Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cloud-aws plugin: Option to explicitly set x-amz-acl: Private #14103

Closed
JamesBromberger opened this issue Oct 14, 2015 · 5 comments

Comments

Projects
None yet
4 participants
@JamesBromberger
Copy link

commented Oct 14, 2015

While ACL Private is a default, it would be nice to permit ElasticSearch nodes to explicitly set the desired ACL for the snapshots they create. This can then be validated by an S3 Bucket Policy, which can reject clients that try to upload objects to S3 that aren't set as Private.

http://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html
http://docs.aws.amazon.com/AmazonS3/latest/dev/using-iam-policies.html

@clintongormley

This comment has been minimized.

Copy link
Member

commented Oct 14, 2015

@dadoonet thoughts?

@dadoonet

This comment has been minimized.

Copy link
Member

commented Oct 14, 2015

It makes sense to me to support such an option.

@clintongormley clintongormley added help wanted and removed discuss labels Oct 14, 2015

@clintongormley

This comment has been minimized.

Copy link
Member

commented Oct 14, 2015

@JamesBromberger fancy sending a PR?

@JamesBromberger

This comment has been minimized.

Copy link
Author

commented Oct 14, 2015

Sorry, I'm not a Java dev, so I have no faith that any Java I would try would even compile. But a rough draft as a patch, totally untested, uncompiled, and unsure if this helps:
https://www.james.rcpt.to/misc/elasticsearch-repo-s3-cannedACL.diff

@JamesBromberger

This comment has been minimized.

Copy link
Author

commented Oct 27, 2015

Would be useful to also permit admins to set an "x-amz-acl" header of "bucket-owner-full-control" to enable sending snapshots to an S3 bucket owned by another account for escrow/compliance purposes and letting that separate account own the objects deposited there.

http://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example3.html

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.