HADOOP-16697. Tune/audit S3A authoritative mode

[steveloughran]

This adds a new s3guard command to audit a s3guard bucket's authoritative
state:

hadoop s3guard authoritative -check-config s3a://landsat-pds

Also adds more diags of what is going on, including a specific bulk operation type
"listing" which is used for listing initiated updates.

No docs for the new command,

In DDB we do auth mode better, with a new test suite for this.

• renamed dirs are marked as auth
• when we update parents as part of any Put, we don't overwrite their auth dir status (they were all being cleared)
• explicit exclusion of directories from prune

[steveloughran]

tests need to unset auth mode dirs from per bucket settings, else ITestAuthoritativePath can fail

[ERROR] testMultiAuthPath(org.apache.hadoop.fs.s3a.ITestAuthoritativePath)  Time elapsed: 4.132 s  <<< FAILURE!
java.lang.AssertionError: Listing was not supposed to include s3a://hwdev-steve-ireland-new/test/1573571607290/testMultiAuthPath-first/in-path-out-of-band. Actual: s3a://hwdev-steve-ireland-new/test/1573571607290/testMultiAuthPath-first/in-path-out-of-band
	at org.junit.Assert.fail(Assert.java:88)
	at org.junit.Assert.failEquals(Assert.java:185)
	at org.junit.Assert.assertNotEquals(Assert.java:161)
	at org.apache.hadoop.fs.s3a.S3ATestUtils.checkListingDoesNotContainPath(S3ATestUtils.java:1306)
	at org.apache.hadoop.fs.s3a.ITestAuthoritativePath.runTestInsidePath(ITestAuthoritativePath.java:213)
	at org.apache.hadoop.fs.s3a.ITestAuthoritativePath.testMultiAuthPath(ITestAuthoritativePath.java:251)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
	at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
	at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
	at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
	at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
	at org.junit.rules.TestWatcher$1.evaluate(TestWatcher.java:55)
	at org.junit.internal.runners.statements.FailOnTimeout$CallableStatement.call(FailOnTimeout.java:298)
	at org.junit.internal.runners.statements.FailOnTimeout$CallableStatement.call(FailOnTimeout.java:292)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.lang.Thread.run(Thread.java:748)

[INFO] 

[steveloughran]

going to add a S3GuardInstrumentation interface so the internals of the S3A FS aren't so exposed in the S3Guard API. This also lets us assume that the instrumentation is never null, which simplifies code

[steveloughran]

./hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/s3guard/AuthoritativeAudit.java:92:   * @throws NonAuthoritativeDirException if it is non-auth and requireAuth=true.: Line is longer than 80 characters (found 81). [LineLength]
./hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/s3guard/Importer.java:118:  private long importDir(FileStatus status) throws IOException {:37: 'status' hides a field. [HiddenField]
./hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/s3guard/MetastoreInstrumentation.java:21:public interface MetastoreInstrumentation {: Missing a Javadoc comment. [JavadocType]
./hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/s3guard/S3Guard.java:51:import org.apache.hadoop.fs.s3a.S3AInstrumentation;:8: Unused import - org.apache.hadoop.fs.s3a.S3AInstrumentation. [UnusedImports]
./hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/s3guard/S3GuardTool.java:1145:    public int run(String[] args, PrintStream out):5: Method length is 175 lines (max allowed is 150). [MethodLength]
./hadoop-tools/hadoop-aws/src/test/java/org/apache/hadoop/fs/s3a/s3guard/ITestS3GuardAuthMode.java:59: * The main testFS is non-auth; we also create a test FS which runs in auth mode.: Line is longer than 80 characters (found 81). [LineLength]

[steveloughran]

For anyone watching, the latest PR has testRenameWithNonEmptySubDir failing as a dest path appears to exist. No idea why, yet: debug time.

Related to that -the S3A contract rename tests are parameterized on auth/non-auth; the non-auth ones skip if !s3guard. It might make sense to do that for more of the tests to better guarantee coverage of the two modes of operation.

[steveloughran]

testing s3a ireland with & without auth. doing a local db test run too for completeness

[bgaborg]

Thanks @steveloughran for this major piece of work.
It would be also great if we could split this into different chunks - adding the new auth tool, metrics, prune, rebasing the import under different jiras, but it's ok to do that if we don't forget to add every new feature and fix to the description so we will remember later.
Added some comments about the code in my first review phase.

[steveloughran]

findbugs

Unchecked/unconfirmed cast from org.apache.hadoop.fs.s3a.s3guard.BulkOperationState to org.apache.hadoop.fs.s3a.s3guard.DynamoDBMetadataStore$AncestorState in org.apache.hadoop.fs.s3a.s3guard.DynamoDBMetadataStore.markAsAuthoritative(Path, BulkOperationState) At DynamoDBMetadataStore.java:org.apache.hadoop.fs.s3a.s3guard.DynamoDBMetadataStore$AncestorState in org.apache.hadoop.fs.s3a.s3guard.DynamoDBMetadataStore.markAsAuthoritative(Path, BulkOperationState) At DynamoDBMetadataStore.java:[line 2104]
Switch statement found in org.apache.hadoop.fs.s3a.s3guard.S3GuardTool$BucketInfo.run(String[], PrintStream) where one case falls through to the next case At S3GuardTool.java:PrintStream) where one case falls through to the next case At S3GuardTool.java:[lines 1276-1283]

[steveloughran]

checkstyle revision; tested s3 ireland

-Dparallel-tests -DtestsThreadCount=8 -Ds3guard -Ddynamo -Dauth

no failures

[bgaborg]

Tests are running ok - one intermittent error with org.apache.hadoop.fs.s3a.s3guard.ITestDynamoDBMetadataStore:

java.lang.IllegalArgumentException: Table THIS_IS_THE_TEST_TABLE is not deleted.
	at com.amazonaws.services.dynamodbv2.document.Table.waitForDelete(Table.java:505)
	at org.apache.hadoop.fs.s3a.s3guard.ITestDynamoDBMetadataStore.setUp(ITestDynamoDBMetadataStore.java:169)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)```

My review contains some nits to look at, my +1 pending on that.

[steveloughran]

oops, deleted last yetus review. I'll kick off a new one.

[hadoop-yetus]

💔 -1 overall

Vote	Subsystem	Runtime	Comment
+0 🆗	reexec	1m 30s	Docker mode activated.
		_ Prechecks _
+1 💚	dupname	0m 1s	No case conflicting files found.
+0 🆗	markdownlint	0m 1s	markdownlint was not available.
+1 💚	@author	0m 0s	The patch does not contain any @author tags.
+1 💚	test4tests	0m 0s	The patch appears to include 12 new or modified test files.
		_ trunk Compile Tests _
+0 🆗	mvndep	1m 28s	Maven dependency ordering for branch
+1 💚	mvninstall	23m 41s	trunk passed
+1 💚	compile	17m 40s	trunk passed
+1 💚	checkstyle	2m 51s	trunk passed
+1 💚	mvnsite	2m 6s	trunk passed
+1 💚	shadedclient	20m 51s	branch has no errors when building and testing our client artifacts.
+1 💚	javadoc	2m 3s	trunk passed
+0 🆗	spotbugs	1m 8s	Used deprecated FindBugs config; considering switching to SpotBugs.
+1 💚	findbugs	3m 26s	trunk passed
-0 ⚠️	patch	1m 29s	Used diff version of patch file. Binary files and potentially other changes not applied. Please rebase and squash commits if necessary.
		_ Patch Compile Tests _
+0 🆗	mvndep	0m 24s	Maven dependency ordering for patch
+1 💚	mvninstall	1m 23s	the patch passed
+1 💚	compile	18m 9s	the patch passed
+1 💚	javac	18m 9s	the patch passed
-0 ⚠️	checkstyle	2m 50s	root: The patch generated 3 new + 96 unchanged - 0 fixed = 99 total (was 96)
+1 💚	mvnsite	2m 12s	the patch passed
-1 ❌	whitespace	0m 0s	The patch has 3 line(s) that end in whitespace. Use git apply --whitespace=fix <<patch_file>>. Refer https://git-scm.com/docs/git-apply
+1 💚	xml	0m 1s	The patch has no ill-formed XML file.
+1 💚	shadedclient	14m 14s	patch has no errors when building and testing our client artifacts.
+1 💚	javadoc	1m 59s	the patch passed
+1 💚	findbugs	3m 48s	the patch passed
		_ Other Tests _
+1 💚	unit	9m 52s	hadoop-common in the patch passed.
+1 💚	unit	1m 31s	hadoop-aws in the patch passed.
+1 💚	asflicense	0m 48s	The patch does not generate ASF License warnings.
		132m 43s

Subsystem	Report/Notes
Docker	Client=19.03.5 Server=19.03.5 base: https://builds.apache.org/job/hadoop-multibranch/job/PR-1707/18/artifact/out/Dockerfile
GITHUB PR	#1707
Optional Tests	dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle xml markdownlint
uname	Linux 46978472041a 4.15.0-66-generic #75-Ubuntu SMP Tue Oct 1 05:24:09 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	personality/hadoop.sh
git revision	trunk / 768ee22
Default Java	1.8.0_232
checkstyle	https://builds.apache.org/job/hadoop-multibranch/job/PR-1707/18/artifact/out/diff-checkstyle-root.txt
whitespace	https://builds.apache.org/job/hadoop-multibranch/job/PR-1707/18/artifact/out/whitespace-eol.txt
Test Results	https://builds.apache.org/job/hadoop-multibranch/job/PR-1707/18/testReport/
Max. process+thread count	1346 (vs. ulimit of 5500)
modules	C: hadoop-common-project/hadoop-common hadoop-tools/hadoop-aws U: .
Console output	https://builds.apache.org/job/hadoop-multibranch/job/PR-1707/18/console
versions	git=2.7.4 maven=3.3.9 findbugs=3.1.0-RC1
Powered by	Apache Yetus 0.11.1 https://yetus.apache.org

This message was automatically generated.

[bgaborg]

Tests are passing (only one intermittent failure of ITestDynamoDBMetadataStore.setUp is present)
My comments/change requests are all resolved.
+1; Thanks @steveloughran!

[steveloughran]

Thank you for your excellent diligence going through this patch!

[steveloughran]

merged after a final retest