restrict encryption client imports

ahmarsuhail · ahmarsuhail · commit afc077d68976 · 2023-11-23T15:40:09.000Z
diff --git a/hadoop-tools/hadoop-aws/pom.xml b/hadoop-tools/hadoop-aws/pom.xml
@@ -464,6 +464,16 @@
                     <bannedImport>org.apache.hadoop.mapred.**</bannedImport>
                   </bannedImports>
                 </restrictImports>
+                <restrictImports>
+                  <includeTestCode>false</includeTestCode>
+                  <reason>Restrict encryption client imports to encryption client factory</reason>
+                  <exclusions>
+                    <exclusion>org.apache.hadoop.fs.s3a.EncryptionS3ClientFactory</exclusion>
+                  </exclusions>
+                  <bannedImports>
+                    <bannedImport>software.amazon.encryption.s3.**</bannedImport>
+                  </bannedImports>
+                </restrictImports>
               </rules>
             </configuration>
           </execution>
diff --git a/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/S3AUtils.java b/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/S3AUtils.java
@@ -24,7 +24,6 @@
 import software.amazon.awssdk.core.retry.RetryUtils;
 import software.amazon.awssdk.services.s3.model.S3Exception;
 import software.amazon.awssdk.services.s3.model.S3Object;
-import software.amazon.encryption.s3.S3EncryptionClientException;
 
 import org.apache.commons.lang3.StringUtils;
 import org.apache.hadoop.classification.InterfaceAudience;
@@ -76,6 +75,7 @@
 import static org.apache.hadoop.fs.s3a.Constants.*;
 import static org.apache.hadoop.fs.s3a.audit.AuditIntegration.maybeTranslateAuditException;
 import static org.apache.hadoop.fs.s3a.impl.ErrorTranslation.isUnknownBucket;
+import static org.apache.hadoop.fs.s3a.impl.ErrorTranslation.maybeExtractSdkException;
 import static org.apache.hadoop.fs.s3a.impl.InstantiationIOException.instantiationException;
 import static org.apache.hadoop.fs.s3a.impl.InstantiationIOException.isAbstract;
 import static org.apache.hadoop.fs.s3a.impl.InstantiationIOException.isNotInstanceOf;
@@ -173,13 +173,7 @@ public static IOException translateException(@Nullable String operation,
         StringUtils.isNotEmpty(path)? (" on " + path) : "",
         exception);
 
-    // Exceptions from encryption client are wrapped in S3EncryptionClientException, so unwrap.
-    if (exception instanceof S3EncryptionClientException) {
-      exception = (SdkException) exception.getCause();
-      if (exception != null && exception.getCause() instanceof AwsServiceException) {
-        exception = (SdkException) exception.getCause();
-      }
-    }
+    exception = maybeExtractSdkException(exception);
 
     if (!(exception instanceof AwsServiceException)) {
       // exceptions raised client-side: connectivity, auth, network problems...
diff --git a/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/impl/AWSClientConfig.java b/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/impl/AWSClientConfig.java
@@ -32,12 +32,12 @@
 import software.amazon.awssdk.http.apache.ApacheHttpClient;
 import software.amazon.awssdk.http.apache.ProxyConfiguration;
 import software.amazon.awssdk.http.nio.netty.NettyNioAsyncHttpClient;
-import software.amazon.awssdk.thirdparty.org.apache.http.client.utils.URIBuilder;
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.s3a.S3AUtils;
 import org.apache.hadoop.fs.s3a.auth.SignerFactory;
 import org.apache.hadoop.util.VersionInfo;
+import org.apache.http.client.utils.URIBuilder;
 
 import static org.apache.hadoop.fs.s3a.Constants.AWS_SERVICE_IDENTIFIER_S3;
 import static org.apache.hadoop.fs.s3a.Constants.AWS_SERVICE_IDENTIFIER_STS;
diff --git a/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/impl/ErrorTranslation.java b/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/impl/ErrorTranslation.java
@@ -22,6 +22,7 @@
 import java.lang.reflect.Constructor;
 
 import software.amazon.awssdk.awscore.exception.AwsServiceException;
+import software.amazon.awssdk.core.exception.SdkException;
 
 import org.apache.hadoop.fs.PathIOException;
 
@@ -48,6 +49,9 @@ public final class ErrorTranslation {
   private ErrorTranslation() {
   }
 
+  static final String ENCRYPTION_CLIENT_EXCEPTION =
+      "software.amazon.encryption.s3.S3EncryptionClientException";
+
   /**
    * Does this exception indicate that the AWS Bucket was unknown.
    * @param e exception.
@@ -106,6 +110,19 @@ public static IOException maybeExtractIOException(String path, Throwable thrown)
 
   }
 
+  public static SdkException maybeExtractSdkException(SdkException exception) {
+    SdkException extractedException = exception;
+    if (exception.toString().contains(ENCRYPTION_CLIENT_EXCEPTION)) {
+      extractedException = (SdkException) exception.getCause();
+      if (extractedException != null
+          && extractedException.getCause() instanceof AwsServiceException) {
+        extractedException = (SdkException) extractedException.getCause();
+      }
+    }
+
+    return extractedException;
+  }
+
   /**
    * Given an outer and an inner exception, create a new IOE
    * of the inner type, with the outer exception as the cause.
