Elasticsearch: s3 repository canned_acl is not working for some files during snapshot creation

Created on 25 Jul 2018  路  8Comments  路  Source: elastic/elasticsearch

Elasticsearch version (bin/elasticsearch --version): 6.3.2

Plugins installed: ["repository-s3"]

JVM version (java -version): javac 1.8.0_141

OS version (uname -a if on a Unix-like system): 4.14.51-60.38.amzn1.x86_64

Description of the problem including expected versus actual behavior:

We have an ES cluster in AWS. When we want to take a snapshot we are doing into S3 bucket which is located in another account.
when we creating an S3 repository in elastic search we enabling following option:

"canned_acl": "bucket-owner-full-control"

Not all files from snapshot have ACL for full control for bucket owner.
Files which DO NOT HAVE proper permissions.
1 . All files which have index-0 in their's name

  1. index.latest
  2. incompatible-snapshots.

All other files have correct ACL both for snapshot creator account and bucket owner account.

Steps to reproduce:

  1. Setup ES cluster in AWS account 1.
  2. Setup S3 bucket in AWS account 2.
  3. Grant permissions to ES to save snapshots to S3 bucket in AWS account 2.
  4. Setup a repository in ES cluster with option "canned_acl": "bucket-owner-full-control"
  5. Create a snapshot.
  6. Check file permissions for files with names index-0, index.latest and incompatible-snapshots.
    They will not have bucket owner FULL ADMIN permissions
    aws s3api get-object-acl --bucket BUCKET_NAME --key PATH_TO_S3_OBJECT

Provide logs (if relevant):

:DistributeSnapshoRestore
Source
picture point911
👍3

All 8 comments

Pinging @elastic/es-distributed

elasticmachine picture elasticmachine on 26 Jul 2018

@tlrx welcome back. Do you mind taking a look?

bleskes picture bleskes on 28 Jul 2018

+1

I am having the exact same issue.

Version 6.3.0

bnm22 picture bnm22 on 23 Aug 2018

+1

bnumber1 picture bnumber1 on 23 Aug 2018
👍1

Do we have any workaround ideas for this issue?

bnm22 picture bnm22 on 24 Aug 2018
👍1

Any chance to look into this? @bleskes @tlrx

point911 picture point911 on 4 Sep 2018
👍1

Same issue. ES:
"version" : {
"number" : "6.2.3",
"build_hash" : "0fd46e9",
"build_date" : "2018-07-16T10:43:54.041989Z",
"build_snapshot" : false,
"lucene_version" : "7.2.1",
...
}

maczes picture maczes on 13 Sep 2018

This isn't an issue anymore. in older versions prior to https://github.com/elastic/elasticsearch/pull/31100 we were not setting the canned acl when doing a move so the blobs that were uploaded via atomic writes (index-N and the like as mentioned in the issue description) wouldn't get the canned ACL.
-> closing

original-brownbear picture original-brownbear on 19 Sep 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

ttaranov picture ttaranov  路  3Comments
jpountz picture jpountz  路  3Comments
abtpst picture abtpst  路  3Comments
dadoonet picture dadoonet  路  3Comments
malpani picture malpani  路  3Comments