S3 repository rejects access with documented `s3:prefix` condition

[DaveCTurner]

A user reports problems with the S3 repository plugin in 6.5.0:

{
 "error": {
  "root_cause": [
   {
    "type": "repository_exception",
    "reason": "[s3_test] cannot create blob store"
   }
  ],
  "type": "repository_exception",
  "reason": "[s3_test] cannot create blob store",
  "caused_by": {
   "type": "illegal_argument_exception",
   "reason": "you do not have permissions to access the bucket REDACTED",
   "caused_by": {
    "type": "amazon_s3_exception",
    "reason": "amazon_s3_exception: Forbidden (Service: Amazon S3; Status Code: 403; Error Code: 403 Forbidden; Request ID: REDACTED; S3 Extended Request ID: REDACTED )"
   }
  }
 },
 "status": 500
}

They have an IAM policy that includes a statement like the one in the reference manual:

    {
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "foo/*"
          ]
        }
      },
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::snaps.example.com"
      ]
    },

If they remove the Condition block then access is granted. I think Elasticsearch changed how it checks for bucket existence in #34123 and it's possible that the new check is no longer within the bounds of this policy. I haven't confirmed this hypothesis yet.

[elasticmachine]

Pinging @elastic/es-distributed

[maggiejg]

The following logs were provided by the user to supplement troubleshooting this issue:

[2018-11-19T22:05:41,444][WARN ][r.suppressed             ] [single-instance] path: /_snapshot/s3_repo, params: {pretty=, repository=s3_repo}
org.elasticsearch.repositories.RepositoryException: [s3_repo] cannot create blob store
	at org.elasticsearch.repositories.blobstore.BlobStoreRepository.blobStore(BlobStoreRepository.java:336) ~[elasticsearch-6.5.0.jar:6.5.0]
	at org.elasticsearch.repositories.s3.S3Repository.blobStore(S3Repository.java:258) ~[?:?]
	at org.elasticsearch.repositories.blobstore.BlobStoreRepository.startVerification(BlobStoreRepository.java:630) ~[elasticsearch-6.5.0.jar:6.5.0]
	at org.elasticsearch.repositories.RepositoriesService.lambda$verifyRepository$2(RepositoriesService.java:218) ~[elasticsearch-6.5.0.jar:6.5.0]
	at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:624) [elasticsearch-6.5.0.jar:6.5.0]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_191]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_191]
	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_191]
Caused by: java.lang.IllegalArgumentException: you do not have permissions to access the bucket [REDACTED]
	at org.elasticsearch.repositories.s3.S3BlobStore.lambda$new$0(S3BlobStore.java:79) ~[?:?]
	at org.elasticsearch.repositories.s3.SocketAccess.lambda$doPrivilegedVoid$0(SocketAccess.java:57) ~[?:?]
	at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_191]
	at org.elasticsearch.repositories.s3.SocketAccess.doPrivilegedVoid(SocketAccess.java:56) ~[?:?]
	at org.elasticsearch.repositories.s3.S3BlobStore.<init>(S3BlobStore.java:72) ~[?:?]
	at org.elasticsearch.repositories.s3.S3Repository.createBlobStore(S3Repository.java:251) ~[?:?]
	at org.elasticsearch.repositories.s3.S3Repository.createBlobStore(S3Repository.java:53) ~[?:?]
	at org.elasticsearch.repositories.blobstore.BlobStoreRepository.blobStore(BlobStoreRepository.java:332) ~[elasticsearch-6.5.0.jar:6.5.0]
	... 7 more
Caused by: com.amazonaws.services.s3.model.AmazonS3Exception: Forbidden (Service: Amazon S3; Status Code: 403; Error Code: 403 Forbidden; Request ID: DC6E1322FC074F4D; S3 Extended Request ID: 5TQW/Gei9Pgu37au6QcydkRIzqiNIhZJwVsZtGJa/MfYlCcylkNm+hLRF7l4DnjiYrN6JanxzU8=)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1658) ~[?:?]
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1322) ~[?:?]
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1072) ~[?:?]
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:745) ~[?:?]
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:719) ~[?:?]
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:701) ~[?:?]
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:669) ~[?:?]
	at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:651) ~[?:?]
	at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:515) ~[?:?]
	at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:4443) ~[?:?]
	at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:4390) ~[?:?]
	at com.amazonaws.services.s3.AmazonS3Client.headBucket(AmazonS3Client.java:1354) ~[?:?]
	at org.elasticsearch.repositories.s3.S3BlobStore.lambda$new$0(S3BlobStore.java:74) ~[?:?]
	at org.elasticsearch.repositories.s3.SocketAccess.lambda$doPrivilegedVoid$0(SocketAccess.java:57) ~[?:?]
	at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_191]
	at org.elasticsearch.repositories.s3.SocketAccess.doPrivilegedVoid(SocketAccess.java:56) ~[?:?]
	at org.elasticsearch.repositories.s3.S3BlobStore.<init>(S3BlobStore.java:72) ~[?:?]
	at org.elasticsearch.repositories.s3.S3Repository.createBlobStore(S3Repository.java:251) ~[?:?]
	at org.elasticsearch.repositories.s3.S3Repository.createBlobStore(S3Repository.java:53) ~[?:?]
	at org.elasticsearch.repositories.blobstore.BlobStoreRepository.blobStore(BlobStoreRepository.java:332) ~[elasticsearch-6.5.0.jar:6.5.0]
	... 7 more

[ywelsch]

Thanks for looking into this @DaveCTurner. The new check is indeed no longer within the bounds of this policy. As I don't think we should extend the policy to allow require list access on the root dir (which head bucket requires, see https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketHEAD.html), I'm going to revert the problematic PR (see #35732). I have also worked on a long-term fix that will allow us to completely get rid of this check (see #35731). We will also have to look at beefing up our third-party tests to catch this by using a stricter policy.

[isanjaykp]

@ywelsch, does this issue resolved ? I have installed the plugin on 01/02/2019 and I am still getting access issue for S3 repository plugin in 6.5.0 .

[ywelsch]

@isanjaykp This is fixed in 6.5.2 (see #35732).