HADOOP-19384. S3A: Add support for ProfileCredentialsProvider

[VenkatSNarayanan]

This commit adds a wrapper for the AWS
ProfileCredentialsProvider.

How was this patch tested?

The patch was tested by running the hadoop-aws integration tests with fs.s3a.aws.credentials.provider and fs.s3a.assumed.role.credentials.provider configured to only include org.apache.hadoop.fs.s3a.ProfileAWSCredentialsProvider. Buckets/endpoints used were in the us-east-1 region. 2 test failures that seem unrelated to this change have details in the JIRA.

[hadoop-yetus]

💔 -1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	0m 0s		Docker mode activated.
-1 ❌	patch	0m 21s		#7284 does not apply to trunk. Rebase required? Wrong Branch? See https://cwiki.apache.org/confluence/display/HADOOP/How+To+Contribute for help.

Subsystem	Report/Notes
GITHUB PR	#7284
JIRA Issue	HADOOP-19384
Console output	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7284/1/console
versions	git=2.34.1
Powered by	Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

[hadoop-yetus]

💔 -1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	0m 50s		Docker mode activated.
			_ Prechecks _
+1 💚	dupname	0m 0s		No case conflicting files found.
+0 🆗	codespell	0m 0s		codespell was not available.
+0 🆗	detsecrets	0m 0s		detect-secrets was not available.
+0 🆗	xmllint	0m 0s		xmllint was not available.
+1 💚	@author	0m 0s		The patch does not contain any @author tags.
-1 ❌	test4tests	0m 0s		The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
			_ trunk Compile Tests _
+0 🆗	mvndep	6m 12s		Maven dependency ordering for branch
+1 💚	mvninstall	36m 28s		trunk passed
+1 💚	compile	19m 47s		trunk passed with JDK Ubuntu-11.0.25+9-post-Ubuntu-1ubuntu120.04
+1 💚	compile	18m 39s		trunk passed with JDK Private Build-1.8.0_432-8u432-gaus1-0ubuntu220.04-ga
+1 💚	checkstyle	5m 23s		trunk passed
+1 💚	mvnsite	2m 45s		trunk passed
+1 💚	javadoc	2m 9s		trunk passed with JDK Ubuntu-11.0.25+9-post-Ubuntu-1ubuntu120.04
+1 💚	javadoc	1m 42s		trunk passed with JDK Private Build-1.8.0_432-8u432-gaus1-0ubuntu220.04-ga
+1 💚	spotbugs	4m 3s		trunk passed
+1 💚	shadedclient	40m 58s		branch has no errors when building and testing our client artifacts.
-0 ⚠️	patch	41m 26s		Used diff version of patch file. Binary files and potentially other changes not applied. Please rebase and squash commits if necessary.
			_ Patch Compile Tests _
+0 🆗	mvndep	0m 34s		Maven dependency ordering for patch
+1 💚	mvninstall	1m 32s		the patch passed
+1 💚	compile	18m 42s		the patch passed with JDK Ubuntu-11.0.25+9-post-Ubuntu-1ubuntu120.04
+1 💚	javac	18m 42s		the patch passed
+1 💚	compile	17m 53s		the patch passed with JDK Private Build-1.8.0_432-8u432-gaus1-0ubuntu220.04-ga
+1 💚	javac	17m 53s		the patch passed
+1 💚	blanks	0m 1s		The patch has no blanks issues.
-0 ⚠️	checkstyle	4m 42s	/results-checkstyle-root.txt	root: The patch generated 26 new + 0 unchanged - 0 fixed = 26 total (was 0)
+1 💚	mvnsite	2m 36s		the patch passed
+1 💚	javadoc	2m 3s		the patch passed with JDK Ubuntu-11.0.25+9-post-Ubuntu-1ubuntu120.04
+1 💚	javadoc	1m 39s		the patch passed with JDK Private Build-1.8.0_432-8u432-gaus1-0ubuntu220.04-ga
+1 💚	spotbugs	4m 15s		the patch passed
+1 💚	shadedclient	41m 2s		patch has no errors when building and testing our client artifacts.
			_ Other Tests _
+1 💚	unit	20m 34s		hadoop-common in the patch passed.
-1 ❌	unit	2m 56s	/patch-unit-hadoop-tools_hadoop-aws.txt	hadoop-aws in the patch passed.
-1 ❌	asflicense	1m 4s	/results-asflicense.txt	The patch generated 1 ASF License warnings.
		262m 26s

Reason	Tests
Failed junit tests	hadoop.fs.s3a.TestS3AInputStreamRetry
	hadoop.fs.s3a.TestS3AUnbuffer
	hadoop.fs.s3a.TestS3AGetFileStatus
	hadoop.fs.s3a.TestS3ADeleteOnExit
	hadoop.fs.s3a.TestS3ABlockOutputStream
	hadoop.fs.s3a.TestS3AEndpointParsing
	hadoop.fs.s3a.TestListing

Subsystem	Report/Notes
Docker	ClientAPI=1.47 ServerAPI=1.47 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7284/2/artifact/out/Dockerfile
GITHUB PR	#7284
JIRA Issue	HADOOP-19384
Optional Tests	dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient codespell detsecrets xmllint spotbugs checkstyle
uname	Linux 8b219dd1a366 5.15.0-124-generic #134-Ubuntu SMP Fri Sep 27 20:20:17 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/bin/hadoop.sh
git revision	trunk / 303f92c
Default Java	Private Build-1.8.0_432-8u432-gaus1-0ubuntu220.04-ga
Multi-JDK versions	/usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.25+9-post-Ubuntu-1ubuntu120.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_432-8u432-gaus1-0ubuntu220.04-ga
Test Results	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7284/2/testReport/
Max. process+thread count	3139 (vs. ulimit of 5500)
modules	C: hadoop-common-project/hadoop-common hadoop-tools/hadoop-aws U: .
Console output	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7284/2/console
versions	git=2.25.1 maven=3.6.3 spotbugs=4.2.2
Powered by	Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

[steveloughran]

This needs to be optional.

Adding something new to the chain has already caused problems and failures in the unit tests.

Because a lot of those developers have the AWS SDK installed, our test runs can accidentally pick this up when we do not intend to -hiding regression which then only surface in production. We have a hit exactly this problem in the past -and it is exactly the reason that the Yetus test runs have so many failing unit tests while you do not.

Instead then, please add it as a new class, apply the suggestions, and then document how to use it in the S3A documentation file hadoop-tools/hadoop-aws/src/site/markdown/tools/hadoop-aws/authentication.md

And as requested provide ways through the configuration to actually provide the path to the the profile file and which profile to use.

You can just ask for the software.amazonaws provider today; the S3A connector can authenticate with any in the SDK itself, unless it needs a special configuration. Picking up paths and profiles from the Configuration object is exactly the kind of configuration which justifies the effort.

On the topic of configuration

1. nI would suggest the following two names

fs.s3a.auth.profile.file
fs.s3a.auth.profile.name

2. If these are set then they MUST override the env vars of AWS_SHARED_CREDENTIALS_FILE, and AWS_PROFILE respectively.

Test wise: you should be able to write a unit test to attempt to load a dummy file the test setup writes to a temp dir, with the default profile and another one, returning the credentials you expect in both cases.

Finally, regarding the Itest failures, one of them looks like an intermittent test timing one. Proxy one is new. Does your test setup actually include a proxy? It would be good if you could debug this.

[steveloughran]

make this optional but document it

[steveloughran]

evolving

[steveloughran]

nit: use same import ordering as other classes

[steveloughran]

profile name should be configurable

[steveloughran]

make final

[steveloughran]

this path should be configurable

[steveloughran]

not a standard one...will need to be explicitly configured

[steveloughran]

extends AbstractAWSCredentialProvider

and move into package auth