ClickHouse/src/IO/S3Common.cpp

#include <IO/S3Common.h>

#include <Common/Exception.h>
#include <Common/StringUtils.h>
#include <Poco/Util/AbstractConfiguration.h>

#include "config.h"

#if USE_AWS_S3

#    include <IO/HTTPHeaderEntries.h>
#    include <IO/S3/Client.h>
#    include <IO/S3/Requests.h>
#    include <Common/quoteString.h>
#    include <Common/logger_useful.h>


namespace ProfileEvents
{
    extern const Event S3GetObjectAttributes;
    extern const Event S3GetObjectMetadata;
    extern const Event S3HeadObject;
    extern const Event DiskS3GetObjectAttributes;
    extern const Event DiskS3GetObjectMetadata;
    extern const Event DiskS3HeadObject;
}

namespace DB
{

bool S3Exception::isRetryableError() const
{
    /// Looks like these list is quite conservative, add more codes if you wish
    static const std::unordered_set<Aws::S3::S3Errors> unretryable_errors = {
        Aws::S3::S3Errors::NO_SUCH_KEY,
        Aws::S3::S3Errors::ACCESS_DENIED,
        Aws::S3::S3Errors::INVALID_ACCESS_KEY_ID,
        Aws::S3::S3Errors::INVALID_SIGNATURE,
        Aws::S3::S3Errors::NO_SUCH_UPLOAD,
        Aws::S3::S3Errors::NO_SUCH_BUCKET,
    };

    return !unretryable_errors.contains(code);
}

}

namespace DB::ErrorCodes
{
    extern const int S3_ERROR;
}

#endif

namespace DB
{

namespace ErrorCodes
{
    extern const int INVALID_CONFIG_PARAMETER;
}

namespace S3
{

HTTPHeaderEntries getHTTPHeaders(const std::string & config_elem, const Poco::Util::AbstractConfiguration & config)
{
    HTTPHeaderEntries headers;
    Poco::Util::AbstractConfiguration::Keys subconfig_keys;
    config.keys(config_elem, subconfig_keys);
    for (const std::string & subkey : subconfig_keys)
    {
        if (subkey.starts_with("header"))
        {
            auto header_str = config.getString(config_elem + "." + subkey);
            auto delimiter = header_str.find(':');
            if (delimiter == std::string::npos)
                throw Exception(ErrorCodes::INVALID_CONFIG_PARAMETER, "Malformed s3 header value");
            headers.emplace_back(header_str.substr(0, delimiter), header_str.substr(delimiter + 1, String::npos));
        }
    }
    return headers;
}

ServerSideEncryptionKMSConfig getSSEKMSConfig(const std::string & config_elem, const Poco::Util::AbstractConfiguration & config)
{
    ServerSideEncryptionKMSConfig sse_kms_config;

    if (config.has(config_elem + ".server_side_encryption_kms_key_id"))
        sse_kms_config.key_id = config.getString(config_elem + ".server_side_encryption_kms_key_id");

    if (config.has(config_elem + ".server_side_encryption_kms_encryption_context"))
        sse_kms_config.encryption_context = config.getString(config_elem + ".server_side_encryption_kms_encryption_context");

    if (config.has(config_elem + ".server_side_encryption_kms_bucket_key_enabled"))
        sse_kms_config.bucket_key_enabled = config.getBool(config_elem + ".server_side_encryption_kms_bucket_key_enabled");

    return sse_kms_config;
}

AuthSettings AuthSettings::loadFromConfig(const std::string & config_elem, const Poco::Util::AbstractConfiguration & config)
{
    auto access_key_id = config.getString(config_elem + ".access_key_id", "");
    auto secret_access_key = config.getString(config_elem + ".secret_access_key", "");
    auto session_token = config.getString(config_elem + ".session_token", "");

    auto region = config.getString(config_elem + ".region", "");
    auto server_side_encryption_customer_key_base64 = config.getString(config_elem + ".server_side_encryption_customer_key_base64", "");

    std::optional<bool> use_environment_credentials;
    if (config.has(config_elem + ".use_environment_credentials"))
        use_environment_credentials = config.getBool(config_elem + ".use_environment_credentials");

    std::optional<bool> use_insecure_imds_request;
    if (config.has(config_elem + ".use_insecure_imds_request"))
        use_insecure_imds_request = config.getBool(config_elem + ".use_insecure_imds_request");

    std::optional<uint64_t> expiration_window_seconds;
    if (config.has(config_elem + ".expiration_window_seconds"))
        expiration_window_seconds = config.getUInt64(config_elem + ".expiration_window_seconds");

    std::optional<bool> no_sign_request;
    if (config.has(config_elem + ".no_sign_request"))
        no_sign_request = config.getBool(config_elem + ".no_sign_request");

    HTTPHeaderEntries headers = getHTTPHeaders(config_elem, config);
    ServerSideEncryptionKMSConfig sse_kms_config = getSSEKMSConfig(config_elem, config);

    std::unordered_set<std::string> users;
    Poco::Util::AbstractConfiguration::Keys keys;
    config.keys(config_elem, keys);
    for (const auto & key : keys)
    {
        if (startsWith(key, "user"))
            users.insert(config.getString(config_elem + "." + key));
    }

    return AuthSettings
    {
        std::move(access_key_id), std::move(secret_access_key), std::move(session_token),
        std::move(region),
        std::move(server_side_encryption_customer_key_base64),
        std::move(sse_kms_config),
        std::move(headers),
        use_environment_credentials,
        use_insecure_imds_request,
        expiration_window_seconds,
        no_sign_request,
        std::move(users)
    };
}

bool AuthSettings::canBeUsedByUser(const String & user) const
{
    return users.empty() || users.contains(user);
}

bool AuthSettings::hasUpdates(const AuthSettings & other) const
{
    AuthSettings copy = *this;
    copy.updateFrom(other);
    return *this != copy;
}

void AuthSettings::updateFrom(const AuthSettings & from)
{
    /// Update with check for emptyness only parameters which
    /// can be passed not only from config, but via ast.

    if (!from.access_key_id.empty())
        access_key_id = from.access_key_id;
    if (!from.secret_access_key.empty())
        secret_access_key = from.secret_access_key;
    if (!from.session_token.empty())
        session_token = from.session_token;

    if (!from.headers.empty())
        headers = from.headers;
    if (!from.region.empty())
        region = from.region;

    server_side_encryption_customer_key_base64 = from.server_side_encryption_customer_key_base64;
    server_side_encryption_kms_config = from.server_side_encryption_kms_config;

    if (from.use_environment_credentials.has_value())
        use_environment_credentials = from.use_environment_credentials;

    if (from.use_insecure_imds_request.has_value())
        use_insecure_imds_request = from.use_insecure_imds_request;

    if (from.expiration_window_seconds.has_value())
        expiration_window_seconds = from.expiration_window_seconds;

    if (from.no_sign_request.has_value())
        no_sign_request = from.no_sign_request;

    users.insert(from.users.begin(), from.users.end());
}

}
}
enable S3 if client is built 2022-09-15 14:06:22 +00:00			`#include <IO/S3Common.h>`
AWS SDK integration rework. 2019-12-06 14:37:21 +00:00
enable S3 if client is built 2022-09-15 14:06:22 +00:00			`#include <Common/Exception.h>`
Move StringUtils.h/cpp back to Common/ 2024-05-19 08:02:06 +00:00			`#include <Common/StringUtils.h>`
Fix build 2022-09-15 10:11:09 +00:00			`#include <Poco/Util/AbstractConfiguration.h>`
Support specifying users for s3 settings 2024-02-19 15:11:29 +00:00
Generate config.h into ${CONFIG_INCLUDE_PATH} This makes the target location consistent with other auto-generated files like config_formats.h, config_core.h, and config_functions.h and simplifies the build of clickhouse_common. 2022-09-28 08:45:15 +00:00			`#include "config.h"`
Fix build 2022-09-15 10:11:09 +00:00
AWS SDK integration rework. 2019-12-06 14:37:21 +00:00			`#if USE_AWS_S3`

Replace old named collections code for url 2022-12-16 22:57:09 +00:00			`# include <IO/HTTPHeaderEntries.h>`
Define S3 client with bucket and endpoint resolution (#45783) * Update aws * Define S3 client with bucket and endpoint resolution * Add defines for ErrorCodes * Use S3Client everywhere * Remove unused errorcode * Add DROP S3 CLIENT CACHE query * Add a comment * Fix style * Update aws * Update reference files * Add missing include * Fix unit test * Remove unneeded declarations * Correctly use RetryStrategy * Rename S3Client to Client * Fix retry count * fix clang-tidy warnings 2023-02-03 13:30:52 +00:00			`# include <IO/S3/Client.h>`
			`# include <IO/S3/Requests.h>`
fix and test that S3Clients reused 2024-01-07 01:16:29 +00:00			`# include <Common/quoteString.h>`
base should not depend on Common 2022-04-27 15:05:45 +00:00			`# include <Common/logger_useful.h>`
Attempt to add S3 authentication. 2019-11-05 07:54:13 +00:00
Attempt to resolve nullptr in STS credentials provider for S3. 2021-11-08 07:59:43 +00:00
fix issues 2022-09-19 18:40:32 +00:00			`namespace ProfileEvents`
			`{`
Stop using HeadObject requests in S3 because they don't work well with endpoints without explicit region. 2023-01-14 02:17:31 +00:00			`extern const Event S3GetObjectAttributes;`
			`extern const Event S3GetObjectMetadata;`
fix issues 2022-09-19 18:40:32 +00:00			`extern const Event S3HeadObject;`
More complex logic: GetObjectAttributes requests will be used only if the endpoint is "*.amazonaws.com", otherwise HeadObject requests will be used. 2023-01-16 19:14:39 +00:00			`extern const Event DiskS3GetObjectAttributes;`
Stop using HeadObject requests in S3 because they don't work well with endpoints without explicit region. 2023-01-14 02:17:31 +00:00			`extern const Event DiskS3GetObjectMetadata;`
fix issues 2022-09-19 18:40:32 +00:00			`extern const Event DiskS3HeadObject;`
			`}`

Better exception handling for ReadBufferFromS3 2022-09-06 11:59:55 +00:00			`namespace DB`
			`{`

			`bool S3Exception::isRetryableError() const`
			`{`
			`/// Looks like these list is quite conservative, add more codes if you wish`
			`static const std::unordered_set<Aws::S3::S3Errors> unretryable_errors = {`
			`Aws::S3::S3Errors::NO_SUCH_KEY,`
			`Aws::S3::S3Errors::ACCESS_DENIED,`
			`Aws::S3::S3Errors::INVALID_ACCESS_KEY_ID,`
			`Aws::S3::S3Errors::INVALID_SIGNATURE,`
			`Aws::S3::S3Errors::NO_SUCH_UPLOAD,`
			`Aws::S3::S3Errors::NO_SUCH_BUCKET,`
			`};`

			`return !unretryable_errors.contains(code);`
			`}`

			`}`

Split S3Common into multiple files 2023-02-13 12:28:04 +00:00			`namespace DB::ErrorCodes`
AWS SDK integration formatting issues. 2019-12-06 15:14:39 +00:00			`{`
Add ParallelReadBuffer for S3 2022-03-21 14:52:26 +00:00			`extern const int S3_ERROR;`
Fixed bug in #7623 2019-12-03 01:22:25 +00:00			`}`

Fix build 2022-09-15 10:11:09 +00:00			`#endif`
Basic implementation for S3 snapshot upload 2022-09-15 07:45:28 +00:00
Fix build 2022-09-15 10:11:09 +00:00			`namespace DB`
			`{`
Basic implementation for S3 snapshot upload 2022-09-15 07:45:28 +00:00
Fix build 2022-09-15 10:11:09 +00:00			`namespace ErrorCodes`
			`{`
			`extern const int INVALID_CONFIG_PARAMETER;`
Attempt to add S3 authentication. 2019-11-05 07:54:13 +00:00			`}`

Fix build 2022-09-15 10:11:09 +00:00			`namespace S3`
			`{`

Support "header" setting in S3 disk config The S3 table engine supports specifying extra HTTP headers in S3 requests to certain endpoints, via the "headers" setting. This commit adds the same setting to S3 disk config. 2023-04-12 16:59:37 +00:00			`HTTPHeaderEntries getHTTPHeaders(const std::string & config_elem, const Poco::Util::AbstractConfiguration & config)`
			`{`
			`HTTPHeaderEntries headers;`
			`Poco::Util::AbstractConfiguration::Keys subconfig_keys;`
			`config.keys(config_elem, subconfig_keys);`
			`for (const std::string & subkey : subconfig_keys)`
			`{`
			`if (subkey.starts_with("header"))`
			`{`
			`auto header_str = config.getString(config_elem + "." + subkey);`
			`auto delimiter = header_str.find(':');`
			`if (delimiter == std::string::npos)`
			`throw Exception(ErrorCodes::INVALID_CONFIG_PARAMETER, "Malformed s3 header value");`
			`headers.emplace_back(header_str.substr(0, delimiter), header_str.substr(delimiter + 1, String::npos));`
			`}`
			`}`
			`return headers;`
			`}`

Add support for SSE-KMS configuration with S3 https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html Similar to the server_side_encryption_customer_key_base64 option for configuring SSE-C with S3, add the following settings to configure SSE-KMS on a per-endpoint/disk basis: - server_side_encryption_kms_key_id - server_side_encryption_kms_encryption_context - server_side_encryption_kms_bucket_key_enabled 2023-04-12 17:01:07 +00:00			`ServerSideEncryptionKMSConfig getSSEKMSConfig(const std::string & config_elem, const Poco::Util::AbstractConfiguration & config)`
			`{`
			`ServerSideEncryptionKMSConfig sse_kms_config;`

			`if (config.has(config_elem + ".server_side_encryption_kms_key_id"))`
			`sse_kms_config.key_id = config.getString(config_elem + ".server_side_encryption_kms_key_id");`

			`if (config.has(config_elem + ".server_side_encryption_kms_encryption_context"))`
			`sse_kms_config.encryption_context = config.getString(config_elem + ".server_side_encryption_kms_encryption_context");`

			`if (config.has(config_elem + ".server_side_encryption_kms_bucket_key_enabled"))`
			`sse_kms_config.bucket_key_enabled = config.getBool(config_elem + ".server_side_encryption_kms_bucket_key_enabled");`

			`return sse_kms_config;`
			`}`

enable S3 if client is built 2022-09-15 14:06:22 +00:00			`AuthSettings AuthSettings::loadFromConfig(const std::string & config_elem, const Poco::Util::AbstractConfiguration & config)`
Fix build 2022-09-15 10:11:09 +00:00			`{`
			`auto access_key_id = config.getString(config_elem + ".access_key_id", "");`
			`auto secret_access_key = config.getString(config_elem + ".secret_access_key", "");`
S3Common.AuthSettings: Allow passing SESSION_TOKEN to AWSCredentials This sets the infrastructure of loading session_token and passing it directly to all AWSCredentials instances that are created using the AuthSettings. The default SESSION_TOKEN is set to an empty string as documented in AWS SDK reference: https://sdk.amazonaws.com/cpp/api/0.12.9/d4/d27/class_aws_1_1_auth_1_1_a_w_s_credentials.html 2023-12-14 08:02:21 +00:00			`auto session_token = config.getString(config_elem + ".session_token", "");`

Fix build 2022-09-15 10:11:09 +00:00			`auto region = config.getString(config_elem + ".region", "");`
			`auto server_side_encryption_customer_key_base64 = config.getString(config_elem + ".server_side_encryption_customer_key_base64", "");`

			`std::optional<bool> use_environment_credentials;`
			`if (config.has(config_elem + ".use_environment_credentials"))`
			`use_environment_credentials = config.getBool(config_elem + ".use_environment_credentials");`

			`std::optional<bool> use_insecure_imds_request;`
			`if (config.has(config_elem + ".use_insecure_imds_request"))`
			`use_insecure_imds_request = config.getBool(config_elem + ".use_insecure_imds_request");`

Add expiration window for S3 credentials 2023-03-10 10:06:32 +00:00			`std::optional<uint64_t> expiration_window_seconds;`
			`if (config.has(config_elem + ".expiration_window_seconds"))`
			`expiration_window_seconds = config.getUInt64(config_elem + ".expiration_window_seconds");`

Add support for NOSIGN keyword and no_sign_request config 2023-03-27 14:44:34 +00:00			`std::optional<bool> no_sign_request;`
			`if (config.has(config_elem + ".no_sign_request"))`
			`no_sign_request = config.getBool(config_elem + ".no_sign_request");`

Support "header" setting in S3 disk config The S3 table engine supports specifying extra HTTP headers in S3 requests to certain endpoints, via the "headers" setting. This commit adds the same setting to S3 disk config. 2023-04-12 16:59:37 +00:00			`HTTPHeaderEntries headers = getHTTPHeaders(config_elem, config);`
Add support for SSE-KMS configuration with S3 https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html Similar to the server_side_encryption_customer_key_base64 option for configuring SSE-C with S3, add the following settings to configure SSE-KMS on a per-endpoint/disk basis: - server_side_encryption_kms_key_id - server_side_encryption_kms_encryption_context - server_side_encryption_kms_bucket_key_enabled 2023-04-12 17:01:07 +00:00			`ServerSideEncryptionKMSConfig sse_kms_config = getSSEKMSConfig(config_elem, config);`
Fix build 2022-09-15 10:11:09 +00:00
Support specifying users for s3 settings 2024-02-19 15:11:29 +00:00			`std::unordered_set<std::string> users;`
			`Poco::Util::AbstractConfiguration::Keys keys;`
			`config.keys(config_elem, keys);`
			`for (const auto & key : keys)`
			`{`
			`if (startsWith(key, "user"))`
			`users.insert(config.getString(config_elem + "." + key));`
			`}`

Fix build 2022-09-15 10:11:09 +00:00			`return AuthSettings`
			`{`
S3Common.AuthSettings: Allow passing SESSION_TOKEN to AWSCredentials This sets the infrastructure of loading session_token and passing it directly to all AWSCredentials instances that are created using the AuthSettings. The default SESSION_TOKEN is set to an empty string as documented in AWS SDK reference: https://sdk.amazonaws.com/cpp/api/0.12.9/d4/d27/class_aws_1_1_auth_1_1_a_w_s_credentials.html 2023-12-14 08:02:21 +00:00			`std::move(access_key_id), std::move(secret_access_key), std::move(session_token),`
Fix build 2022-09-15 10:11:09 +00:00			`std::move(region),`
			`std::move(server_side_encryption_customer_key_base64),`
Add support for SSE-KMS configuration with S3 https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html Similar to the server_side_encryption_customer_key_base64 option for configuring SSE-C with S3, add the following settings to configure SSE-KMS on a per-endpoint/disk basis: - server_side_encryption_kms_key_id - server_side_encryption_kms_encryption_context - server_side_encryption_kms_bucket_key_enabled 2023-04-12 17:01:07 +00:00			`std::move(sse_kms_config),`
Fix build 2022-09-15 10:11:09 +00:00			`std::move(headers),`
			`use_environment_credentials,`
Add expiration window for S3 credentials 2023-03-10 10:06:32 +00:00			`use_insecure_imds_request,`
Add support for NOSIGN keyword and no_sign_request config 2023-03-27 14:44:34 +00:00			`expiration_window_seconds,`
Support specifying users for s3 settings 2024-02-19 15:11:29 +00:00			`no_sign_request,`
			`std::move(users)`
Fix build 2022-09-15 10:11:09 +00:00			`};`
Fixed tests and logic of authorization in S3. 2019-12-01 11:24:55 +00:00			`}`
AWS SDK integration rework. 2019-12-06 14:37:21 +00:00
Support specifying users for s3 settings 2024-02-19 15:11:29 +00:00			`bool AuthSettings::canBeUsedByUser(const String & user) const`
			`{`
			`return users.empty() \|\| users.contains(user);`
			`}`

fix and test that S3Clients reused 2024-01-07 01:16:29 +00:00			`bool AuthSettings::hasUpdates(const AuthSettings & other) const`
			`{`
			`AuthSettings copy = *this;`
			`copy.updateFrom(other);`
fix auth_settings.hasUpdates function 2024-01-07 22:00:26 +00:00			`return *this != copy;`
fix and test that S3Clients reused 2024-01-07 01:16:29 +00:00			`}`
Merge branch 'master' into keeper-upload-snapshot-to-s3 2022-09-27 07:28:26 +00:00
			`void AuthSettings::updateFrom(const AuthSettings & from)`
			`{`
			`/// Update with check for emptyness only parameters which`
			`/// can be passed not only from config, but via ast.`

			`if (!from.access_key_id.empty())`
			`access_key_id = from.access_key_id;`
			`if (!from.secret_access_key.empty())`
			`secret_access_key = from.secret_access_key;`
S3Common.AuthSettings: Allow passing SESSION_TOKEN to AWSCredentials This sets the infrastructure of loading session_token and passing it directly to all AWSCredentials instances that are created using the AuthSettings. The default SESSION_TOKEN is set to an empty string as documented in AWS SDK reference: https://sdk.amazonaws.com/cpp/api/0.12.9/d4/d27/class_aws_1_1_auth_1_1_a_w_s_credentials.html 2023-12-14 08:02:21 +00:00			`if (!from.session_token.empty())`
			`session_token = from.session_token;`
Merge branch 'master' into keeper-upload-snapshot-to-s3 2022-09-27 07:28:26 +00:00
Fixes after merge with master, move some part of code to object storage 2024-02-19 09:45:56 +00:00			`if (!from.headers.empty())`
			`headers = from.headers;`
			`if (!from.region.empty())`
			`region = from.region;`

Merge branch 'master' into keeper-upload-snapshot-to-s3 2022-09-27 07:28:26 +00:00			`server_side_encryption_customer_key_base64 = from.server_side_encryption_customer_key_base64;`
Add support for SSE-KMS configuration with S3 https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html Similar to the server_side_encryption_customer_key_base64 option for configuring SSE-C with S3, add the following settings to configure SSE-KMS on a per-endpoint/disk basis: - server_side_encryption_kms_key_id - server_side_encryption_kms_encryption_context - server_side_encryption_kms_bucket_key_enabled 2023-04-12 17:01:07 +00:00			`server_side_encryption_kms_config = from.server_side_encryption_kms_config;`
Address PR comments 2023-03-29 11:08:44 +00:00
better 2023-03-29 12:54:57 +00:00			`if (from.use_environment_credentials.has_value())`
Address PR comments 2023-03-29 11:08:44 +00:00			`use_environment_credentials = from.use_environment_credentials;`

better 2023-03-29 12:54:57 +00:00			`if (from.use_insecure_imds_request.has_value())`
Address PR comments 2023-03-29 11:08:44 +00:00			`use_insecure_imds_request = from.use_insecure_imds_request;`

better 2023-03-29 12:54:57 +00:00			`if (from.expiration_window_seconds.has_value())`
Address PR comments 2023-03-29 11:08:44 +00:00			`expiration_window_seconds = from.expiration_window_seconds;`
Add support for NOSIGN keyword and no_sign_request config 2023-03-27 14:44:34 +00:00
			`if (from.no_sign_request.has_value())`
fix and test that S3Clients reused 2024-01-07 01:16:29 +00:00			`no_sign_request = from.no_sign_request;`
Support specifying users for s3 settings 2024-02-19 15:11:29 +00:00
			`users.insert(from.users.begin(), from.users.end());`
Merge branch 'master' into keeper-upload-snapshot-to-s3 2022-09-27 07:28:26 +00:00			`}`

Fix build 2022-09-15 10:11:09 +00:00			`}`
			`}`