hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hadoop QA (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-11038) Support AWS roles to talk to AWS-S3 largely for cross-AWS-account integration
Date Mon, 01 Sep 2014 07:33:22 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-11038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14117126#comment-14117126

Hadoop QA commented on HADOOP-11038:

{color:red}-1 overall{color}.  Here are the results of testing the latest attachment 
  against trunk revision 258c7d0.

    {color:green}+1 @author{color}.  The patch does not contain any @author tags.

    {color:red}-1 tests included{color}.  The patch doesn't appear to include any new or modified
                        Please justify why no new tests are needed for this patch.
                        Also please list what manual steps were performed to verify this patch.

    {color:red}-1 javac{color:red}.  The patch appears to cause the build to fail.

Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/4619//console

This message is automatically generated.

> Support AWS roles to talk to AWS-S3 largely for cross-AWS-account integration
> -----------------------------------------------------------------------------
>                 Key: HADOOP-11038
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11038
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: fs
>            Reporter: Vishal Gupta
>         Attachments: HADOOP-11038.1.patch, HADOOP-11038.2.patch
> Currently "hdfs dfs -lsr s3://..." supports acess-keys/secret-keys only as the way to
authenticate to s3. This should support AWS-roles also because of the following reasons :
> 1) AWS-roles is a AWS best-practice and is highly recommended by AWS themselves.
> 2) This helps in cross-AWS-account integration also. An AWS-account-holder can provide
another AWS-account-holder a cross-account-AWS-role to perform operations over his S3-buckets.
> The current syntax is "hdfs dfs" is :
> hdfs  dfs  -Dfs.s3n.awsAccessKeyId=XXXX -Dfs.s3n.awsSecretAccessKey=XXXX -ls  s3n://.../
> This should change to :
> hdfs dfs  -Dfs.s3n.awsAccessKeyId=XXXX -Dfs.s3n.awsSecretAccessKey=XXXX -Dfs.s3n.awsRoleToBeAssumed=arn:aws:iam::XXXX:role/XXXX
-Dfs.s3n.awsExternalId=XXXX -ls s3n://.../
> Extending the use-case a little further, for a client AWS-account to integrate with multiple
different AWS-accounts, configuration for s3-bucket to role-to-be-assumed mapping ( which
will override the master-role ) should be provided :
> hdfs  dfs  -Dfs.s3.awsAccessKeyId=XXXX -Dfs.s3.awsSecretAccessKey=XXXX -Dfs.s3.awsRoleToBeAssumed=arn:aws:iam::XXXX:role/XXXX
-Dfs.s3.awsBucketToRoleMapping="{\"bucket1\": { \"roleName\":\"arn:aws:iam::XXXX:role/role1\",
\"externalId\":\"....\"}}" -ls s3://.../
> Since, AWS treats a cross-account-AWS-role the same as an AWS-role within a AWS-account,
the above flows remain same for a role within a AWS-account.

This message was sent by Atlassian JIRA

View raw message