#31608 Add S3 Setting to Force Path Type Access #34721
Conversation
original-brownbear
added
>enhancement
:Distributed Coordination/Snapshot/Restore
|
Pinging @elastic/es-distributed |
|
Why does this need to be configurable? Can we just always use path style access, since all bucket names are supported through it? |
|
@rjernst but I think for path style access to work you have to supply the region in AWS S3, so it won't work if you don't manually supply |
|
@rjernst that said ... if |
|
I believe you can hit any region specific endpoint to find the region a bucket exists in. This is essentially how using dns based buckets with s3.amazonaws.com works. I think we could (if endpoint is not specified) do an initial request with a fixed endpoint (eg us-east-1's endpoint), just to find where the bucket exists, then create the "real" client with the calculated endpoint? My concern is creeping back to several client settings which must be carefully set to be in sync with each other, like we used to have with s3 repository. IMO we should strive to keep the settings minimal. |
Yea we could actually :) I'm just worried there may be other risks in not allowing dns style access ever that we don't see (which is a weak argument admittedly but it seems like this move could trigger similar proxy/firewall issues to those that started the issue in the first place?).
Generally I would agree here. In this case it's a little tricky. We'd be disabling the ability to use dns style access, which might have unforeseen consequences in similar situations to those that started this issue in the first place? |
|
All settings are costly, because we need to test their use. This is the general problem with s3 repository. Unless we test the different ways these settings can be used, we can't confidently say they work. Keeping the settings minimal means we minimize our s3 test matrix (which is still lacking with the current exposed settings, this PR only adds to the untested cases...). |
|
@rjernst fair point with the tests (I could add another run to execute against |
|
I don't see the risk (other than changing what has been "working" thus far). I see it as standardizing on the newer style requests for s3, which supports any bucket name. |
|
The risk would (imo) be that we are changing the endpoint used by our requests to S3 for everyone. I could see this causing trouble with some restrictive firewalls/proxies (though you could argue that they're in the same situation for newly created buckets which often respond with a ... I guess aside from the below point you won me over (given the Also, one additional risk/annoyance this introduces in tests is that instead of now having to run a loop over |
I would argue testing the dns pattern is very difficult to test with our minio based integration tests, while path based access is relatively easy. |
|
@rjernst but we would have to test the functionality that figures out the correct region? (other than that I agree) |
|
Yes. But the get bucket location is a simple api that we can mimic, and we only need a basic integration test there (that we call the get bucket location api at all). The nuances of mapping region to endpoint can be done by unit tests (which is mostly straightforward for all new endpoints, only legacy endpoints are special iirc). |
|
@original-brownbear Can you summarize what is the proposed solution? Thanks |
|
@tlrx sure, it's just 2 steps :)
Should work fine right? |
|
The SDK already takes cares to find the right region to use when no endpoint is defined and path style access left to the default - I'm wondering if it works similarly when path style access is enabled. Do you know? That would be great, because it means that we'll get it for free and it would play nicely with how S3 clients are created with the lazy blobstore creation as well as when secure settings are reloaded. |
|
@tlrx Last thing I remember was that you had to set the region with path style access enabled. But I will try this and report back, maybe it works out of the box and I'm wrong. |
|
@tlrx huh turns out this does actually work (tested with So maybe we can just enforce path style access without any additional code? |
|
Great! +1 to just use path style access. |
|
I ran some tests and it confirms what I suspected, ie the AWS SDK has some built-in mechanism to resolve the region to use for a given bucket whatever the path style access configuration is. The SDK hits the With path style disabled and no endpoint: With path style disabled and endpoint (http://s3.eu-west-1.amazonaws.com): With path style enabled and no endpoint: With path style enabled and endpoint (http://s3.eu-west-1.amazonaws.com): So I think there's no need to execute an initial GET bucket request as suggested and we can use the SDK default behavior. |
|
I didn't see your update, but nice to see that we found the same results :) Note that enabling path style access is a breaking change and should be documented. |
* Use path style access pattern to fix elastic#31608 * closes elastic#31608
original-brownbear
force-pushed
the
31608
branch
from
69b9f77 to
fc401ab
Compare
|
@tlrx added a line that mentions the exclusive use of path style access now. Not sure where to put the breaking change documentation (or if it's even my job to put it anywhere :))? |
|
@elasticmachine test this please |
docs/plugins/repository-s3.asciidoc
Outdated
| @@ -304,6 +304,8 @@ You may further restrict the permissions by specifying a prefix within the bucke | |||
| The bucket needs to exist to register a repository for snapshots. If you did not create the bucket then the repository | |||
| registration will fail. | |||
|
|
|||
| Note: All bucket operations are using the path style access pattern. The DNS style access pattern is never used. | |||
There was a problem hiding this comment.
I think the AWS terminology is "virtual hosted style"
There was a problem hiding this comment.
Right changing :)
| @@ -112,7 +112,8 @@ AmazonS3 buildClient(final S3ClientSettings clientSettings) { | |||
| // | |||
| // We do this because directly constructing the client is deprecated (was already deprecated in 1.1.223 too) | |||
| // so this change removes that usage of a deprecated API. | |||
| builder.withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration(endpoint, null)); | |||
| builder.withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration(endpoint, null)) | |||
| .withPathStyleAccessEnabled(true); | |||
There was a problem hiding this comment.
Nit: I think the SDK provides a enablePathStyleAccess() method?
There was a problem hiding this comment.
Right, that looks nicer :)
I'd put a mention in the migration doc. I also don't think this should go to 6.6.0 but only in 7.0 |
|
@tlrx thanks for taking a look! All points addressed I think :) |
|
@tlrx ping :) can you take another look here? |
|
+1 This is exactly the issue we're facing with an internal s3 like storage and was going to PR the same approach. @tlrx Please merge. |
|
@tlrx ping :) |
|
@original-brownbear Sorry, I missed the notification. I tend to think that it could go in 7.0 only and I don't like to multiply system properties (I think we only have es.allow_insecure_settings so far) that will need specific tests too.. |
|
@tlrx np I'm on vacation anyway :D I'm fine with only fixing |
docs/plugins/repository-s3.asciidoc
Outdated
| @@ -304,6 +304,8 @@ You may further restrict the permissions by specifying a prefix within the bucke | |||
| The bucket needs to exist to register a repository for snapshots. If you did not create the bucket then the repository | |||
| registration will fail. | |||
|
|
|||
| Note: All bucket operations are using the path style access pattern. The virtual hosted style access pattern is never used. | |||
There was a problem hiding this comment.
Maybe Note: starting [7.0], all bucket...?
| ==== S3 Repository Plugin | ||
|
|
||
| * The plugin now uses the path style access pattern for all requests. | ||
| In previous versions it was automatically determining whether to use virtual hosted style or path style |
There was a problem hiding this comment.
Maybe In previous versions the decision to use virtual hosted style or [..] was automatically determined by the AWS Java SDK
| @@ -112,7 +112,7 @@ AmazonS3 buildClient(final S3ClientSettings clientSettings) { | |||
| // | |||
| // We do this because directly constructing the client is deprecated (was already deprecated in 1.1.223 too) | |||
| // so this change removes that usage of a deprecated API. | |||
| builder.withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration(endpoint, null)); | |||
| builder.withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration(endpoint, null)).enablePathStyleAccess(); | |||
There was a problem hiding this comment.
I think it deserves its own line :)
|
Jenkins test this |
|
@tlrx thanks for the review! |
localhostwhich without the setting leads to the S3 client going for DNS type accesstruein ITs to force path style access again => Same functionality gets tested along with the setting taking effect