HADOOP-19197. S3A: Support AWS KMS Encryption Context #6874

Merged
merged 1 commit into from
Jul 23, 2024

@raphaelazzolini raphaelazzolini commented Jun 8, 2024

Add the property fs.s3a.encryption.context that allows users to specify the AWS KMS Encryption Context to be used in S3A.

The value of the encryption context is a key/value string that will be Base64 encoded and set in the parameter ssekmsEncryptionContext from the S3 client.

Contributed by Raphael Azzolini

Description of PR

This code change adds a new property to S3A: fs.s3a.encryption.context.

The property's value accepts a set of key/value attributes to be set on S3's encryption context. The value of the property will be base64 encoded and set in the parameter ssekmsEncryptionContext from the S3 client.

How was this patch tested?

Tested in us-east-1 with mvn -Dparallel-tests -DtestsThreadCount=16 clean verify

I added a new test ITestS3AEncryptionSSEKMSWithEncryptionContext. However, S3's head-object response doesn't contain the object encryption key. Therefore, I enabled CloudTrail data logs in my bucket to verify that the tests were passing the encryption context to the request.

I added this property to auth-keys.xml

<property>
  <name>fs.s3a.encryption.context</name>
  <value>
    project=hadoop,
    jira=HADOOP-19197,
    component=fs/s3
  </value>
</property>

Then I executed the following tests:

mvn clean verify -Dit.test=ITestS3AEncryption* -Dtest=none

[INFO] -------------------------------------------------------
[INFO]  T E S T S
[INFO] -------------------------------------------------------
[INFO] Running org.apache.hadoop.fs.s3a.ITestS3AEncryptionSSEKMSDefaultKeyWithEncryptionContext
[INFO] Tests run: 4, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 19.10 s -- in org.apache.hadoop.fs.s3a.ITestS3AEncryptionSSEKMSDefaultKeyWithEncryptionContext
[INFO] Running org.apache.hadoop.fs.s3a.ITestS3AEncryptionSSEC
[INFO] Tests run: 24, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 48.17 s -- in org.apache.hadoop.fs.s3a.ITestS3AEncryptionSSEC
[INFO] Running org.apache.hadoop.fs.s3a.ITestS3AEncryptionAlgorithmValidation
[WARNING] Tests run: 1, Failures: 0, Errors: 0, Skipped: 1, Time elapsed: 0 s -- in org.apache.hadoop.fs.s3a.ITestS3AEncryptionAlgorithmValidation
[INFO] Running org.apache.hadoop.fs.s3a.ITestS3AEncryptionSSEKMSUserDefinedKeyWithEncryptionContext
[INFO] Tests run: 3, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 7.575 s -- in org.apache.hadoop.fs.s3a.ITestS3AEncryptionSSEKMSUserDefinedKeyWithEncryptionContext
[INFO] Running org.apache.hadoop.fs.s3a.ITestS3AEncryptionSSEKMSDefaultKey
[INFO] Tests run: 4, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 8.246 s -- in org.apache.hadoop.fs.s3a.ITestS3AEncryptionSSEKMSDefaultKey
[INFO] Running org.apache.hadoop.fs.s3a.ITestS3AEncryptionWithDefaultS3Settings
[WARNING] Tests run: 5, Failures: 0, Errors: 0, Skipped: 5, Time elapsed: 2.600 s -- in org.apache.hadoop.fs.s3a.ITestS3AEncryptionWithDefaultS3Settings
[INFO] Running org.apache.hadoop.fs.s3a.ITestS3AEncryptionSSEKMSUserDefinedKey
[INFO] Tests run: 3, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 7.414 s -- in org.apache.hadoop.fs.s3a.ITestS3AEncryptionSSEKMSUserDefinedKey
[INFO] Running org.apache.hadoop.fs.s3a.ITestS3AEncryptionSSES3
[INFO] Tests run: 3, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 6.680 s -- in org.apache.hadoop.fs.s3a.ITestS3AEncryptionSSES3
[INFO] Running org.apache.hadoop.fs.s3a.ITestS3AEncryptionDSSEKMSUserDefinedKeyWithEncryptionContext
[INFO] Tests run: 3, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 7.538 s -- in org.apache.hadoop.fs.s3a.ITestS3AEncryptionDSSEKMSUserDefinedKeyWithEncryptionContext
[INFO] Running org.apache.hadoop.fs.s3a.ITestS3AEncryptionDSSEKMSUserDefinedKey
[INFO] Tests run: 3, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 7.425 s -- in org.apache.hadoop.fs.s3a.ITestS3AEncryptionDSSEKMSUserDefinedKey
[INFO]
[INFO] Results:
[INFO]
[WARNING] Tests run: 53, Failures: 0, Errors: 0, Skipped: 6

mvn clean verify -Dit.test=TestMarshalledCredentials -Dtest=none

[INFO] -------------------------------------------------------
[INFO]  T E S T S
[INFO] -------------------------------------------------------
[INFO] Running org.apache.hadoop.fs.s3a.auth.TestMarshalledCredentials
[INFO] Tests run: 6, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.133 s -- in org.apache.hadoop.fs.s3a.auth.TestMarshalledCredentials
[INFO]
[INFO] Results:
[INFO]
[INFO] Tests run: 6, Failures: 0, Errors: 0, Skipped: 0

mvn clean verify -Dit.test=ITestS3AHugeFilesEncryption -Dtest=none

[INFO] -------------------------------------------------------
[INFO]  T E S T S
[INFO] -------------------------------------------------------
[INFO] Running org.apache.hadoop.fs.s3a.scale.ITestS3AHugeFilesEncryption
[INFO] Tests run: 10, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 33.04 s -- in org.apache.hadoop.fs.s3a.scale.ITestS3AHugeFilesEncryption
[INFO]
[INFO] Results:
[INFO]
[INFO] Tests run: 10, Failures: 0, Errors: 0, Skipped: 0

Finally, I verified in the CloudTrail logs that the encryption context was set for both aws:kms and aws:kms:dsse.

(...)
    {
      "eventTime": "2024-06-08T03:49:49Z",
      "eventSource": "s3.amazonaws.com",
      "eventName": "PutObject",
      "awsRegion": "us-west-1",
      "userAgent": "[Hadoop 3.5.0-SNAPSHOT, aws-sdk-java/2.24.6 Linux/5.10.217-183.860.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.412-b08 Java/1.8.0_412 vendor/Private_Build io/sync http/Apache cfg/retry-mode/adaptive hll/cross-region ft/s3-transfer]",
      "requestParameters": {
        "bucketName": "************",
        "x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-west-1:************:key/************",
        "Host": "************.s3.us-west-1.amazonaws.com",
        "x-amz-server-side-encryption": "aws:kms:dsse",
        "x-amz-server-side-encryption-context": "eyJjb21wb25lbnQiOiJmcy9zMyIsInByb2plY3QiOiJoYWRvb3AiLCJqaXJhIjoiSEFET09QLTE5MTk3In0=",
        "key": "test/"
      },
(...)
(...)
      "awsRegion": "us-west-1",
      "sourceIPAddress": "204.246.162.39",
      "userAgent": "[Hadoop 3.5.0-SNAPSHOT, aws-sdk-java/2.24.6 Linux/5.10.217-183.860.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.412-b08 Java/1.8.0_412 vendor/Private_Build io/sync http/Apache cfg/retry-mode/adaptive hll/cross-region ft/s3-transfer]",
      "requestParameters": {
        "bucketName": "************",
        "x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-west-1:************:key/************",
        "Host": "************.s3.us-west-1.amazonaws.com",
        "x-amz-server-side-encryption": "aws:kms",
        "x-amz-server-side-encryption-context": "eyJjb21wb25lbnQiOiJmcy9zMyIsInByb2plY3QiOiJoYWRvb3AiLCJqaXJhIjoiSEFET09QLTE5MTk3In0=",
        "key": "test/testEncryptionOverRename-0400"
      },
(...)

echo eyJjb21wb25lbnQiOiJmcy9zMyIsInByb2plY3QiOiJoYWRvb3AiLCJqaXJhIjoiSEFET09QLTE5MTk3In0= | base64 --decode
{"component":"fs/s3","project":"hadoop","jira":"HADOOP-19197"}%

I also executed the test with the following statement in my KMS key:

{
     "Effect": "Deny",
     "Principal": {
         "AWS": "*"
     },
     "Action": "kms:Decrypt",
     "Resource": "*",
     "Condition": {
         "StringNotEquals": {
             "kms:EncryptionContext:project": "hadoop"
         }
     }
}

When using that statement, tests without encryption context fail, and the new test will pass only if the given key-pair is set in fs.s3a.encryption.context.

For code changes:

  • Does the title of this PR start with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
  • Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation?
  • [-] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
  • [-] If applicable, have you updated the LICENSE, LICENSE-binary, NOTICE-binary files?
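The CloudTrail verification described in the PR description, and the `project=hadoop` pair its KMS key policy enforces, can be checked automatically. The following is an added example, not code from the PR or from Hadoop: the parsing rules in `parse_context_property`, all helper names, and the sample events (constructed, shaped like the records above) are assumptions; only the header value in `PAGE_HEADER` is taken from the page.

```python
import base64
import json

# Header value copied from the CloudTrail records in the PR description.
PAGE_HEADER = ("eyJjb21wb25lbnQiOiJmcy9zMyIsInByb2plY3QiOiJoYWRvb3AiLCJq"
               "aXJhIjoiSEFET09QLTE5MTk3In0=")
SSE_KMS_MODES = {"aws:kms", "aws:kms:dsse"}
CONTEXT_PARAM = "x-amz-server-side-encryption-context"


def parse_context_property(value):
    """Split a 'k1=v1, k2=v2' property value into a dict (assumed rules)."""
    pairs = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue  # tolerate trailing commas and blank lines
        key, sep, val = item.partition("=")
        if not sep or not key.strip():
            raise ValueError("not a key=value pair: %r" % item)
        pairs[key.strip()] = val.strip()
    return pairs


def encode_context(pairs):
    """Compact JSON, then Base64: the wire form seen in the CloudTrail record."""
    raw = json.dumps(pairs, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_context(header_value):
    """Return the context as a dict; raise ValueError on anything malformed."""
    # binascii.Error, UnicodeDecodeError and JSONDecodeError are all ValueErrors.
    obj = json.loads(base64.b64decode(header_value, validate=True))
    if not isinstance(obj, dict):
        raise ValueError("encryption context is not a JSON object")
    return obj


def audit_put_events(events, required):
    """List (object key, problem) for SSE-KMS/DSSE-KMS PutObject events whose
    encryption context is absent, undecodable, or lacks a required pair."""
    findings = []
    for event in events:
        if event.get("eventName") != "PutObject":
            continue
        params = event.get("requestParameters") or {}
        if params.get("x-amz-server-side-encryption") not in SSE_KMS_MODES:
            continue  # SSE-S3 and unencrypted puts carry no KMS context
        key = params.get("key")
        header = params.get(CONTEXT_PARAM)
        if header is None:
            findings.append((key, "missing encryption context"))
            continue
        try:
            context = decode_context(header)
        except ValueError:
            findings.append((key, "undecodable encryption context"))
            continue
        # Compare decoded pairs, never the raw Base64: JSON key order is not
        # canonical, so the same context can encode to different strings.
        bad = sorted(k for k, v in required.items() if context.get(k) != v)
        if bad:
            findings.append((key, "context mismatch on: " + ",".join(bad)))
    return findings


def _put(key, sse, header=None):
    """Build a constructed PutObject record shaped like the ones in the PR."""
    params = {"bucketName": "example-bucket",
              "x-amz-server-side-encryption": sse, "key": key}
    if header is not None:
        params[CONTEXT_PARAM] = header
    return {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
            "requestParameters": params}


# Constructed sample input: two compliant writes, then three that should be
# flagged and one SSE-S3 write that is out of scope.
SAMPLE_EVENTS = [
    _put("test/", "aws:kms:dsse", PAGE_HEADER),
    _put("test/testEncryptionOverRename-0400", "aws:kms", PAGE_HEADER),
    _put("constructed/no-context", "aws:kms"),
    _put("constructed/other-project", "aws:kms",
         encode_context({"project": "other"})),
    _put("constructed/garbled", "aws:kms:dsse", "not-base64!!"),
    _put("constructed/sse-s3", "AES256"),
]

if __name__ == "__main__":
    for object_key, problem in audit_put_events(SAMPLE_EVENTS,
                                                {"project": "hadoop"}):
        print(object_key, "->", problem)
```
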

@hadoop-yetus

🎊 +1 overall

Vote Subsystem Runtime Logfile Comment
+0 🆗 reexec 11m 50s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+0 🆗 codespell 0m 0s codespell was not available.
+0 🆗 detsecrets 0m 0s detect-secrets was not available.
+0 🆗 xmllint 0m 0s xmllint was not available.
+0 🆗 markdownlint 0m 0s markdownlint was not available.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
+1 💚 test4tests 0m 0s The patch appears to include 9 new or modified test files.
_ trunk Compile Tests _
+0 🆗 mvndep 15m 12s Maven dependency ordering for branch
+1 💚 mvninstall 32m 36s trunk passed
+1 💚 compile 17m 22s trunk passed with JDK Ubuntu-11.0.23+9-post-Ubuntu-1ubuntu120.04.2
+1 💚 compile 16m 6s trunk passed with JDK Private Build-1.8.0_412-8u412-ga-1~20.04.1-b08
+1 💚 checkstyle 4m 27s trunk passed
+1 💚 mvnsite 2m 44s trunk passed
+1 💚 javadoc 1m 56s trunk passed with JDK Ubuntu-11.0.23+9-post-Ubuntu-1ubuntu120.04.2
+1 💚 javadoc 1m 45s trunk passed with JDK Private Build-1.8.0_412-8u412-ga-1~20.04.1-b08
+1 💚 spotbugs 3m 54s trunk passed
+1 💚 shadedclient 35m 57s branch has no errors when building and testing our client artifacts.
_ Patch Compile Tests _
+0 🆗 mvndep 0m 33s Maven dependency ordering for patch
+1 💚 mvninstall 1m 26s the patch passed
+1 💚 compile 16m 44s the patch passed with JDK Ubuntu-11.0.23+9-post-Ubuntu-1ubuntu120.04.2
+1 💚 javac 16m 44s the patch passed
+1 💚 compile 15m 50s the patch passed with JDK Private Build-1.8.0_412-8u412-ga-1~20.04.1-b08
+1 💚 javac 15m 50s the patch passed
+1 💚 blanks 0m 0s The patch has no blanks issues.
+1 💚 checkstyle 4m 22s the patch passed
+1 💚 mvnsite 2m 39s the patch passed
+1 💚 javadoc 1m 50s the patch passed with JDK Ubuntu-11.0.23+9-post-Ubuntu-1ubuntu120.04.2
+1 💚 javadoc 1m 44s the patch passed with JDK Private Build-1.8.0_412-8u412-ga-1~20.04.1-b08
+1 💚 spotbugs 4m 16s the patch passed
+1 💚 shadedclient 34m 33s patch has no errors when building and testing our client artifacts.
_ Other Tests _
+1 💚 unit 20m 50s hadoop-common in the patch passed.
+1 💚 unit 3m 5s hadoop-aws in the patch passed.
+1 💚 asflicense 1m 4s The patch does not generate ASF License warnings.
257m 6s
Subsystem Report/Notes
Docker ClientAPI=1.45 ServerAPI=1.45 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6874/1/artifact/out/Dockerfile
GITHUB PR #6874
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient spotbugs checkstyle codespell detsecrets xmllint markdownlint
uname Linux 60270e4a493d 5.15.0-106-generic #116-Ubuntu SMP Wed Apr 17 09:17:56 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/bin/hadoop.sh
git revision trunk / 71ffcd5
Default Java Private Build-1.8.0_412-8u412-ga-1~20.04.1-b08
Multi-JDK versions /usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.23+9-post-Ubuntu-1ubuntu120.04.2 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_412-8u412-ga-1~20.04.1-b08
Test Results https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6874/1/testReport/
Max. process+thread count 3151 (vs. ulimit of 5500)
modules C: hadoop-common-project/hadoop-common hadoop-tools/hadoop-aws U: .
Console output https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6874/1/console
versions git=2.25.1 maven=3.6.3 spotbugs=4.2.2
Powered by Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

@raphaelazzolini
Contributor Author

@virajjasani @steveloughran do you need me to provide any more information to review this PR?

Contributor

@ahmarsuhail ahmarsuhail left a comment

thank you, looks good mostly. Left a few nits in the code.

ITests need work. And you will also need to run the entire test suite mvn -Dparallel-tests -DtestsThreadCount=16 clean verify and mention the region you tested in.

* limitations under the License.
*/

package org.apache.hadoop.fs.s3a;
Contributor

your ITests are not very useful as they don't assert on anything. I also don't think you need 3 new ITests that extend AbstractTestS3AEncryption.

I recommend that you add a single ITest, that writes an object with encryption context. parameterize it for SSE-KMS default key, SSE-KMS customer key, DSSE-KMS. Then do a GET on the object and assert on the encryption context.

Contributor Author

I will create just a single ITest class. Regarding the assertion, I couldn't find any S3 API that allows me to get the object's encryption context; HeadObject, for example, returns only ServerSideEncryption and SSEKMSKeyId.

The way that I found to test it is to add a condition to the IAM Role policy or KMS Key policy requiring the encryption context to be set, like:

  "Condition": {
    "StringEquals": {
      "kms:EncryptionContext:project": "hadoop",
      "kms:EncryptionContext:jira": "HADOOP-19197"
    }
  }

Let me know if you know a way to get the encryption context from S3 or if you have a better idea on how to test it.

Contributor Author

I executed mvn -Dparallel-tests -DtestsThreadCount=16 clean verify in us-east-1, and I updated the PR description adding this information and explained how I tested that the encryption context is set in the S3 objects.

Contributor

@steveloughran steveloughran left a comment

  1. Create a new EncryptionContext class in fs.s3a.impl.encryption for this stuff, S3AUtils is too big and while leaving it alone helps backports, there's no need to make things worse. This will isolate changes better.

  2. the issues related to EncryptionSecretOperations and secrets without a context matter. Is it that always the context must be non-null, but that it may be empty?

  3. add unit test to verify round trip of key=value pairs through the base64 encoding and the delegation token marshalling?

  4. Can you look at HADOOP-18708: Support S3 Client Side Encryption(CSE) With AWS SDK V2 #6884 to see if there are opportunities to share code, risks of conflict etc. And ideally, just review it in general to see what you think as it is 'close'

@@ -76,7 +76,7 @@ public void testSessionTokenDecode() throws Throwable {
renewer,
new URI("s3a://anything/"),
new MarshalledCredentials("a", "b", ""),
new EncryptionSecrets(S3AEncryptionMethods.SSE_S3, ""),
new EncryptionSecrets(S3AEncryptionMethods.SSE_S3, "", ""),
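Review bot: in testSessionTokenDecode the new third EncryptionSecrets argument is passed as "" next to an already empty key, so this test never marshals a real encryption context and would still pass if the field were dropped or swapped with the key during decoding. Pass distinct non-empty values for the key and the context here and assert that the decoded identifier returns each of them unchanged.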
Contributor

extend test to verify the secrets are round tripped correctly

Contributor Author

Not sure if this is what you meant, but in the next revision I will add values to the key and encryption context instead of empty string. Then I will assert that they match the values in the decoded identifier.

I will do the same in testSessionTokenIdentifierRoundTrip()

@raphaelazzolini
Contributor Author

@steveloughran, regarding #6884, I didn't find any risks of conflict with this PR, but I think that the new code in S3AFileSystem.java that you added a comment could be moved to the new class S3AEncryption.java you suggested, and that I am adding to the next commit.

I also added a comment to that PR asking if the new properties need to be added to core-default.xml and index.md.

@hadoop-yetus

💔 -1 overall

Vote Subsystem Runtime Logfile Comment
+0 🆗 reexec 12m 21s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 1s No case conflicting files found.
+0 🆗 codespell 0m 0s codespell was not available.
+0 🆗 detsecrets 0m 0s detect-secrets was not available.
+0 🆗 xmllint 0m 0s xmllint was not available.
+0 🆗 markdownlint 0m 0s markdownlint was not available.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
+1 💚 test4tests 0m 0s The patch appears to include 11 new or modified test files.
_ trunk Compile Tests _
+0 🆗 mvndep 14m 39s Maven dependency ordering for branch
+1 💚 mvninstall 32m 36s trunk passed
+1 💚 compile 17m 50s trunk passed with JDK Ubuntu-11.0.23+9-post-Ubuntu-1ubuntu120.04.2
+1 💚 compile 16m 18s trunk passed with JDK Private Build-1.8.0_412-8u412-ga-1~20.04.1-b08
+1 💚 checkstyle 4m 52s trunk passed
+1 💚 mvnsite 2m 47s trunk passed
+1 💚 javadoc 1m 59s trunk passed with JDK Ubuntu-11.0.23+9-post-Ubuntu-1ubuntu120.04.2
+1 💚 javadoc 1m 46s trunk passed with JDK Private Build-1.8.0_412-8u412-ga-1~20.04.1-b08
+1 💚 spotbugs 3m 58s trunk passed
+1 💚 shadedclient 34m 33s branch has no errors when building and testing our client artifacts.
_ Patch Compile Tests _
+0 🆗 mvndep 0m 35s Maven dependency ordering for patch
-1 ❌ mvninstall 0m 28s /patch-mvninstall-hadoop-tools_hadoop-aws.txt hadoop-aws in the patch failed.
-1 ❌ compile 16m 17s /patch-compile-root-jdkUbuntu-11.0.23+9-post-Ubuntu-1ubuntu120.04.2.txt root in the patch failed with JDK Ubuntu-11.0.23+9-post-Ubuntu-1ubuntu120.04.2.
-1 ❌ javac 16m 17s /patch-compile-root-jdkUbuntu-11.0.23+9-post-Ubuntu-1ubuntu120.04.2.txt root in the patch failed with JDK Ubuntu-11.0.23+9-post-Ubuntu-1ubuntu120.04.2.
-1 ❌ compile 15m 42s /patch-compile-root-jdkPrivateBuild-1.8.0_412-8u412-ga-1~20.04.1-b08.txt root in the patch failed with JDK Private Build-1.8.0_412-8u412-ga-1~20.04.1-b08.
-1 ❌ javac 15m 42s /patch-compile-root-jdkPrivateBuild-1.8.0_412-8u412-ga-1~20.04.1-b08.txt root in the patch failed with JDK Private Build-1.8.0_412-8u412-ga-1~20.04.1-b08.
-1 ❌ blanks 0m 0s /blanks-eol.txt The patch has 1 line(s) that end in blanks. Use git apply --whitespace=fix <<patch_file>>. Refer https://git-scm.com/docs/git-apply
+1 💚 checkstyle 4m 17s the patch passed
-1 ❌ mvnsite 0m 52s /patch-mvnsite-hadoop-tools_hadoop-aws.txt hadoop-aws in the patch failed.
+1 💚 javadoc 1m 52s the patch passed with JDK Ubuntu-11.0.23+9-post-Ubuntu-1ubuntu120.04.2
-1 ❌ javadoc 0m 50s /results-javadoc-javadoc-hadoop-tools_hadoop-aws-jdkPrivateBuild-1.8.0_412-8u412-ga-1~20.04.1-b08.txt hadoop-tools_hadoop-aws-jdkPrivateBuild-1.8.0_412-8u412-ga-120.04.1-b08 with JDK Private Build-1.8.0_412-8u412-ga-120.04.1-b08 generated 1 new + 0 unchanged - 0 fixed = 1 total (was 0)
-1 ❌ spotbugs 0m 50s /patch-spotbugs-hadoop-tools_hadoop-aws.txt hadoop-aws in the patch failed.
+1 💚 shadedclient 35m 55s patch has no errors when building and testing our client artifacts.
_ Other Tests _
+1 💚 unit 19m 42s hadoop-common in the patch passed.
-1 ❌ unit 0m 51s /patch-unit-hadoop-tools_hadoop-aws.txt hadoop-aws in the patch failed.
-1 ❌ asflicense 1m 4s /results-asflicense.txt The patch generated 1 ASF License warnings.
252m 3s
Subsystem Report/Notes
Docker ClientAPI=1.46 ServerAPI=1.46 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6874/2/artifact/out/Dockerfile
GITHUB PR #6874
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient spotbugs checkstyle codespell detsecrets xmllint markdownlint
uname Linux a54a2d23b372 5.15.0-106-generic #116-Ubuntu SMP Wed Apr 17 09:17:56 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/bin/hadoop.sh
git revision trunk / c2596c7
Default Java Private Build-1.8.0_412-8u412-ga-1~20.04.1-b08
Multi-JDK versions /usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.23+9-post-Ubuntu-1ubuntu120.04.2 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_412-8u412-ga-1~20.04.1-b08
Test Results https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6874/2/testReport/
Max. process+thread count 3152 (vs. ulimit of 5500)
modules C: hadoop-common-project/hadoop-common hadoop-tools/hadoop-aws U: .
Console output https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6874/2/console
versions git=2.25.1 maven=3.6.3 spotbugs=4.2.2
Powered by Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

@hadoop-yetus

💔 -1 overall

Vote Subsystem Runtime Logfile Comment
+0 🆗 reexec 0m 30s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+0 🆗 codespell 0m 1s codespell was not available.
+0 🆗 detsecrets 0m 1s detect-secrets was not available.
+0 🆗 xmllint 0m 1s xmllint was not available.
+0 🆗 markdownlint 0m 1s markdownlint was not available.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
+1 💚 test4tests 0m 0s The patch appears to include 11 new or modified test files.
_ trunk Compile Tests _
+0 🆗 mvndep 15m 2s Maven dependency ordering for branch
+1 💚 mvninstall 32m 45s trunk passed
+1 💚 compile 17m 25s trunk passed with JDK Ubuntu-11.0.23+9-post-Ubuntu-1ubuntu120.04.2
+1 💚 compile 16m 4s trunk passed with JDK Private Build-1.8.0_412-8u412-ga-1~20.04.1-b08
+1 💚 checkstyle 4m 26s trunk passed
+1 💚 mvnsite 2m 41s trunk passed
+1 💚 javadoc 1m 57s trunk passed with JDK Ubuntu-11.0.23+9-post-Ubuntu-1ubuntu120.04.2
+1 💚 javadoc 1m 43s trunk passed with JDK Private Build-1.8.0_412-8u412-ga-1~20.04.1-b08
+1 💚 spotbugs 4m 1s trunk passed
+1 💚 shadedclient 35m 13s branch has no errors when building and testing our client artifacts.
_ Patch Compile Tests _
+0 🆗 mvndep 0m 33s Maven dependency ordering for patch
-1 ❌ mvninstall 0m 27s /patch-mvninstall-hadoop-tools_hadoop-aws.txt hadoop-aws in the patch failed.
-1 ❌ compile 16m 4s /patch-compile-root-jdkUbuntu-11.0.23+9-post-Ubuntu-1ubuntu120.04.2.txt root in the patch failed with JDK Ubuntu-11.0.23+9-post-Ubuntu-1ubuntu120.04.2.
-1 ❌ javac 16m 4s /patch-compile-root-jdkUbuntu-11.0.23+9-post-Ubuntu-1ubuntu120.04.2.txt root in the patch failed with JDK Ubuntu-11.0.23+9-post-Ubuntu-1ubuntu120.04.2.
-1 ❌ compile 15m 20s /patch-compile-root-jdkPrivateBuild-1.8.0_412-8u412-ga-1~20.04.1-b08.txt root in the patch failed with JDK Private Build-1.8.0_412-8u412-ga-1~20.04.1-b08.
-1 ❌ javac 15m 20s /patch-compile-root-jdkPrivateBuild-1.8.0_412-8u412-ga-1~20.04.1-b08.txt root in the patch failed with JDK Private Build-1.8.0_412-8u412-ga-1~20.04.1-b08.
+1 💚 blanks 0m 0s The patch has no blanks issues.
+1 💚 checkstyle 4m 13s the patch passed
-1 ❌ mvnsite 0m 53s /patch-mvnsite-hadoop-tools_hadoop-aws.txt hadoop-aws in the patch failed.
+1 💚 javadoc 1m 51s the patch passed with JDK Ubuntu-11.0.23+9-post-Ubuntu-1ubuntu120.04.2
+1 💚 javadoc 1m 43s the patch passed with JDK Private Build-1.8.0_412-8u412-ga-1~20.04.1-b08
-1 ❌ spotbugs 0m 50s /patch-spotbugs-hadoop-tools_hadoop-aws.txt hadoop-aws in the patch failed.
+1 💚 shadedclient 36m 3s patch has no errors when building and testing our client artifacts.
_ Other Tests _
+1 💚 unit 19m 44s hadoop-common in the patch passed.
-1 ❌ unit 0m 48s /patch-unit-hadoop-tools_hadoop-aws.txt hadoop-aws in the patch failed.
+1 💚 asflicense 1m 3s The patch does not generate ASF License warnings.
239m 22s
Subsystem Report/Notes
Docker ClientAPI=1.46 ServerAPI=1.46 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6874/3/artifact/out/Dockerfile
GITHUB PR #6874
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient spotbugs checkstyle codespell detsecrets xmllint markdownlint
uname Linux fda291b182e1 5.15.0-106-generic #116-Ubuntu SMP Wed Apr 17 09:17:56 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/bin/hadoop.sh
git revision trunk / 4de0f65
Default Java Private Build-1.8.0_412-8u412-ga-1~20.04.1-b08
Multi-JDK versions /usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.23+9-post-Ubuntu-1ubuntu120.04.2 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_412-8u412-ga-1~20.04.1-b08
Test Results https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6874/3/testReport/
Max. process+thread count 1251 (vs. ulimit of 5500)
modules C: hadoop-common-project/hadoop-common hadoop-tools/hadoop-aws U: .
Console output https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6874/3/console
versions git=2.25.1 maven=3.6.3 spotbugs=4.2.2
Powered by Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

@raphaelazzolini
Contributor Author

The checks are failing because they are trying to compile three classes that I removed in the second commit. I don't know how to make it not use them.

[ERROR] /home/jenkins/jenkins-home/workspace/hadoop-multibranch_PR-6874/ubuntu-focal/src/hadoop-tools/hadoop-aws/src/test/java/org/apache/hadoop/fs/s3a/ITestS3AEncryptionDSSEKMSUserDefinedKeyWithEncryptionContext.java:[48,40] cannot find symbol
[ERROR]   symbol:   method getS3EncryptionContext(java.lang.String,org.apache.hadoop.conf.Configuration)
[ERROR]   location: class org.apache.hadoop.fs.s3a.S3AUtils
[ERROR] /home/jenkins/jenkins-home/workspace/hadoop-multibranch_PR-6874/ubuntu-focal/src/hadoop-tools/hadoop-aws/src/test/java/org/apache/hadoop/fs/s3a/ITestS3AEncryptionSSEKMSUserDefinedKeyWithEncryptionContext.java:[43,40] cannot find symbol
[ERROR]   symbol:   method getS3EncryptionContext(java.lang.String,org.apache.hadoop.conf.Configuration)
[ERROR]   location: class org.apache.hadoop.fs.s3a.S3AUtils
[ERROR] /home/jenkins/jenkins-home/workspace/hadoop-multibranch_PR-6874/ubuntu-focal/src/hadoop-tools/hadoop-aws/src/test/java/org/apache/hadoop/fs/s3a/ITestS3AEncryptionSSEKMSDefaultKeyWithEncryptionContext.java:[43,40] cannot find symbol
[ERROR]   symbol:   method getS3EncryptionContext(java.lang.String,org.apache.hadoop.conf.Configuration)
[ERROR]   location: class org.apache.hadoop.fs.s3a.S3AUtils

@steveloughran
Contributor

> The checks are failing because they are trying to compile three classes that I removed in the second commit. I don't know how to make it not use them.

needs a squashed commit. let me review the changes first

Contributor

@steveloughran steveloughran left a comment

done my review; happy with the changes.

can you squash the commits and do a forced push...that will get rid of the compilation problems

Add the property fs.s3a.encryption.context that allows users to specify the AWS KMS Encryption Context to be used in S3A.

The value of the encryption context is a key/value string that will be Base64 encoded and set in the parameter ssekmsEncryptionContext from the S3 client.

Contributed by Raphael Azzolini

@hadoop-yetus

🎊 +1 overall

Vote Subsystem Runtime Logfile Comment
+0 🆗 reexec 11m 56s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 1s No case conflicting files found.
+0 🆗 codespell 0m 0s codespell was not available.
+0 🆗 detsecrets 0m 0s detect-secrets was not available.
+0 🆗 xmllint 0m 0s xmllint was not available.
+0 🆗 markdownlint 0m 0s markdownlint was not available.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
+1 💚 test4tests 0m 0s The patch appears to include 8 new or modified test files.
_ trunk Compile Tests _
+0 🆗 mvndep 14m 51s Maven dependency ordering for branch
+1 💚 mvninstall 32m 18s trunk passed
+1 💚 compile 17m 36s trunk passed with JDK Ubuntu-11.0.23+9-post-Ubuntu-1ubuntu120.04.2
+1 💚 compile 16m 11s trunk passed with JDK Private Build-1.8.0_412-8u412-ga-1~20.04.1-b08
+1 💚 checkstyle 4m 59s trunk passed
+1 💚 mvnsite 2m 43s trunk passed
+1 💚 javadoc 1m 56s trunk passed with JDK Ubuntu-11.0.23+9-post-Ubuntu-1ubuntu120.04.2
+1 💚 javadoc 1m 45s trunk passed with JDK Private Build-1.8.0_412-8u412-ga-1~20.04.1-b08
+1 💚 spotbugs 3m 51s trunk passed
+1 💚 shadedclient 34m 43s branch has no errors when building and testing our client artifacts.
_ Patch Compile Tests _
+0 🆗 mvndep 0m 35s Maven dependency ordering for patch
+1 💚 mvninstall 1m 29s the patch passed
+1 💚 compile 16m 51s the patch passed with JDK Ubuntu-11.0.23+9-post-Ubuntu-1ubuntu120.04.2
+1 💚 javac 16m 51s the patch passed
+1 💚 compile 16m 0s the patch passed with JDK Private Build-1.8.0_412-8u412-ga-1~20.04.1-b08
+1 💚 javac 16m 0s the patch passed
+1 💚 blanks 0m 0s The patch has no blanks issues.
+1 💚 checkstyle 4m 23s the patch passed
+1 💚 mvnsite 2m 40s the patch passed
+1 💚 javadoc 1m 53s the patch passed with JDK Ubuntu-11.0.23+9-post-Ubuntu-1ubuntu120.04.2
+1 💚 javadoc 1m 45s the patch passed with JDK Private Build-1.8.0_412-8u412-ga-1~20.04.1-b08
+1 💚 spotbugs 4m 15s the patch passed
+1 💚 shadedclient 34m 45s patch has no errors when building and testing our client artifacts.
_ Other Tests _
+1 💚 unit 19m 49s hadoop-common in the patch passed.
+1 💚 unit 3m 1s hadoop-aws in the patch passed.
+1 💚 asflicense 1m 6s The patch does not generate ASF License warnings.
255m 41s
Subsystem Report/Notes
Docker ClientAPI=1.46 ServerAPI=1.46 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6874/4/artifact/out/Dockerfile
GITHUB PR #6874
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient spotbugs checkstyle codespell detsecrets xmllint markdownlint
uname Linux 983bc8e41580 5.15.0-106-generic #116-Ubuntu SMP Wed Apr 17 09:17:56 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/bin/hadoop.sh
git revision trunk / 898b883
Default Java Private Build-1.8.0_412-8u412-ga-1~20.04.1-b08
Multi-JDK versions /usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.23+9-post-Ubuntu-1ubuntu120.04.2 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_412-8u412-ga-1~20.04.1-b08
Test Results https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6874/4/testReport/
Max. process+thread count 3152 (vs. ulimit of 5500)
modules C: hadoop-common-project/hadoop-common hadoop-tools/hadoop-aws U: .
Console output https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6874/4/console
versions git=2.25.1 maven=3.6.3 spotbugs=4.2.2
Powered by Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

Contributor

@steveloughran steveloughran left a comment

+1.
ready to merge...expect to do a couple of stabilization patches to see what surprises surface from different people running the tests

@steveloughran steveloughran merged commit 4525c7e into apache:trunk Jul 23, 2024
4 checks passed
KeeProMise pushed a commit to KeeProMise/hadoop that referenced this pull request Sep 9, 2024
The new property fs.s3a.encryption.context allows users to specify the AWS KMS Encryption Context to be used in S3A.

The value of the encryption context is a key/value string that will be Base64 encoded and set in the parameter ssekmsEncryptionContext from the S3 client.

Contributed by Raphael Azzolini
Hexiaoqiao pushed a commit to Hexiaoqiao/hadoop that referenced this pull request Sep 12, 2024
The new property fs.s3a.encryption.context allows users to specify the AWS KMS Encryption Context to be used in S3A.

The value of the encryption context is a key/value string that will be Base64 encoded and set in the parameter ssekmsEncryptionContext from the S3 client.

Contributed by Raphael Azzolini