Default S3 endpoint scheme to HTTPS when not specified #127489
Conversation
nicktindall
added
>bug
:Distributed Coordination/Snapshot/Restore
elasticsearchmachine
added
Team:Distributed Coordination
|
Pinging @elastic/es-distributed-coordination (Team:Distributed Coordination) |
|
Hi @nicktindall, I've created a changelog YAML for you. |
|
The change makes sense to me. Just a minor comment on the label: Since #126843 is not released, this PR should be a |
| if ((endpoint.startsWith("http://") || endpoint.startsWith("https://")) == false) { | ||
| // Default protocol to https if not specified | ||
| // See https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/client-configuration.html#client-config-other-diffs | ||
| endpoint = "https://" + endpoint; |
There was a problem hiding this comment.
Another minor comment: It might be useful to have an INFO log here? If the cluster was relying on an explicit http protocol setting and default to https here would not work for them. In that case, it feels useful to see a log message to indicate this have happened? Since #126843 is a breaking change, I am not entirely sure what the expectation is for end-users. It would be a moot point if they are expected to fix the protocol and endpoint settings before upgrade.
There was a problem hiding this comment.
That's a good point, I'll add one
There was a problem hiding this comment.
Added in d3836c4
modules/repository-s3/src/main/java/org/elasticsearch/repositories/s3/S3Service.java
Outdated
Show resolved
Hide resolved
modules/repository-s3/src/main/java/org/elasticsearch/repositories/s3/S3Service.java
Show resolved
Hide resolved
| // Default protocol to https if not specified | ||
| // See https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/client-configuration.html#client-config-other-diffs | ||
| endpoint = "https://" + endpoint; | ||
| LOGGER.info("Defaulting to https for endpoint with no scheme [{}]", clientSettings.endpoint); |
There was a problem hiding this comment.
For other backward compatibility issues that we handle gracefully, we added a WARN log message. Since AWS requires a scheme on the endpoint, I'm leaning towards a WARN here, too.
IIUC, this is a stop-gap for CP-10914 to fix the issue? If the downstream teams intend to change this, then their warning message would eventually be fixed, and that sounds reasonable to me. I think I ideally we wouldn't want to support this forever?
There was a problem hiding this comment.
Yes, perhaps we need to update documentation for the setting also to indicate that scheme is required.
There was a problem hiding this comment.
Fixed in 0365fda
There was a problem hiding this comment.
The documentation still has an example without a scheme in it. It also still talks about the protocol property. I don't know where that documentation lives now, but it's not in this repo. We should create a ticket to update it to reflect the upgrade at some point, if that work is not already planned.
There was a problem hiding this comment.
If you click "Edit this page" on the documentation, it takes you to https://github.com/elastic/docs-content/edit/main/deploy-manage/tools/snapshot-and-restore/s3-repository.md
There was a problem hiding this comment.
Thanks! TIL. I'll add a second PR to address these changes.
There was a problem hiding this comment.
PR up here elastic/docs-content#1356
modules/repository-s3/src/main/java/org/elasticsearch/repositories/s3/S3Service.java
Outdated
Show resolved
Hide resolved
modules/repository-s3/src/test/java/org/elasticsearch/repositories/s3/S3ServiceTests.java
Outdated
Show resolved
Hide resolved
…ries/s3/S3Service.java Co-authored-by: Dianna Hohensee <[email protected]>
modules/repository-s3/src/main/java/org/elasticsearch/repositories/s3/S3Service.java
Outdated
Show resolved
Hide resolved
modules/repository-s3/src/main/java/org/elasticsearch/repositories/s3/S3Service.java
Outdated
Show resolved
Hide resolved
…ries/s3/S3Service.java Co-authored-by: Dianna Hohensee <[email protected]>
…ries/s3/S3Service.java Co-authored-by: Dianna Hohensee <[email protected]>
There was a problem hiding this comment.
+1 to this quick fix to address the ECH use case, but then I think we should follow-up with one that chooses between http and https according to the .protocol client setting to preserve the SDKv1 behaviour. I still think .protocol should be deprecated, we don't need to support both ways to set the URL scheme; I will be opening a breaking-change proposal to recommend the removal of all the SDK-bwc shims in v10, including this one.
(cherry picked from commit 8dc6bf8)
The `s3.client.CLIENT_NAME.protocol` setting became unused in elastic#126843 as it is inapplicable in the v2 SDK. However, the v2 SDK requires the `s3.client.CLIENT_NAME.endpoint` setting to be a URL that includes a scheme, so in elastic#127489 we prepend a `https://` to the endpoint if needed. This commit generalizes this slightly so that we prepend `http://` if the endpoint has no scheme and the `.protocol` setting is set to `http`.
The `s3.client.CLIENT_NAME.protocol` setting became unused in #126843 as it is inapplicable in the v2 SDK. However, the v2 SDK requires the `s3.client.CLIENT_NAME.endpoint` setting to be a URL that includes a scheme, so in #127489 we prepend a `https://` to the endpoint if needed. This commit generalizes this slightly so that we prepend `http://` if the endpoint has no scheme and the `.protocol` setting is set to `http`.
The `s3.client.CLIENT_NAME.protocol` setting became unused in elastic#126843 as it is inapplicable in the v2 SDK. However, the v2 SDK requires the `s3.client.CLIENT_NAME.endpoint` setting to be a URL that includes a scheme, so in elastic#127489 we prepend a `https://` to the endpoint if needed. This commit generalizes this slightly so that we prepend `http://` if the endpoint has no scheme and the `.protocol` setting is set to `http`. Backport of elastic#127744 to `8.19`
* Reinstate use of S3 `protocol` client setting The `s3.client.CLIENT_NAME.protocol` setting became unused in #126843 as it is inapplicable in the v2 SDK. However, the v2 SDK requires the `s3.client.CLIENT_NAME.endpoint` setting to be a URL that includes a scheme, so in #127489 we prepend a `https://` to the endpoint if needed. This commit generalizes this slightly so that we prepend `http://` if the endpoint has no scheme and the `.protocol` setting is set to `http`. Backport of #127744 to `8.19` * Fix up warning assertions
The `s3.client.CLIENT_NAME.protocol` setting became unused in elastic#126843 as it is inapplicable in the v2 SDK. However, the v2 SDK requires the `s3.client.CLIENT_NAME.endpoint` setting to be a URL that includes a scheme, so in elastic#127489 we prepend a `https://` to the endpoint if needed. This commit generalizes this slightly so that we prepend `http://` if the endpoint has no scheme and the `.protocol` setting is set to `http`.
The `s3.client.CLIENT_NAME.protocol` setting became unused in elastic#126843 as it is inapplicable in the v2 SDK. However, the v2 SDK requires the `s3.client.CLIENT_NAME.endpoint` setting to be a URL that includes a scheme, so in elastic#127489 we prepend a `https://` to the endpoint if needed. This commit generalizes this slightly so that we prepend `http://` if the endpoint has no scheme and the `.protocol` setting is set to `http`.
The protocol configuration option was removed in the AWS v2 client
Our interpretation of that was that we could provide a host name and the scheme would be defaulted/derived. The code appears to contradict that. While you can't specify the protocol using the
setProtocolanymore, it seems if you want to specify an endpoint override, it must include a scheme in the URI.See validation here
This PR just appends
https://when no scheme is specified. This seemed to match the defaulting of the new builder now thatsetProtocolhas been removed.We used to have code that used our
s3.client.{client-name}.protocolsetting to prepend a scheme if it were missing:elasticsearch/modules/repository-s3/src/main/java/org/elasticsearch/repositories/s3/S3Service.java
Lines 205 to 222 in 4ce1d9c
I thought it was better to match the new client behaviour (defaulting to HTTPS) rather than resurrecting the
s3.client.{client-name}.protocolsetting (which was deprecated in the client upgrade). It seems the linked issue is not relevant to the v2 client behaviour.You can still use a HTTP server by setting the scheme explicitly in the
s3.client.{client-name}.endpointRelates: CP-10914