Do not override named S3 client credentials #33793
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
In cases when mixed secure S3 client credentials and insecure S3 client credentials were used (that is, those defined on the repository), we were overriding the credentials from the repository using insecure settings to all the repositories. This commit fixes this by not mixing up repositories that use insecure settings with those that use secure settings.
jasontedor
added
>bug
blocker
review
:Distributed/Snapshot/Restore
|
Pinging @elastic/es-distributed |
tlrx
approved these changes
Sep 19, 2018
| static S3ClientSettings getClientSettings(final RepositoryMetaData metadata, final AWSCredentials credentials) { | ||
| final Settings.Builder builder = Settings.builder(); | ||
| for (final String key : metadata.settings().keySet()) { | ||
| builder.put(PREFIX + "dummy" + "." + key, metadata.settings().get(key)); |
There was a problem hiding this comment.
Nit: can we use something different than dummy? Like "deprecated" or "provided_credentials"
tlrx
reviewed
Sep 19, 2018
| @@ -200,21 +201,40 @@ | |||
|
|
|||
| this.storageClass = STORAGE_CLASS_SETTING.get(metadata.settings()); | |||
| this.cannedACL = CANNED_ACL_SETTING.get(metadata.settings()); | |||
|
|
|||
| if (CLIENT_NAME.exists(metadata.settings()) && S3ClientSettings.checkDeprecatedCredentials(metadata.settings())) { | |||
| logger.warn("ignoring use of named client [" + metadata.name() + "] as insecure credentials were specified"); | |||
There was a problem hiding this comment.
Thanks for adding this warning. Since metadata.name() refers to the repository name, we could maybe change this to: "ignoring use of named client for repository ["
* master: (46 commits) Fixing assertions in integration test (elastic#33833) [CCR] Rename idle_shard_retry_delay to poll_timout in auto follow patterns (elastic#33821) HLRC: Delete ML calendar (elastic#33775) Move DocsStats into Engine (elastic#33835) [Docs] Clarify accessing Date methods in painless (elastic#33560) add elasticsearch-shard tool (elastic#32281) Cut over to unwrap segment reader (elastic#33843) SQL: Fix issue with options for QUERY() and MATCH(). (elastic#33828) Emphasize that filesystem-level backups don't work (elastic#33102) Use the global doc id to generate a random score (elastic#33599) Add minimal sanity checks to custom/scripted similarities. (elastic#33564) Profiler: Don’t profile NEXTDOC for ConstantScoreQuery. (elastic#33196) [CCR] Change FollowIndexAction.Request class to be more user friendly (elastic#33810) SQL: day and month name functions tests locale providers enforcement (elastic#33653) TESTS: Set SO_LINGER = 0 for MockNioTransport (elastic#32560) Test: Relax jarhell gradle test (elastic#33787) [CCR] Fail with a descriptive error if leader index does not exist (elastic#33797) Add ES version 6.4.2 (elastic#33831) MINOR: Remove Some Dead Code in Scripting (elastic#33800) Ensure realtime `_get` and `_termvectors` don't run on the network thread (elastic#33814) ...
jasontedor
added a commit
that referenced
this pull request
Sep 19, 2018
In cases when mixed secure S3 client credentials and insecure S3 client credentials were used (that is, those defined on the repository), we were overriding the credentials from the repository using insecure settings to all the repositories. This commit fixes this by not mixing up repositories that use insecure settings with those that use secure settings.
jasontedor
added a commit
that referenced
this pull request
Sep 19, 2018
In cases when mixed secure S3 client credentials and insecure S3 client credentials were used (that is, those defined on the repository), we were overriding the credentials from the repository using insecure settings to all the repositories. This commit fixes this by not mixing up repositories that use insecure settings with those that use secure settings.
|
Thanks for reviewing @albertzaharovits and @tlrx. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In cases when mixed secure S3 client credentials and insecure S3 client credentials were used (that is, those defined on the repository), we were overriding the credentials from the repository using insecure settings to all the repositories. This commit fixes this by not mixing up repositories that use insecure settings with those that use secure settings.
Closes #33769