).

So only unittests missing now right?

[bsipocz]

I was so happy to see this feature, but then saw that it got reverted. So just leave this message, that we run into this same problem, too. (But I expect most of the anon=True cases can be hidden away in the client library rather than telling our users to directly work with the parquet files)

[martindurant]

I'm sorry: unfortunately, it led to far more problems than it solved. I'd be happy to see a more solid implementation, if some wants to try.

[BENR0]

@bsipocz I still really would like this also. I am willing to work on this again but I think it seems like I might not have enough knowledge to foresee possible problems as was apparent. I someone is willing to step in and point me in the right direction it would be appreciated. I think the solution itself is not really bad but needs some more refinement.