Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

s3 repository canned_acl is not working for some files during snapshot creation #32365

Closed
point911 opened this issue Jul 25, 2018 · 8 comments
Closed

s3 repository canned_acl is not working for some files during snapshot creation #32365

point911 opened this issue Jul 25, 2018 · 8 comments
Assignees
@tlrx
Labels
:Distributed Coordination/Snapshot/Restore Anything directly related to the `_snapshot/*` APIs

Comments

@point911
Copy link

Elasticsearch version (bin/elasticsearch --version): 6.3.2

Plugins installed: ["repository-s3"]

JVM version (java -version): javac 1.8.0_141

OS version (uname -a if on a Unix-like system): 4.14.51-60.38.amzn1.x86_64

Description of the problem including expected versus actual behavior:

We have an ES cluster in AWS. When we want to take a snapshot we are doing into S3 bucket which is located in another account.
when we creating an S3 repository in elastic search we enabling following option:

"canned_acl": "bucket-owner-full-control"

Not all files from snapshot have ACL for full control for bucket owner.
Files which DO NOT HAVE proper permissions.
1 . All files which have index-0 in their's name
2. index.latest
3. incompatible-snapshots.

All other files have correct ACL both for snapshot creator account and bucket owner account.

Steps to reproduce:

  1. Setup ES cluster in AWS account 1.
  2. Setup S3 bucket in AWS account 2.
  3. Grant permissions to ES to save snapshots to S3 bucket in AWS account 2.
  4. Setup a repository in ES cluster with option "canned_acl": "bucket-owner-full-control"
  5. Create a snapshot.
  6. Check file permissions for files with names index-0, index.latest and incompatible-snapshots.
    They will not have bucket owner FULL ADMIN permissions
    aws s3api get-object-acl --bucket BUCKET_NAME --key PATH_TO_S3_OBJECT

Provide logs (if relevant):
@colings86 colings86 added the :Distributed Coordination/Snapshot/Restore Anything directly related to the `_snapshot/*` APIs label Jul 26, 2018
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-distributed

@bleskes
Copy link
Contributor

bleskes commented Jul 28, 2018

@tlrx welcome back. Do you mind taking a look?

@bnm22
Copy link

bnm22 commented Aug 23, 2018

+1

I am having the exact same issue.

Version 6.3.0

@bnumber1
Copy link

+1

@bnm22
Copy link

bnm22 commented Aug 24, 2018

Do we have any workaround ideas for this issue?

@point911
Copy link
Author

point911 commented Sep 4, 2018

Any chance to look into this? @bleskes @tlrx

@maczes
Copy link

maczes commented Sep 13, 2018

Same issue. ES:
"version" : {
"number" : "6.2.3",
"build_hash" : "0fd46e9",
"build_date" : "2018-07-16T10:43:54.041989Z",
"build_snapshot" : false,
"lucene_version" : "7.2.1",
...
}

@original-brownbear
Copy link
Member

This isn't an issue anymore. in older versions prior to #31100 we were not setting the canned acl when doing a move so the blobs that were uploaded via atomic writes (index-N and the like as mentioned in the issue description) wouldn't get the canned ACL.
-> closing

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tlrx tlrx

Labels
:Distributed Coordination/Snapshot/Restore Anything directly related to the `_snapshot/*` APIs
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
9 participants
@colings86 @tlrx @bleskes @point911 @maczes @original-brownbear @elasticmachine @bnm22 @bnumber1