Default S3 endpoint scheme to HTTPS when not specified #127489
Conversation
nicktindall
added
>bug
:Distributed Coordination/Snapshot/Restore
elasticsearchmachine
added
Team:Distributed Coordination
|
Pinging @elastic/es-distributed-coordination (Team:Distributed Coordination) |
|
Hi @nicktindall, I've created a changelog YAML for you. |
|
The change makes sense to me. Just a minor comment on the label: Since #126843 is not released, this PR should be a |
| if ((endpoint.startsWith("http://") || endpoint.startsWith("https://")) == false) { | ||
| // Default protocol to https if not specified | ||
| // See https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/client-configuration.html#client-config-other-diffs | ||
| endpoint = "https://" + endpoint; |
There was a problem hiding this comment.
Another minor comment: It might be useful to have an INFO log here? If the cluster was relying on an explicit http protocol setting and default to https here would not work for them. In that case, it feels useful to see a log message to indicate this have happened? Since #126843 is a breaking change, I am not entirely sure what the expectation is for end-users. It would be a moot point if they are expected to fix the protocol and endpoint settings before upgrade.
There was a problem hiding this comment.
That's a good point, I'll add one
There was a problem hiding this comment.
Added in d3836c4
| s3clientBuilder.endpointOverride(URI.create(clientSettings.endpoint)); | ||
| String endpoint = clientSettings.endpoint; | ||
| if ((endpoint.startsWith("http://") || endpoint.startsWith("https://")) == false) { | ||
| // Default protocol to https if not specified |
There was a problem hiding this comment.
| // Default protocol to https if not specified | |
| // The SDK does not know how to interpret endpoints without a scheme prefix and will error. Therefore, when the scheme is | |
| // absent, we'll supply HTTPS as a default to avoid errors. |
| @@ -254,7 +254,14 @@ protected S3ClientBuilder buildClientBuilder(S3ClientSettings clientSettings, Sd | |||
| } | |||
|
|
|||
| if (Strings.hasLength(clientSettings.endpoint)) { | |||
| s3clientBuilder.endpointOverride(URI.create(clientSettings.endpoint)); | |||
| String endpoint = clientSettings.endpoint; | |||
| if ((endpoint.startsWith("http://") || endpoint.startsWith("https://")) == false) { | |||
There was a problem hiding this comment.
I don't understand why the original code, and now this code, prepends HTTP endpoints with HTTPS? Am I misreading this somehow? 🤔 endpoint.startsWith("https://")) == false would override everything.
| // Default protocol to https if not specified | ||
| // See https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/client-configuration.html#client-config-other-diffs | ||
| endpoint = "https://" + endpoint; | ||
| LOGGER.info("Defaulting to https for endpoint with no scheme [{}]", clientSettings.endpoint); |
There was a problem hiding this comment.
For other backward compatibility issues that we handle gracefully, we added a WARN log message. Since AWS requires a scheme on the endpoint, I'm leaning towards a WARN here, too.
IIUC, this is a stop-gap for CP-10914 to fix the issue? If the downstream teams intend to change this, then their warning message would eventually be fixed, and that sounds reasonable to me. I think I ideally we wouldn't want to support this forever?
| // Default protocol to https if not specified | ||
| // See https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/client-configuration.html#client-config-other-diffs | ||
| endpoint = "https://" + endpoint; | ||
| LOGGER.info("Defaulting to https for endpoint with no scheme [{}]", clientSettings.endpoint); |
There was a problem hiding this comment.
Could you make this message more like other warnings we have that explain what should have been done and how to fix it?
It's a feature of AWS, at this point, not a bug, so it would be best for users to convert to the interface expectations, and not for us to handle it, I'm thinking.
| mock(ResourceWatcherService.class), | ||
| () -> Region.of("es-test-region") | ||
| ); | ||
| String servername = randomIdentifier() + ".ignore"; |
There was a problem hiding this comment.
endpointWithoutScheme?
servername seems like surprising terminology, but maybe I'm missing the context.
The protocol configuration option was removed in the AWS v2 client
Our interpretation of that was that we could provide a host name and the scheme would be defaulted/derived. The code appears to contradict that. While you can't specify the protocol using the
setProtocolanymore, it seems if you want to specify an endpoint override, it must include a scheme in the URI.See validation here
This PR just appends
https://when no scheme is specified. This seemed to match the defaulting of the new builder now thatsetProtocolhas been removed.We used to have code that used our
s3.client.{client-name}.protocolsetting to prepend a scheme if it were missing:elasticsearch/modules/repository-s3/src/main/java/org/elasticsearch/repositories/s3/S3Service.java
Lines 205 to 222 in 4ce1d9c
I thought it was better to match the new client behaviour (defaulting to HTTPS) rather than resurrecting the
s3.client.{client-name}.protocolsetting (which was deprecated in the client upgrade). It seems the linked issue is not relevant to the v2 client behaviour.You can still use a HTTP server by setting the scheme explicitly in the
s3.client.{client-name}.endpointRelates: CP-10914