Comments (16)
@romayalon I agree with you.
Just for it to be clear, the long-term solution would be to change the config structure and map the account and bucket IDs to the config file, and use only these IDs as a reference.
I didn't close the issue because the fix is partial.
from noobaa-core.
@anandhu-karattu
Can you share the I/O failure you see?
from noobaa-core.
I am trying to upload an object into the bucket "bucket-old"; it is failing:
```
[root@anan-rhel921 ~]# AWS_ACCESS_KEY_ID=BjLLk92yXAEFxOKaOFyA AWS_SECRET_ACCESS_KEY=xYPDVxbTaH6g8b42T2ecOk/j3I53spnA/JkDtEi2 aws --endpoint https://10.11.71.87:6443 --no-verify-ssl s3 cp awscliv2.zip s3://bucket-old
urllib3/connectionpool.py:1061: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.11.71.87'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
upload failed: ./awscliv2.zip to s3://bucket-old/awscliv2.zip An error occurred (AccessDenied) when calling the CreateMultipartUpload operation: Access Denied
```
Issue is only with the existing buckets, since the owner name is not updated to new_name.
from noobaa-core.
Hi @anandhu-karattu,
I added a fix for this issue, please pay attention that it is a short-term fix:
- After this fix, the S3 request should not return an error.
- But the buckets that the account owns still have the properties `system_owner` and `bucket_owner` with the previous name (in the bucket config) <- this would be handled in a long-term fix
I'm adding the label "Request Validation" so you can test it (and not close it for now).
cc: @romayalon
from noobaa-core.
> - After this fix, the S3 request should not return an error.
What does this mean? @shirady
from noobaa-core.
@anandhu-karattu I meant for the error `Access Denied`.
from noobaa-core.
@anandhu-karattu @shirady Shira fixed the IO failure but not the actual update of the bucket config.json; a fix for the update will be taken care of in #7734. Shira, please keep me honest here.
from noobaa-core.
Verified on build "noobaa-core-5.15.4-20240605.el9.x86_64"
Looks like the IO FAILURE is still there.
How to reproduce:
- Create an account > Bucket > Upload object into bucket ==> PASS
- Change the account name to new name ==> PASS
```
[root@anan-21 ~]# noobaa-cli account update --name account-65675 --new_name account_test_new
{
  "response": {
    "code": "AccountUpdated",
    "reply": {
      "_id": "6662ad6dc999b40f7e95e9bf",
      "name": "account_test_new",
      "email": "account_test_new",
      "creation_date": "2024-06-07T06:49:17.510Z",
      "access_keys": [
        {
          "access_key": "5ZQ5YaCYDOGfZhDC07sM",
          "secret_key": "JpEojbabc57kMfNk/rGBPUW0bW/jTHWXwqhLfIJs"
        }
      ],
      "nsfs_account_config": {
        "uid": 3844,
        "gid": 4890,
        "new_buckets_path": "/mnt/gpfs0/account_65675/",
        "fs_backend": "GPFS"
      },
      "allow_bucket_creation": true,
      "master_key_id": "6662ad6dadbc37d3ecb52d68"
    }
  }
}
```
- Upload the object again to the same bucket ==> FAILED with access denied error
```
[root@akarattuparambil-scale-host ~]# AWS_ACCESS_KEY_ID=5ZQ5YaCYDOGfZhDC07sM AWS_SECRET_ACCESS_KEY=JpEojbabc57kMfNk/rGBPUW0bW/jTHWXwqhLfIJs aws --endpoint https://10.0.100.21:6443 --no-verify-ssl s3 cp awscliv2.zip s3://bucket-65675
urllib3/connectionpool.py:1061: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.0.100.21'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
upload failed: ./awscliv2.zip to s3://bucket-65675/awscliv2.zip An error occurred (AccessDenied) when calling the UploadPart operation: Access Denied
```
from noobaa-core.
@shirady looks like the fix is failing for me. Can you please check the issue again?
from noobaa-core.
This is the corresponding error found in noobaa.log:
```
Jun 7 14:45:36 anan-21 [230684]: [nsfs/230684] [L0] core.sdk.bucketspace_fs:: BucketSpaceFS.read_bucket_sdk_info: bucket_config_path /mnt/cesSharedRoot/ces/s3-config/buckets/bucket-65675.json
Jun 7 14:45:36 anan-21 [230684]: [nsfs/230684] [L0] core.sdk.bucketspace_fs:: BucketSpaceFS.read_bucket_sdk_info: bucket_config_path /mnt/cesSharedRoot/ces/s3-config/buckets/bucket-65675.json
Jun 7 14:45:36 anan-21 [230684]: [nsfs/230684] [ERROR] core.endpoint.s3.s3_rest:: S3 ERROR <?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message>Access Denied</Message><Resource>/bucket-65675/awscliv2.zip?uploads</Resource><RequestId>lx4oj92t-f3f5kt-oxw</RequestId></Error> POST /bucket-65675/awscliv2.zip?uploads {"host":"10.0.100.21:6443","accept-encoding":"identity","content-type":"application/zip","user-agent":"aws-cli/2.15.30 Python/3.11.8 Linux/4.18.0-477.10.1.el8_8.x86_64 exe/x86_64.rhel.8 prompt/off command/s3.cp","x-amz-date":"20240607T124536Z","x-amz-content-sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","authorization":"AWS4-HMAC-SHA256 Credential=5ZQ5YaCYDOGfZhDC07sM/20240607/us-east-1/s3/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=5476b626e3c290390c773896cf9c2276ba88c9eead4bccfcc293d4f8fc8b4b9b","content-length":"0"} Error: Access Denied
    at authorize_request_policy (/usr/local/noobaa-core/src/endpoint/s3/s3_rest.js:243:15)
    at async Promise.all (index 1)
    at async authorize_request (/usr/local/noobaa-core/src/endpoint/s3/s3_rest.js:205:5)
    at async handle_request (/usr/local/noobaa-core/src/endpoint/s3/s3_rest.js:115:5)
    at async Object.s3_rest [as handler] (/usr/local/noobaa-core/src/endpoint/s3/s3_rest.js:65:9)
```
from noobaa-core.
@anandhu-karattu we didn't backport it to stage_5.15.4...
@madhuthorat please evaluate this priority and let us know if this should be backported..
cc: @nimrod-becker
from noobaa-core.
@romayalon we are not supporting account name update in scale release 5.2.1.
So this fix is not mandatory for us in 5.15.4 @madhuthorat
But we may support this in future releases, so we will expect a future fix (complete fix as per your plan)
from noobaa-core.
> @romayalon we are not supporting account name update in scale release 5.2.1. So this fix is not mandatory for us in 5.15.4 @madhuthorat But we may support this in future releases, so we will expect a future fix (complete fix as per your plan)
Right, we won't support accountName update in CES S3 MVP GA, so please take a call if you want to add to 5.15.4 or not.
from noobaa-core.
@madhuthorat @anandhu-karattu We decided not to backport it to 5.15.4,
@anandhu-karattu could you validate it on master?
from noobaa-core.
Verified on build "noobaa-core-5.17.0-20240617.el9.x86_64"
There is no access denied error this time. (verification steps are mentioned above)
Marking as verified. @romayalon @shirady
from noobaa-core.
Hi,
The short-term solution was verified (see comment above):
- Removing the "request validation" label as it was validated.
- I will remove myself from the assignee since another developer might be assigned for the fix of the long-term solution
cc: @romayalon
from noobaa-core.
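The name-versus-ID point made in this thread, as an added sketch that is not noobaa-core code: a bucket config that stores its owner's name stops matching after a rename, an ID reference survives it, and a small audit lists the stale entries. `owner_account_id` and all function names are hypothetical; `bucket_owner`, `system_owner`, `_id` and `name` are the fields quoted in the comments above.

```javascript
'use strict';
// Constructed sample data modelled on the thread. `owner_account_id` is a
// hypothetical field; the other field names are the ones quoted above.
const accounts = [{ _id: '6662ad6dc999b40f7e95e9bf', name: 'account-65675' }];
const buckets = [{
    name: 'bucket-65675',
    bucket_owner: 'account-65675',
    system_owner: 'account-65675',
    owner_account_id: '6662ad6dc999b40f7e95e9bf',
}];

// Name-keyed ownership check: stops matching as soon as the account is renamed.
function isOwnerByName(account, bucket) {
    return bucket.bucket_owner === account.name;
}

// ID-keyed ownership check: the ID never changes, so a rename does not affect it.
function isOwnerById(account, bucket) {
    return bucket.owner_account_id === account._id;
}

// Rename that only touches the account record, as in the reported scenario.
function renameAccount(accountList, oldName, newName) {
    const account = accountList.find(a => a.name === oldName);
    if (!account) throw new Error(`no such account: ${oldName}`);
    account.name = newName;
    return account;
}

// Audit: bucket configs whose owner fields name an account that no longer exists.
function findStaleOwnerRefs(accountList, bucketList) {
    const names = new Set(accountList.map(a => a.name));
    return bucketList.flatMap(bucket =>
        ['bucket_owner', 'system_owner']
            .filter(field => !names.has(bucket[field]))
            .map(field => ({ bucket: bucket.name, field, value: bucket[field] })));
}

// Replay the reproduction steps on copies of the sample data.
function runScenario() {
    const accts = JSON.parse(JSON.stringify(accounts));
    const bkts = JSON.parse(JSON.stringify(buckets));
    const account = renameAccount(accts, 'account-65675', 'account_test_new');
    return {
        byName: isOwnerByName(account, bkts[0]),
        byId: isOwnerById(account, bkts[0]),
        stale: findStaleOwnerRefs(accts, bkts),
    };
}
console.log(JSON.stringify(runScenario(), null, 2));
```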