
S3A can no longer handle unencoded + in URIs

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.8.0
    • Fix Version/s: 2.9.0, 3.0.0-alpha4, 2.8.2
    • Component/s: fs/s3
    • Labels:
      None

      Description

      Amazon secret access keys can include alphanumeric characters, but also / and + (I wish there were an official source that was really specific on what they can contain, but I'll have to rely on a few blog posts and my own experience).

      Keys containing slashes used to be impossible to embed in the URL (e.g. s3a://access_key:secret_key@bucket/) but it is now possible to do it via URL encoding. Pluses used to work, but that is now only possible via URL encoding.

      In the case of pluses, they don't appear to cause any other problems for parsing. So IMO the best all-around solution here is for people to URL-encode these keys always, but so that keys that used to work just fine can continue to work fine, all we need to do is detect that, log a warning, and we can re-encode it for the user.
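The behaviour the description asks for, as an added Python illustration; this is not the S3xLoginHelper code from the patch. It pulls the login out of an s3a://access:secret@bucket/ URI, decodes percent-encoded / and + normally, detects an unencoded +, logs a warning and re-encodes it as %2B before decoding, and shows that an unencoded / cannot be rescued because it terminates the authority. The naive_decode helper, which turns + into a space the way a form-style decoder does, is an assumption about the failure mechanism; the issue only reports the SignatureDoesNotMatch symptom. The access key AKIAEXAMPLE and the secrets are constructed values, not real credentials.

```python
import logging
from typing import Optional, Tuple
from urllib.parse import quote, unquote_plus, urlsplit

log = logging.getLogger("s3a-login-example")

# Secret-key alphabet reported in the issue: alphanumerics, '/' and '+'.
# All keys used here are constructed for the example, not real credentials.


def naive_decode(raw: str) -> str:
    """Form-style percent-decoding, in which a bare '+' becomes a space.

    Assumption: this mirrors the decoder behaviour that makes an unencoded
    '+' in the secret produce a request signature mismatch.
    """
    return unquote_plus(raw)


def extract_login(uri: str) -> Optional[Tuple[str, str]]:
    """Return (access_key, secret_key) from s3a://access:secret@bucket/..., or None.

    - Percent-encoded keys (%2F, %2B) decode normally.
    - An unencoded '+' is detected, logged and re-encoded as %2B first, so a
      key that used to work keeps working instead of turning into a space.
    - An unencoded '/' ends the authority, so no login is found at all.
    """
    authority = urlsplit(uri).netloc  # userinfo comes back exactly as typed
    if "@" not in authority:
        return None
    userinfo = authority.rsplit("@", 1)[0]
    if ":" not in userinfo:
        return None
    raw_access, raw_secret = userinfo.split(":", 1)
    if "+" in raw_secret:
        log.warning("Secret key in the filesystem URI contains an unencoded "
                    "'+'; re-encoding it. URL-encode it as %2B instead.")
        raw_secret = raw_secret.replace("+", "%2B")
    return naive_decode(raw_access), naive_decode(raw_secret)


def encode_secret(secret: str) -> str:
    """Encode a secret for embedding in a URI: '/' -> %2F and '+' -> %2B."""
    return quote(secret, safe="")


if __name__ == "__main__":
    for u in ("s3a://AKIAEXAMPLE:abc%2Bdef@bucket/path",
              "s3a://AKIAEXAMPLE:abc+def@bucket/path",
              "s3a://AKIAEXAMPLE:ab%2Fcd@bucket/",
              "s3a://AKIAEXAMPLE:ab/cd@bucket/"):
        print(u, "->", extract_login(u))
    print("ab/cd+ef", "->", encode_secret("ab/cd+ef"))
```

Running the module prints the parsed login for each constructed URI; the unencoded-slash case yields None, which is the "impossible to embed" situation the description refers to, while encode_secret shows the always-encode form the description recommends.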

        Issue Links

          Activity

          mackrorysd Sean Mackrory added a comment -

          Attaching a patch that does what I describe, and adds a test to check that + (both encoded and unencoded) is parsed okay in access keys. Have tested against us-west-1, eu-central-1.

          hadoopqa Hadoop QA added a comment -
          +1 overall



          Vote Subsystem Runtime Comment
          0 reexec 0m 14s Docker mode activated.
          +1 @author 0m 0s The patch does not contain any @author tags.
          +1 test4tests 0m 0s The patch appears to include 1 new or modified test files.
          +1 mvninstall 12m 41s trunk passed
          +1 compile 0m 17s trunk passed
          +1 checkstyle 0m 13s trunk passed
          +1 mvnsite 0m 20s trunk passed
          +1 mvneclipse 0m 13s trunk passed
          +1 findbugs 0m 26s trunk passed
          +1 javadoc 0m 14s trunk passed
          +1 mvninstall 0m 16s the patch passed
          +1 compile 0m 15s the patch passed
          +1 javac 0m 15s the patch passed
          +1 checkstyle 0m 10s the patch passed
          +1 mvnsite 0m 17s the patch passed
          +1 mvneclipse 0m 10s the patch passed
          +1 whitespace 0m 0s The patch has no whitespace issues.
          +1 findbugs 0m 30s the patch passed
          +1 javadoc 0m 11s the patch passed
          +1 unit 0m 19s hadoop-aws in the patch passed.
          +1 asflicense 0m 16s The patch does not generate ASF License warnings.
          18m 26s



          Subsystem Report/Notes
          Docker Image:yetus/hadoop:a9ad5d6
          JIRA Issue HADOOP-14114
          JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12854276/HADOOP-14114.001.patch
          Optional Tests asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle
          uname Linux 6092b910f2c4 3.13.0-106-generic #153-Ubuntu SMP Tue Dec 6 15:44:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
          Build tool maven
          Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh
          git revision trunk / a207aa9
          Default Java 1.8.0_121
          findbugs v3.0.0
          Test Results https://builds.apache.org/job/PreCommit-HADOOP-Build/11701/testReport/
          modules C: hadoop-tools/hadoop-aws U: hadoop-tools/hadoop-aws
          Console output https://builds.apache.org/job/PreCommit-HADOOP-Build/11701/console
          Powered by Apache Yetus 0.5.0-SNAPSHOT http://yetus.apache.org

          This message was automatically generated.

          stevel@apache.org Steve Loughran added a comment -

          think the pattern is encoded in git secrets: https://github.com/awslabs/git-secrets/blob/master/git-secrets

          mackrorysd Sean Mackrory added a comment -

          By the way, this is what you get if you hit this issue with a + in the secret access key:

          WARN s3native.S3xLoginHelper: The Filesystem URI contains login details. This is insecure and may be unsupported in future.
          ls: : getFileStatus on : com.amazonaws.services.s3.model.AmazonS3Exception: The request signature we calculated does not match the signature you provided. Check your key and signing method. (Service: Amazon S3; Status Code: 403; Error Code: SignatureDoesNotMatch; Request ID: ...), S3 Extended Request ID: ...
          
          mackrorysd Sean Mackrory added a comment -

          Also, to feel a bit more sure there aren't other special characters we should handle, I generated >100 secret access keys and the output was entirely alphanumeric, forward slashes, and pluses.

          stevel@apache.org Steve Loughran added a comment -

          OK +1

          impressed by your checking there.

          Out of curiosity, did you test against a v4 endpoint to see what the error message was? I wonder if it is different.

          stevel@apache.org Steve Loughran added a comment -

          1, committed to 2.8.1. For the curious, I've signed that commit; a git log --show-signature ff87ca84418a710c6 will show whether or not you trust me

          hudson Hudson added a comment -

          SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #11298 (See https://builds.apache.org/job/Hadoop-trunk-Commit/11298/)
          HADOOP-14114 S3A can no longer handle unencoded + in URIs. Contributed (stevel: rev 9c22a91662af24569191ce45289ef8266e8755cc)

          • (edit) hadoop-tools/hadoop-aws/src/test/java/org/apache/hadoop/fs/s3native/TestS3xLoginHelper.java
          • (edit) hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3native/S3xLoginHelper.java
          mackrorysd Sean Mackrory added a comment -

          Thanks Steve Loughran. The error message is identical from a V4-only endpoint.

          stevel@apache.org Steve Loughran added a comment -

          thx. Note that with per-bucket config, there's no justification for secrets in URIs any more. You can do a distcp using -D options to declare (ideally session) credentials for the URL you are working with, same for anything else.

          vinodkv Vinod Kumar Vavilapalli added a comment -

          2.8.1 became a security release. Moving fix-version to 2.8.2 after the fact.


            People

            • Assignee:
              mackrorysd Sean Mackrory
              Reporter:
              mackrorysd Sean Mackrory