Make S3 custom query parameter optional

Today Elasticsearch will record the purpose for each request to S3 using
a custom query parameter. This isn't believed to be necessary outside of
the ECH/ECE/ECK/... managed services, and it adds rather a lot to the
request logs, so with this commit we make the feature optional and
disabled by default.

Author: DaveCTurner

modules/repository-s3/src/internalClusterTest/java/org/elasticsearch/repositories/s3/S3BlobStoreRepositoryTests.java

@@ -135,6 +135,7 @@ protected Settings repositorySettings(String repoName) {
             .put(super.repositorySettings(repoName))
             .put(S3Repository.BUCKET_SETTING.getKey(), "bucket")
             .put(S3Repository.CLIENT_NAME.getKey(), "test")
+            .put(S3Repository.ADD_PURPOSE_CUSTOM_QUERY_PARAMETER_SETTING.getKey(), true)
             // Don't cache repository data because some tests manually modify the repository data
             .put(BlobStoreRepository.CACHE_REPOSITORY_DATA.getKey(), false);
         if (randomBoolean()) {

modules/repository-s3/src/javaRestTest/java/org/elasticsearch/repositories/s3/AbstractRepositoryS3RestTestCase.java

@@ -59,6 +59,7 @@ private Request getRegisterRequest(UnaryOperator<Settings> settingsUnaryOperator
                                 .put("canned_acl", "private")
                                 .put("storage_class", "standard")
                                 .put("disable_chunked_encoding", randomBoolean())
+                                .put("add_purpose_custom_query_parameter", randomBoolean())
                                 .build()
                         )
                     )

modules/repository-s3/src/main/java/org/elasticsearch/repositories/s3/S3BlobContainer.java

@@ -1153,9 +1153,7 @@ ActionListener<Void> getMultipartUploadCleanupListener(int maxUploads, RefCounti
                 .prefix(keyPath)
                 .maxUploads(maxUploads)
                 // TODO adjust to use S3BlobStore.configureRequestForMetrics, adding metrics collection
-                .overrideConfiguration(
-                    b -> b.putRawQueryParameter(S3BlobStore.CUSTOM_QUERY_PARAMETER_PURPOSE, OperationPurpose.SNAPSHOT_DATA.getKey())
-                )
+                .overrideConfiguration(b -> blobStore.addPurposeQueryParameter(OperationPurpose.SNAPSHOT_DATA, b))
                 .build();
             final var multipartUploadListing = clientReference.client().listMultipartUploads(listMultipartUploadsRequest);
             final var multipartUploads = multipartUploadListing.uploads();
@@ -1184,12 +1182,7 @@ ActionListener<Void> getMultipartUploadCleanupListener(int maxUploads, RefCounti
                             .key(u.key())
                             .uploadId(u.uploadId())
                             // TODO adjust to use S3BlobStore.configureRequestForMetrics, adding metrics collection
-                            .overrideConfiguration(
-                                b -> b.putRawQueryParameter(
-                                    S3BlobStore.CUSTOM_QUERY_PARAMETER_PURPOSE,
-                                    OperationPurpose.SNAPSHOT_DATA.getKey()
-                                )
-                            )
+                            .overrideConfiguration(b -> blobStore.addPurposeQueryParameter(OperationPurpose.SNAPSHOT_DATA, b))
                             .build()
                     )
                 );

modules/repository-s3/src/main/java/org/elasticsearch/repositories/s3/S3BlobStore.java

@@ -10,6 +10,7 @@
 package org.elasticsearch.repositories.s3;
 
 import software.amazon.awssdk.awscore.AwsRequest;
+import software.amazon.awssdk.awscore.AwsRequestOverrideConfiguration;
 import software.amazon.awssdk.core.exception.SdkException;
 import software.amazon.awssdk.core.metrics.CoreMetric;
 import software.amazon.awssdk.core.retry.RetryUtils;
@@ -58,6 +59,8 @@
 import java.util.function.Predicate;
 import java.util.stream.Collectors;
 
+import static org.elasticsearch.repositories.s3.S3Repository.ADD_PURPOSE_CUSTOM_QUERY_PARAMETER_SETTING;
+
 class S3BlobStore implements BlobStore {
 
     public static final String CUSTOM_QUERY_PARAMETER_COPY_SOURCE = "x-amz-copy-source";
@@ -102,6 +105,8 @@ class S3BlobStore implements BlobStore {
 
     private final TimeValue getRegisterRetryDelay;
 
+    private final boolean addPurposeCustomQueryParameter;
+
     S3BlobStore(
         S3Service service,
         String bucket,
@@ -131,6 +136,7 @@ class S3BlobStore implements BlobStore {
         this.bulkDeletionBatchSize = S3Repository.DELETION_BATCH_SIZE_SETTING.get(repositoryMetadata.settings());
         this.retryThrottledDeleteBackoffPolicy = retryThrottledDeleteBackoffPolicy;
         this.getRegisterRetryDelay = S3Repository.GET_REGISTER_RETRY_DELAY.get(repositoryMetadata.settings());
+        this.addPurposeCustomQueryParameter = ADD_PURPOSE_CUSTOM_QUERY_PARAMETER_SETTING.get(repositoryMetadata.settings());
     }
 
     MetricPublisher getMetricPublisher(Operation operation, OperationPurpose purpose) {
@@ -600,9 +606,17 @@ static void configureRequestForMetrics(
         Operation operation,
         OperationPurpose purpose
     ) {
-        request.overrideConfiguration(
-            builder -> builder.metricPublishers(List.of(blobStore.getMetricPublisher(operation, purpose)))
-                .putRawQueryParameter(CUSTOM_QUERY_PARAMETER_PURPOSE, purpose.getKey())
-        );
+        request.overrideConfiguration(builder -> {
+            builder.metricPublishers(List.of(blobStore.getMetricPublisher(operation, purpose)));
+            blobStore.addPurposeQueryParameter(purpose, builder);
+        });
+    }
+
+    public void addPurposeQueryParameter(OperationPurpose purpose, AwsRequestOverrideConfiguration.Builder builder) {
+        if (addPurposeCustomQueryParameter || purpose == OperationPurpose.REPOSITORY_ANALYSIS) {
+            // REPOSITORY_ANALYSIS is a strict check for 100% S3 compatibility, including custom query parameter support, so is always added
+            builder.putRawQueryParameter(CUSTOM_QUERY_PARAMETER_PURPOSE, purpose.getKey());
+        }
     }
+
 }

modules/repository-s3/src/main/java/org/elasticsearch/repositories/s3/S3Repository.java

@@ -21,6 +21,7 @@
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.blobstore.BlobPath;
 import org.elasticsearch.common.blobstore.BlobStore;
+import org.elasticsearch.common.blobstore.OperationPurpose;
 import org.elasticsearch.common.logging.DeprecationCategory;
 import org.elasticsearch.common.logging.DeprecationLogger;
 import org.elasticsearch.common.settings.SecureSetting;
@@ -245,6 +246,14 @@ class S3Repository extends MeteredBlobStoreRepository {
         Setting.Property.Dynamic
     );
 
+    /**
+     * Whether to include {@link OperationPurpose#getKey()} as a custom query parameter on all operations.
+     */
+    static final Setting<Boolean> ADD_PURPOSE_CUSTOM_QUERY_PARAMETER_SETTING = Setting.boolSetting(
+        "add_purpose_custom_query_parameter",
+        false
+    );
+
     private final S3Service service;
 
     private final String bucket;

modules/repository-s3/src/test/java/org/elasticsearch/repositories/s3/AddPurposeCustomQueryParameterTests.java

@@ -0,0 +1,121 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.repositories.s3;
+
+import fixture.s3.S3HttpFixture;
+import fixture.s3.S3HttpHandler;
+
+import com.sun.net.httpserver.HttpExchange;
+import com.sun.net.httpserver.HttpHandler;
+
+import org.elasticsearch.action.admin.cluster.repositories.put.PutRepositoryRequest;
+import org.elasticsearch.action.admin.cluster.repositories.put.TransportPutRepositoryAction;
+import org.elasticsearch.action.admin.cluster.snapshots.create.CreateSnapshotRequest;
+import org.elasticsearch.action.admin.cluster.snapshots.create.TransportCreateSnapshotAction;
+import org.elasticsearch.common.settings.MockSecureSettings;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.util.CollectionUtils;
+import org.elasticsearch.plugins.Plugin;
+import org.elasticsearch.snapshots.SnapshotState;
+import org.elasticsearch.test.ESSingleNodeTestCase;
+import org.hamcrest.Matcher;
+import org.junit.runner.Description;
+import org.junit.runners.model.Statement;
+
+import java.io.IOException;
+import java.util.Collection;
+
+import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked;
+import static org.hamcrest.Matchers.hasItem;
+import static org.hamcrest.Matchers.not;
+
+public class AddPurposeCustomQueryParameterTests extends ESSingleNodeTestCase {
+
+    @Override
+    protected Collection<Class<? extends Plugin>> getPlugins() {
+        return CollectionUtils.appendToCopyNoNullElements(super.getPlugins(), S3RepositoryPlugin.class);
+    }
+
+    @Override
+    protected Settings nodeSettings() {
+        final var secureSettings = new MockSecureSettings();
+        secureSettings.setString(S3ClientSettings.ACCESS_KEY_SETTING.getConcreteSettingForNamespace("default").getKey(), "test_access_key");
+        secureSettings.setString(S3ClientSettings.SECRET_KEY_SETTING.getConcreteSettingForNamespace("default").getKey(), "test_secret_key");
+
+        return Settings.builder()
+            .put(super.nodeSettings())
+            .put(S3ClientSettings.REGION.getConcreteSettingForNamespace("default").getKey(), "es-test-region")
+            .setSecureSettings(secureSettings)
+            .build();
+    }
+
+    public void testCustomQueryParameterConfiguration() throws Throwable {
+        final var indexName = randomIdentifier();
+        createIndex(indexName);
+        prepareIndex(indexName).setSource("foo", "bar").get();
+
+        final var bucket = randomIdentifier();
+        final var basePath = randomIdentifier();
+
+        runWithFixture(
+            Settings.builder().put("bucket", bucket).put("base_path", basePath).build(), // defaults to omitting the custom params
+            not(hasItem(S3BlobStore.CUSTOM_QUERY_PARAMETER_PURPOSE))
+        );
+
+        runWithFixture(
+            Settings.builder().put("bucket", bucket).put("base_path", basePath).put("add_purpose_custom_query_parameter", false).build(),
+            not(hasItem(S3BlobStore.CUSTOM_QUERY_PARAMETER_PURPOSE))
+        );
+
+        runWithFixture(
+            Settings.builder().put("bucket", bucket).put("base_path", basePath).put("add_purpose_custom_query_parameter", true).build(),
+            hasItem(S3BlobStore.CUSTOM_QUERY_PARAMETER_PURPOSE)
+        );
+    }
+
+    private void runWithFixture(Settings repositorySettings, Matcher<Iterable<? super String>> queryParamMatcher) throws Throwable {
+        final var bucket = repositorySettings.get("bucket");
+        final var basePath = repositorySettings.get("base_path");
+        final var httpFixture = new S3HttpFixture(true, bucket, basePath, (key, token) -> true) {
+            @Override
+            protected HttpHandler createHandler() {
+                return new S3HttpHandler(bucket, basePath) {
+                    @Override
+                    public void handle(HttpExchange exchange) throws IOException {
+                        assertThat(parseRequest(exchange).queryParameters().keySet(), queryParamMatcher);
+                        super.handle(exchange);
+                    }
+                };
+            }
+        };
+        httpFixture.apply(new Statement() {
+            @Override
+            public void evaluate() {
+                final var repoName = randomIdentifier();
+                assertAcked(
+                    client().execute(
+                        TransportPutRepositoryAction.TYPE,
+                        new PutRepositoryRequest(TEST_REQUEST_TIMEOUT, TEST_REQUEST_TIMEOUT, repoName).type(S3Repository.TYPE)
+                            .settings(Settings.builder().put("endpoint", httpFixture.getAddress()).put(repositorySettings))
+                    )
+                );
+
+                assertEquals(
+                    SnapshotState.SUCCESS,
+                    client().execute(
+                        TransportCreateSnapshotAction.TYPE,
+                        new CreateSnapshotRequest(TEST_REQUEST_TIMEOUT, repoName, randomIdentifier()).waitForCompletion(true)
+                    ).actionGet(SAFE_AWAIT_TIMEOUT).getSnapshotInfo().state()
+                );
+            }
+        }, Description.EMPTY).evaluate();
+    }
+
+}

x-pack/plugin/snapshot-repo-test-kit/qa/s3/src/javaRestTest/java/org/elasticsearch/repositories/blobstore/testkit/analyze/S3RepositoryAnalysisRestIT.java

@@ -8,7 +8,11 @@
 
 import fixture.aws.DynamicRegionSupplier;
 import fixture.s3.S3HttpFixture;
+import fixture.s3.S3HttpHandler;
 
+import com.sun.net.httpserver.HttpHandler;
+
+import org.elasticsearch.common.regex.Regex;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.unit.ByteSizeValue;
 import org.elasticsearch.test.cluster.ElasticsearchCluster;
@@ -17,6 +21,7 @@
 import org.junit.rules.RuleChain;
 import org.junit.rules.TestRule;
 
+import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.function.Supplier;
 
 import static fixture.aws.AwsCredentialsUtils.fixedAccessKey;
@@ -33,7 +38,39 @@ public class S3RepositoryAnalysisRestIT extends AbstractRepositoryAnalysisRestTe
         "bucket",
         "base_path_integration_tests",
         fixedAccessKey("s3_test_access_key", regionSupplier, "s3")
-    );
+    ) {
+        @Override
+        protected HttpHandler createHandler() {
+            final var delegateHandler = asInstanceOf(S3HttpHandler.class, super.createHandler());
+            final var repoAnalysisStarted = new AtomicBoolean();
+            return exchange -> {
+                ensurePurposeParameterPresent(delegateHandler.parseRequest(exchange), repoAnalysisStarted);
+                delegateHandler.handle(exchange);
+            };
+        }
+    };
+
+    private static void ensurePurposeParameterPresent(S3HttpHandler.S3Request request, AtomicBoolean repoAnalysisStarted) {
+        if (request.path().startsWith("/bucket/base_path_integration_tests/temp-analysis-")) {
+            repoAnalysisStarted.set(true);
+        }
+        if (repoAnalysisStarted.get() == false) {
+            if (Regex.simpleMatch("/bucket/base_path_integration_tests/tests-*/master.dat", request.path())
+                || Regex.simpleMatch("/bucket/base_path_integration_tests/tests-*/data-*.dat", request.path())
+                || (request.isListObjectsRequest() && request.getQueryParamOnce("prefix").startsWith("base_path_integration_tests/tests-"))
+                || (request.isMultiObjectDeleteRequest())) {
+                // verify repository is not part of repo analysis so will have different/missing x-purpose parameter
+                return;
+            }
+            if (request.isListObjectsRequest() && request.getQueryParamOnce("prefix").equals("base_path_integration_tests/index-")) {
+                // getRepositoryData looking for root index-N blob will have different/missing x-purpose parameter
+                return;
+            }
+        }
+        repoAnalysisStarted.set(true);
+        assertTrue(request.toString(), request.hasQueryParamOnce("x-purpose"));
+        assertEquals(request.toString(), "RepositoryAnalysis", request.getQueryParamOnce("x-purpose"));
+    }
 
     public static ElasticsearchCluster cluster = ElasticsearchCluster.local()
         .distribution(DistributionType.DEFAULT)
@@ -73,6 +110,7 @@ protected Settings repositorySettings() {
             .put("delete_objects_max_size", between(1, 1000))
             .put("buffer_size", ByteSizeValue.ofMb(5)) // so some uploads are multipart ones
             .put("max_copy_size_before_multipart", ByteSizeValue.ofMb(5))
+            .put("add_purpose_custom_query_parameter", randomBoolean())
             .build();
     }
 }