-
Notifications
You must be signed in to change notification settings - Fork 25k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issue S3 web identity token refresh call with sufficient permissions #119748
Conversation
Hi @pxsalehi, I've created a changelog YAML for you. |
The fix is simple. I'm working on a test. As the issue is pretty clear, we could also merge this and follow up with a test. I'm gonna leave this on draft until I figure out an IT (probably based on |
This reverts commit 7339307.
…asticsearch into ps250108-stsRefreshPrivilege
I tried to reproduce this with an IT in 7339307, based on In any case, I think the fix on its own is valid. The rest test is also not ideal even if it works, since it relies on periodic (60s) intervals to pick up the file change. |
Pinging @elastic/es-distributed-coordination (Team:Distributed Coordination) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
I think you may need test with real s3 to make it fail or a fixture that is not running on localhost. The permission check is for "connect,resolve". If a connection is already available in the pool, it may not trigger either. I had similar experience, see also #108280 (comment) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
It would be great if you can confirm this does fix the issue with some manual test if automated test is not feasible.
Thanks, both!
Yeah, you're right. That is the "why". As i mentioned, if I add an early refresh call, I can see the permission issue.
A slightly different ordering of the dirty IT I had, does reproduce the exact exception and shows that the fix gets rid of it. See here. Considering this is about the permission issue not the STS stuff per se, I'm gonna leave it at that. An automated test would also not work in this specific setup due to how we check for the file change. I also don't think it is worth the hassle to setup a whole ECK with STS scenario. |
💚 Backport successful
|
…119748) (#119840) Closes #119747 Co-authored-by: Felix Barnsteiner <[email protected]>
I suggest we backport this bug fix to 8.16 and 8.17 as well. What do you think? |
Closes #119747