unable to backup; error message isn't helping.. #135
Comments
|
Weird. This morning, I also see this in the logs: |
-JZ On Jul 10, 2013, at 9:07 AM, Charlie Schluting notifications@github.com wrote:
|
-JZ |
|
In any event, I'll try to add a better logging messaging for this. On Jul 9, 2013, at 5:15 PM, Charlie Schluting notifications@github.com wrote:
|
|
Thanks - that's what I expected. Log Index Dir is set to /data/exhibitor/, and that directory is owned by zookeeper. I even tried mode 0777 to test if something weird was going on, like some process was dropping privs. Nada. |
|
OK - I'll be building a new Exhibitor in the next day or so and I'll add more logging. Hopefully, that will help get to the bottom of this. -JZ On Jul 10, 2013, at 9:29 AM, Charlie Schluting notifications@github.com wrote:
|
|
The new version of Exhibitor is available. Let me know if the additional logging has helped narrow the issue. |
|
Thanks! Turns out, I now see 'S3 access denied' errors on stdout (of the exhibitor process). But FYI, the Web interface still just says "Access denied" without identifying what it's referring to. Which makes no sense... I'm sure the IAM role is correct. And config syncing to a different bucket (similar policy) is working perfectly. I'm going to ask AWS - BTW love that the transaction ID is in the error message :) |
|
At this point I believe this to be an AWS config issue of some kind and will close the issue. Please re-open if you find something else. |
|
Hi @Randgalt - turns out, Exhibitor tries to list the bucket before even starting indexing. So, if someone (like me!) configures a prefix key, and then uses IAM to grant access only to that path, it will fail. Exhibitor apparently needs access to list the bucket contents too. (i.e. the IAM policy must grant access to the bucket name - with NO trailing slash! - as well as the full path that's being used for backups). I would suggest that Exhibitor only needs to list the bucket+key_prefix, to check for existing backups.. Thanks for your help! |
|
Same issue. 403 because exhibitor attempts to access outside the key-prefix. Once I edited my IAM policy to remove the key prefix restriction, exhibitor worked. This is IMO a legitimate bug... |
|
A PR with the fix would be appreciated. |
I have backups configured for S3. When I try to create an index, I get this in the log:
Tue Jul 09 23:47:17 GMT 2013 ERROR Building Index (Access Denied)
I'm also using s3 to store the configs, and that's working perfectly. I've created an appropriate IAM ACL for the backup location too.
Locally, the Log Index Dir, is owned by the exhibitor user and is writable (but empty).
I even tried strace -f'ing the JVM to see what was denied. I can't see any open() calls to the log index dir failing.
How can I get more verbose logging? Or, if anyone has ideas about what to check RE: 'Access Denied', I'm all ears :)
TIA
(running 1.4.8)
The text was updated successfully, but these errors were encountered: