Manager restore error (kms_error AccessDeniedException) for multiDC cluster with EAR enabled #3871
Comments
|
@fruch |
So, as a first step check the |
|
Hey @vponomaryov, Thanks for your reply.
|
No. Scylla gets configured with the KMS keys by their aliases. It doesn't check keys equality.
Again, need to understand the steps done in the test and why it is so? I don't see proofs that the mgmt test approach is correct. |
I got your point. Okay, I need to dig deeper into the test itself because what I did is only changed the version of Scylla (from 2022 to 2024) for the
Agree. |
|
@vponomaryov I'm wondering does the current implementation allow to disable Scylla Encryption? From what I see in the code the encryption will be enabled by default for:
And I don't see any ways to correctly disable it except providing any non-equal to |
Just update the config the following way: |
Got it, thanks |
|
Just to emphasize, the scylla causing the issue is the one installed on the monitor node for manager We never tested it with KMS enabled, since the SCT code is written to enable KMS by default in the supported versions, it got enabled. There is no reason it shouldn't be working, I'm guessing it's just a configuration error picking the wrong region in scylla.yaml configuration, and should be fixed. |
Hm, I thought that the problem is in cluster nodes (in one of the region) because while going through logs I've seen this error for @fruch How to understand that the problem here is related to monitor node? |
I take it back, I was confused cause of the name of node had manger in it Yes it's the DB nodes, and yes the expectation is that the manager is putting the stables back in the same nodes or at least the same region I don't know what the cloud did by default, but if it's not multi-region keys, restore for multi region setup would be broken We can't disable KMS before understanding the situation |
@karol-kokoszka Could you please elaborate on this? |
To make it working the way that SSTables are sent to the same region (DC), you must specify the DC when adding location to the restore task https://manager.docs.scylladb.com/stable/sctool/restore.html#l-location "The format is [:]:. The parameter is optional. It allows you to specify the datacenter whose nodes will be used to restore the data from this location in a multi-dc setting, it must match Scylla nodes datacenter. By default, all live nodes are used to restore data from specified locations." If the DC is not specified in the location, then it may be sent to any node. I guess you must restore multiDC cluster, DC by DC when the encryption at rest is enabled. |
It means that backup should be also done with --location option specified with every cluster's DC, right? |
I don't think it's necessary. |
In such case I suppose, I need to know which DC to use during restoring and specifically which key was used to encrypt the SSTables during backup, right? Does sctool provides such opportunity? |
SCTool does not concern itself with encryption at rest and is not aware of the keys used to encrypt SSTables. Therefore, it is unnecessary for you to know which keys were used during the backup process. It is the responsibility of the Scylla server to manage decryption of the data. When SM (presumably Scylla Manager) employs the load & stream feature for restoration, it calls the Scylla server and passes the SSTable. Subsequently, Scylla is tasked with identifying the appropriate node to which the SSTable should be streamed. I presume that Scylla must first decrypt the SSTable in order to determine the correct destination for streaming. In the scenario you described with this issue, there is a possibility that an SSTable encrypted with a key stored in a different region was sent to a node lacking access to the Key Management Service (KMS) in that region. To mitigate this issue, it is advisable to restore data center (DC) by data center (DC), ensuring that SSTables encrypted with a specific key (e.g., key A) are decrypted with the corresponding key A. |
Thanks a lot for detailed explanation, I'll experiment |
|
@karol-kokoszka could you please take a look? I made an attempt to restore specifying two locations - one for every DC. |
|
@mikliapko this is somewhat of SM limitation/bug - that you can't specify given location with many DCs and other location with other DC. How many DCs do you have in the restore destination cluster? If only mentioned 2, then you can run restore with a single location without DC specified (it will use all nodes with location access for restoring the data). |
|
@Michal-Leszczynski the goal is to restore DC by DC. And to send node data from DC A to the nodes from DC A. @mikliapko Please just use separate restore tasks, one per DC. |
|
But something like this is not supported by SM right now. When location is specified, nodes with access (or nodes from specified DC with access) to it restore the whole backup data from this location. So one would need truly separate backup locations for this purpose. |
If so, then this is a bug, that we must address in some of the upcoming releases. Backup location structure, explicitly defines the tree path to exact DC. Restore must take advantage of it. We may have problems with multiDC EaR without it. |
Sanity tests on debian11, ubuntu22 and ubuntu24 switched to be run on multiDC cluster. This configuration was already in place some time ago before issue scylladb/scylla-manager#3871 was found. After that Manager jobs were switched to run only on singleDC cluster (scylladb#7435). And since the fix for Manager is ready now, multiDC setup can be brought back.
Now, even if host failed to restore given batch it can still try to restore batches originating from different dcs. This improves retries in general, but also should help with #3871.
Now, even if host failed to restore given batch it can still try to restore batches originating from different dcs. This improves retries in general, but also should help with #3871.
|
Funny thing - I switched some of Manager tests back to run on multiDC cluster - they work, no failures. @vponomaryov I suppose you should know better if there were any changes to SCT that might have resulted in such behavior? |
@fruch Perhaps you know something about it? |
I don't know, you'll have to look into the logs to confirm KMS was working at all. We didn't change the way kms is setup since this issue was opened. Maybe the test is now shorted and we haven't yet rotated the keys ? (I don't remember the initial issue here) |
It shouldn't be something related to rotation, I believe, since the initial issue was related to the single-region keys. Alright, I'll dig deeper into what might have changed since that time. |
Sanity tests on debian11, ubuntu22 and ubuntu24 switched to be run on multiDC cluster. This configuration was already in place some time ago before issue scylladb/scylla-manager#3871 was found. After that Manager jobs were switched to run only on singleDC cluster (scylladb#7435). And since the fix for Manager is ready now, multiDC setup can be brought back.
|
@fruch @vponomaryov For my case, I have multiDC cluster with nodes in two regions - I suppose this issue was introduced here since changing the line from: to: resolved configuration issue. |
|
SCT issue reported - scylladb/scylla-cluster-tests#9025 |
* feat(restore): make batches retryable Now, if batch restoration failed on one node, it can still be retried by other nodes. Failed node is no longer used for the restore. Fixes #4065 * feat(restore_test): test batch retry This commit adds TestRestoreTablesBatchRetryIntegration, which injects errors during download and LAS step and validates that restore finished successfully despite them (thanks to batch retries). * refactor(restore): flatten workload structure After giving it some more thought, I decided to flatten workload structure. Instead of having location/table/dir layers, now everything operates on the dir layer. It makes the implementation easier, especially for the upcoming changes related to node retries. * feat(restore): add host retries Now, even if host failed to restore given batch it can still try to restore batches originating from different dcs. This improves retries in general, but also should help with #3871. * feat(restore): extend batch test with host retry This commit extends TestBatchDispatcher to include failures in its scenario and to validate host retry in a different datacenter. * refactor(restore): make batchDispatcher more comprehensible Previously Workload structure was created during indexing and was updated during batching in order to keep its progress. This was confusing, because it wasn't obvious whether size and SSTable fields were describing the initial Workload state or the updated one. This commit makes it so Workload structure is not changed during batching. Instead, workloadProgress was added to in order to store batching progress. Moreover, this commit also adds a lot of documentation about batchDispatcher internal behavior. * fix(restore): free host when it can't restore anymore Consider a scenario with parallel=1 and multi-dc and multi-location. Note that SM is using 'parallel.Run' for restoring in parallel. Note that previous batching changes made host hang in 'batchDispatcher.DispatchBatch' if there were no more SSTables to restore, because it was still possible that another node failed to restore some SSTables, so that the hanging host could be awakened and restore failed SSTables returned to batchDispatcher. All of this meant that batching process could hang, because 'parallel.Run' would allow only a single host to restore SSTables at the time, but batching mechanism wouldn't free it until all SSTables are restored. Another scenario when batching mechanism could fail would be that all hosts failed (with re-tries) to restore all SSTables. Because of that, I changed batching mechanism to be more DC oriented. Now, 'workloadProgress' keeps track of remaining bytes to be restored per DC, and it also keeps host DC access instead of location access (the assumption being that a single DC can be backed up to only single location). This information allow to free hosts that can't restore any SSTables because they either already failed to restore some SSTables from given DCs, or all SSTables from given DCs were already restored. * feat(restore): improve context cancelling during batching I'm not sure if previous behavior was bugged, but changes introduced in this commit should make it more clear that batching mechanism respects context cancellation. This commit also adds a simple test validating that pausing restore during batching ends quickly.
|
Issue description
Manager restore operation returns
kms_error AccessDeniedExceptionfor multiDC cluster with EAR enabled.Full error message:
Found exception: kms_error (AccessDeniedException: User: arn:aws:iam::797456418907:role/qa-scylla-manager-backup-role is not authorized to perform: kms:Decrypt on the resource associated with this ciphertext because the resource does not exist in this Region, no resource-based policies allow access, or a resource-based policy explicitly denies access)The issue has been observed just recently after we tried to switch Managet SCT tests to run against Scylla 2024.1 instead of 2022.
Impact
The restore operation returns this error multiple times during one run but the whole process finishes successfully. The reason of that I suppose in kms availability of some nodes of the cluster.
How frequently does it reproduce?
Every restore operation performed in such configuration.
Installation details
SCT Version: 31ff1e87d830ce7fe2587e0c609d113d2f66f8a4
Scylla version (or git commit hash): 2024.1.3-20240401.64115ae91a55
Logs
The text was updated successfully, but these errors were encountered: