Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix S3 provider priorities #10004

Conversation

qqmyers
Copy link
Member

@qqmyers qqmyers commented Oct 11, 2023

What this PR does / why we need it: This PR addresses priority issues that existed between the 3 types of credential providers used by S3 stores. Before - the global role-based creds, if set, would override the per store profile or instance credentials. Now they do not, and static creds won't be ignored if/when a default profile exists in the Unix account running Payara.
The PR also includes removal of a redundant check that the bucket exists that would run for every file access.

Which issue(s) this PR closes:

Closes #10003

Special notes for your reviewer: New priority rules are listed in a source comment. As this is a bug fix, it looks to me like the current guides say the right thing about priorities. So I don't see anything to change in the docs (without doing a big rewrite of the whole S3 setup section!). Similarly, since this is a bug fix for a reasonably rare case (role-based access was broken from 4.20 to 5.13, and you have to be using two different S3 providers), I don't know that anything is needed in the release notes.

Suggestions on how to test this:
Regression testing that S3 setup works. Depending on how far you want to go, you could check all the combinations of EC2 role based access is/isn't set, the S3 store has a .profile set or not, (the profile actually exists in the .aws/credentials file or not), and the static microprofile config is/isn't set and verify that setting a profile or static creds wins over the role based method, profile wins over static when both are set, setting nothing results in the default profile in the .aws/credentials file being used, etc. (I have tested at QDR that this fix works in the case where role-based creds exist and we have an S3 store that has to use a non-default profile instead.)

Does this PR introduce a user interface change? If mockups are available, please link/include them here:

Is there a release notes update needed for this change?:

Additional documentation:

@qqmyers qqmyers added the Size: 3 A percentage of a sprint. 2.1 hours. label Oct 11, 2023
@qqmyers qqmyers modified the milestone: 6.1 Oct 11, 2023
Co-authored-by: Oliver Bertuch <poikilotherm@users.noreply.github.com>
@qqmyers qqmyers added this to the 6.1 milestone Oct 25, 2023
@pdurbin
Copy link
Member

pdurbin commented Nov 20, 2023

It would be nice to review and merge our new S3 tests...

... before reviewing, testing, and merging this PR.

@pdurbin pdurbin changed the title IQSS/10003 fix s3 provider priorities fix S3 provider priorities Nov 28, 2023
Copy link
Member

@pdurbin pdurbin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I haven't tested this but I don't see anything obviously wrong with it. Approved.

@jp-tosca jp-tosca self-assigned this Nov 30, 2023
@jp-tosca
Copy link
Contributor

It would be nice to review and merge our new S3 tests...

... before reviewing, testing, and merging this PR.

Do you still think this is the case? @pdurbin

@pdurbin
Copy link
Member

pdurbin commented Nov 30, 2023

It's not a hard requirement or anything.

@landreev landreev self-assigned this Dec 5, 2023
// much but potentially make the failure (in the unlikely case a bucket doesn't
// exist/just disappeared) happen slightly earlier (here versus at the first
// file/metadata access).

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good call.

@landreev
Copy link
Contributor

landreev commented Dec 5, 2023

Looking good.

@landreev landreev merged commit 94fffd8 into IQSS:develop Dec 5, 2023
9 checks passed
@qqmyers qqmyers deleted the IQSS/10003-fix_S3_provider_priorities branch May 17, 2024 18:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Size: 3 A percentage of a sprint. 2.1 hours.
Projects
Status: No status
Development

Successfully merging this pull request may close these issues.

#9206 appears to break non-AWS S3 storage when role-based access is used
5 participants