S3's check-path is not specific enough #30709

Closed
kennytm opened this issue Mar 18, 2021 · 6 comments · Fixed by #30674

kennytm commented Mar 18, 2021

Please answer these questions before submitting your issue. Thanks!

1. What did you do?

  1. dump some SQL files into s3://some-bucket/some-prefix/ on AWS S3.
  2. create a role, give it the s3:ListBucket and s3:GetObject permission, conditioned with s3:prefix=some-prefix/.
  3. run Lightning using that role

2. What did you expect to see?

successfully restored.

3. What did you see instead?

failed due to an unnecessary HeadBucket call:

```
tidb lightning encountered error:  create storage failed: Bucket some-bucket is not accessible: Forbidden: Forbidden
        status code: 403, request id: ..., host id: ...: [BR:ExternalStorage:ErrStorageInvalidConfig]invalid external storage config
```

4. What version of BR and TiDB/TiKV/PD are you using?

master


kennytm commented Mar 18, 2021

Note: affects all users of br/pkg/storage, including BR itself (can work around with --skip-check-path), TiCDC and Dumpling (both have SkipCheckPath hard-coded to false).


handlerww commented Mar 18, 2021

Reproduce:

1. Create an IAM policy, use this JSON, and modify the content in `Condition` to your test subpath.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "subdir/*"
                }
            }
        }
    ]
}
```

You can refer to this article: https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/

2. Create an IAM role and attach the policy created before to this role.

3. Set the IAM role of the EC2 instance to that role.


@glorv glorv closed this as completed Mar 26, 2021
@glorv glorv reopened this Mar 26, 2021

lonng commented May 27, 2021

@glorv Seems this bug had been fixed in pingcap/br#899, can we close this issue?


glorv commented Jun 2, 2021

@glorv glorv closed this as completed Jun 2, 2021
@lance6716 lance6716 transferred this issue from pingcap/br Dec 14, 2021
@lance6716

open since master didn't fix it

```go
s, err := storage.New(ctx, u, &storage.ExternalStorageOptions{})
```

tidb/br/pkg/storage/s3.go, lines 287 to 292 in ac25e9f:

```go
if !opts.SkipCheckPath {
	err = checkS3Bucket(c, &qs)
	if err != nil {
		return nil, errors.Annotatef(berrors.ErrStorageInvalidConfig, "Bucket %s is not accessible: %v", qs.Bucket, err)
	}
}
```
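The direction the thread points at (probe only the prefix that will be read instead of calling HeadBucket on the whole bucket), as an added example in Go that is not code from tidb or br. `s3Client`, `checkS3Path` and the `fakeScopedS3` test double are hand-rolled here so the example runs offline; in real code the interface would be satisfied by the AWS SDK's S3 client (ListObjectsV2 with MaxKeys=1, HeadBucket).

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Minimal client surface the check needs. Assumption: the real code would
// satisfy this with the AWS SDK's S3 client; it is hand-rolled to run offline.
type s3Client interface {
	HeadBucket(bucket string) error
	ListObjectsV2(bucket, prefix string, maxKeys int) ([]string, error)
}

var errForbidden = errors.New("Forbidden: status code 403") // the 403 from the report

// checkS3Path replaces the bucket-wide HeadBucket probe with a listing of the
// prefix that will actually be read, so a role whose s3:ListBucket is conditioned
// on s3:prefix passes. It returns the key count (0 or 1) so an empty path warns.
func checkS3Path(c s3Client, bucket, prefix string) (int, error) {
	keys, err := c.ListObjectsV2(bucket, prefix, 1)
	if err != nil {
		return 0, fmt.Errorf("path s3://%s/%s is not accessible: %w", bucket, prefix, err)
	}
	return len(keys), nil
}

// fakeScopedS3 emulates a bucket behind the policy pasted in the thread:
// s3:ListBucket allowed only for s3:prefix matching allowedPrefix*, and no
// permission that would let HeadBucket succeed. Constructed test double.
type fakeScopedS3 struct {
	allowedPrefix string
	keys          []string
}

func (f fakeScopedS3) HeadBucket(string) error { return errForbidden }

func (f fakeScopedS3) ListObjectsV2(_, prefix string, maxKeys int) ([]string, error) {
	if !strings.HasPrefix(prefix, f.allowedPrefix) {
		return nil, errForbidden // request falls outside the Condition
	}
	var out []string
	for _, k := range f.keys {
		if strings.HasPrefix(k, prefix) && len(out) < maxKeys {
			out = append(out, k)
		}
	}
	return out, nil
}
```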

@lance6716 lance6716 reopened this Dec 14, 2021
@lance6716

/assign @glorv
