Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix S3 provider priorities #10004

Merged
merged 3 commits into from Dec 5, 2023
Merged

fix S3 provider priorities #10004

merged 3 commits into from Dec 5, 2023

Conversation

qqmyers
Copy link
Member

@qqmyers qqmyers commented Oct 11, 2023
edited

What this PR does / why we need it: This PR addresses priority issues that existed between the 3 types of credential providers used by S3 stores. Before - the global role-based creds, if set, would override the per store profile or instance credentials. Now they do not, and static creds won't be ignored if/when a default profile exists in the Unix account running Payara.
The PR also includes removal of a redundant check that the bucket exists that would run for every file access.

Which issue(s) this PR closes:

Closes #10003

Special notes for your reviewer: New priority rules are listed in a source comment. As this is a bug fix, it looks to me like the current guides say the right thing about priorities. So I don't see anything to change in the docs (without doing a big rewrite of the whole S3 setup section!). Similarly, since this is a bug fix for a reasonably rare case (role-based access was broken from 4.20 to 5.13, and you have to be using two different S3 providers), I don't know that anything is needed in the release notes.

Suggestions on how to test this:
Regression testing that S3 setup works. Depending on how far you want to go, you could check all the combinations of EC2 role based access is/isn't set, the S3 store has a .profile set or not, (the profile actually exists in the .aws/credentials file or not), and the static microprofile config is/isn't set and verify that setting a profile or static creds wins over the role based method, profile wins over static when both are set, setting nothing results in the default profile in the .aws/credentials file being used, etc. (I have tested at QDR that this fix works in the case where role-based creds exist and we have an S3 store that has to use a non-default profile instead.)

Does this PR introduce a user interface change? If mockups are available, please link/include them here:

Is there a release notes update needed for this change?:

Additional documentation:

@qqmyers qqmyers added the Size: 3 A percentage of a sprint. 2.1 hours. label Oct 11, 2023
@qqmyers qqmyers modified the milestone: 6.1 Oct 11, 2023
@qqmyers @poikilotherm
Good cleanup
dcca525 
Co-authored-by: Oliver Bertuch <poikilotherm@users.noreply.github.com>
@qqmyers qqmyers added this to the 6.1 milestone Oct 25, 2023
@scolapasta scolapasta added this to Ready for Review ⏩ in IQSS/dataverse (TO BE RETIRED / DELETED in favor of project 34) via automation Oct 26, 2023
@pdurbin
Copy link
Member

pdurbin commented Nov 20, 2023

It would be nice to review and merge our new S3 tests...

... before reviewing, testing, and merging this PR.

@qqmyers qqmyers mentioned this pull request Nov 24, 2023
Closed
@pdurbin pdurbin changed the title IQSS/10003 fix s3 provider priorities fix S3 provider priorities Nov 28, 2023
pdurbin
pdurbin approved these changes Nov 28, 2023
View reviewed changes
Copy link
Member

@pdurbin pdurbin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I haven't tested this but I don't see anything obviously wrong with it. Approved.

IQSS/dataverse (TO BE RETIRED / DELETED in favor of project 34) automation moved this from Ready for Review ⏩ to Ready for QA ⏩ Nov 28, 2023
@jp-tosca jp-tosca self-assigned this Nov 30, 2023
@jp-tosca
Copy link
Contributor

It would be nice to review and merge our new S3 tests...

... before reviewing, testing, and merging this PR.

Do you still think this is the case? @pdurbin

@pdurbin
Copy link
Member

pdurbin commented Nov 30, 2023

It's not a hard requirement or anything.

@landreev landreev self-assigned this Dec 5, 2023
landreev
landreev reviewed Dec 5, 2023
View reviewed changes
src/main/java/edu/harvard/iq/dataverse/dataaccess/S3AccessIO.java
// much but potentially make the failure (in the unlikely case a bucket doesn't
// exist/just disappeared) happen slightly earlier (here versus at the first
// file/metadata access).

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good call.

@landreev
Copy link
Contributor

landreev commented Dec 5, 2023

Looking good.

@landreev landreev merged commit 94fffd8 into IQSS:develop Dec 5, 2023
10 checks passed
IQSS/dataverse (TO BE RETIRED / DELETED in favor of project 34) automation moved this from QA ✅ to Done 🚀 Dec 5, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@landreev landreev landreev left review comments

@poikilotherm poikilotherm poikilotherm left review comments

@pdurbin pdurbin pdurbin approved these changes

Assignees

@landreev landreev

@jp-tosca jp-tosca

Labels
Size: 3 A percentage of a sprint. 2.1 hours.
Projects
IQSS Dataverse Project
Status: No status
IQSS/dataverse (TO BE RETIRED / DELET...
Done 🚀
Milestone
6.1
Development

Successfully merging this pull request may close these issues.

#9206 appears to break non-AWS S3 storage when role-based access is used
5 participants
@qqmyers @pdurbin @jp-tosca @landreev @poikilotherm