Skip to content

[improvement](s3) Default S3 access to HTTPS#65379

Draft
0AyanamiRei wants to merge 1 commit into
apache:masterfrom
0AyanamiRei:improvement/s3-default-https
Draft

[improvement](s3) Default S3 access to HTTPS#65379
0AyanamiRei wants to merge 1 commit into
apache:masterfrom
0AyanamiRei:improvement/s3-default-https

Conversation

@0AyanamiRei

@0AyanamiRei 0AyanamiRei commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

What problem does this PR solve?

Issue Number: None

Related PR: None

Problem Summary:
Doris object storage access defaulted to plain HTTP in BE and Cloud S3 client configuration. FE endpoint connectivity validation also added http:// when users provided an S3-compatible endpoint without an explicit scheme. Object storage services may disable HTTP and require HTTPS, so deployments that do not explicitly configure a scheme can fail or use an insecure default.

This PR changes the default S3-compatible object storage access scheme to HTTPS. It preserves explicit HTTP fallback for environments that set s3_client_http_scheme=http or provide an http:// endpoint.

Release note

Default S3-compatible object storage access now uses HTTPS unless users explicitly configure HTTP.

Check List (For Author)

  • Test

    • Regression test
    • Unit Test
    • Manual test (add detailed scripts or steps below)
    • No need to test or manual test. Explain why:
      • This is a refactor/code format and no logic has been changed.
      • Previous test can cover this change.
      • No code files have been changed.
      • Other reason
  • Behavior changed:

    • No.
    • Yes. Default S3-compatible object storage access changes from HTTP to HTTPS. Explicit HTTP configuration remains supported.
  • Does this need documentation?

    • No.
    • Yes.

Check List (For Reviewer who merge this PR)

  • Confirm the release note
  • Confirm test cases
  • Confirm document
  • Add branch pick label

### What problem does this PR solve?

Issue Number: None

Related PR: None

Problem Summary: Doris object storage access defaulted to plain HTTP in BE and Cloud S3 client configuration. FE endpoint connectivity validation also added http:// when users provided an S3-compatible endpoint without an explicit scheme. Object storage services may disable HTTP and require HTTPS, so deployments that do not explicitly configure a scheme can fail or use an insecure default. This change makes Doris default S3-compatible object storage access to HTTPS while preserving explicit HTTP fallback for environments that set s3_client_http_scheme=http or provide an http:// endpoint.

### Release note

Default S3-compatible object storage access now uses HTTPS unless users explicitly configure HTTP.

### Check List (For Author)

- Test: Manual test
    - Ran `git diff --cached --check` successfully before committing.
    - `./run-fe-ut.sh --run org.apache.doris.common.util.S3UtilTest` was attempted but could not run because Homebrew is not installed in this macOS environment.
- Behavior changed: Yes. Default S3-compatible object storage access changes from HTTP to HTTPS. Explicit HTTP configuration remains supported.
- Does this need documentation: No
@hello-stephen

Copy link
Copy Markdown
Contributor

Thank you for your contribution to Apache Doris.
Don't know what should be done next? See How to process your PR.

Please clearly describe your PR:

  1. What problem was fixed (it's best to include specific error reporting information). How it was fixed.
  2. Which behaviors were modified. What was the previous behavior, what is it now, why was it modified, and what possible impacts might there be.
  3. What features were added. Why was this function added?
  4. Which code was refactored and why was this part of the code refactored?
  5. Which functions were optimized and what is the difference before and after the optimization?

@0AyanamiRei

Copy link
Copy Markdown
Contributor Author

run buildall

@hello-stephen

Copy link
Copy Markdown
Contributor

Cloud UT Coverage Report

Increment line coverage 🎉

Increment coverage report
Complete coverage report

Category Coverage
Function Coverage 77.39% (1896/2450)
Line Coverage 64.43% (34060/52862)
Region Coverage 64.86% (17532/27032)
Branch Coverage 54.05% (9400/17390)

@hello-stephen

Copy link
Copy Markdown
Contributor
TPC-H: Total hot run time: 29438 ms
machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpch-tools
Tpch sf100 test result on commit 732e20146ec9a764fe5ffbe530f932b13d5e9a20, data reload: false

------ Round 1 ----------------------------------
============================================
q1	17760	4160	4100	4100
q2	2019	315	203	203
q3	10337	1420	837	837
q4	4681	466	334	334
q5	7500	859	587	587
q6	211	180	143	143
q7	796	863	617	617
q8	9906	1590	1505	1505
q9	6080	4383	4365	4365
q10	6841	1798	1553	1553
q11	505	343	313	313
q12	777	551	434	434
q13	18143	3350	2700	2700
q14	284	262	242	242
q15	q16	786	777	714	714
q17	1165	1036	1016	1016
q18	6789	5702	5411	5411
q19	1236	1220	1127	1127
q20	765	688	545	545
q21	5695	2703	2387	2387
q22	429	359	305	305
Total cold run time: 102705 ms
Total hot run time: 29438 ms

----- Round 2, with runtime_filter_mode=off -----
============================================
q1	4535	4472	4482	4472
q2	300	314	211	211
q3	4609	4996	4421	4421
q4	2097	2186	1394	1394
q5	4566	4405	4393	4393
q6	251	193	133	133
q7	2148	1945	1657	1657
q8	2589	2235	2207	2207
q9	8024	7954	7880	7880
q10	4780	4684	4286	4286
q11	575	429	481	429
q12	778	779	550	550
q13	3318	3663	3023	3023
q14	305	309	270	270
q15	q16	730	747	629	629
q17	1391	1370	1422	1370
q18	8412	7366	7151	7151
q19	1105	1067	1083	1067
q20	2223	2207	1945	1945
q21	5342	4735	4525	4525
q22	511	457	429	429
Total cold run time: 58589 ms
Total hot run time: 52442 ms

@hello-stephen

Copy link
Copy Markdown
Contributor
TPC-DS: Total hot run time: 181808 ms
machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpcds-tools
TPC-DS sf100 test result on commit 732e20146ec9a764fe5ffbe530f932b13d5e9a20, data reload: false

query5	4330	640	493	493
query6	482	224	206	206
query7	4878	639	335	335
query8	369	197	171	171
query9	8784	4176	4146	4146
query10	488	343	295	295
query11	5891	2341	2141	2141
query12	155	106	106	106
query13	1280	644	456	456
query14	6245	5315	4963	4963
query14_1	4327	4293	4293	4293
query15	229	212	193	193
query16	1035	501	453	453
query17	1156	741	598	598
query18	2466	493	370	370
query19	208	199	158	158
query20	115	112	109	109
query21	234	159	131	131
query22	13686	13566	13364	13364
query23	17273	16566	16229	16229
query23_1	16427	16365	16389	16365
query24	7521	1805	1343	1343
query24_1	1332	1326	1344	1326
query25	598	475	406	406
query26	1343	346	214	214
query27	2590	638	391	391
query28	4443	2028	2091	2028
query29	1111	657	520	520
query30	341	266	234	234
query31	1117	1104	988	988
query32	116	65	63	63
query33	539	338	269	269
query34	1179	1196	662	662
query35	787	790	692	692
query36	1405	1449	1313	1313
query37	170	112	100	100
query38	1918	1739	1674	1674
query39	969	994	940	940
query39_1	921	936	931	931
query40	250	165	143	143
query41	69	67	67	67
query42	96	94	93	93
query43	332	348	297	297
query44	1554	832	797	797
query45	207	194	178	178
query46	1133	1212	754	754
query47	2363	2371	2268	2268
query48	408	441	314	314
query49	582	424	321	321
query50	1107	428	337	337
query51	11014	10763	10820	10763
query52	89	91	77	77
query53	275	291	203	203
query54	278	246	246	246
query55	82	79	72	72
query56	308	304	294	294
query57	1444	1419	1345	1345
query58	285	258	249	249
query59	1602	1696	1445	1445
query60	319	269	265	265
query61	156	152	160	152
query62	702	648	596	596
query63	254	204	211	204
query64	2853	1041	880	880
query65	4864	4794	4833	4794
query66	1819	522	420	420
query67	29702	29632	29468	29468
query68	3062	1544	1013	1013
query69	426	320	285	285
query70	1096	1035	978	978
query71	379	336	296	296
query72	3095	2784	2432	2432
query73	802	777	456	456
query74	5126	4985	4796	4796
query75	2633	2614	2237	2237
query76	2327	1212	809	809
query77	374	383	298	298
query78	12407	12318	11753	11753
query79	1460	1204	768	768
query80	1310	532	480	480
query81	531	336	283	283
query82	621	164	120	120
query83	361	335	296	296
query84	282	160	135	135
query85	969	609	523	523
query86	434	321	279	279
query87	1852	1866	1752	1752
query88	3865	2885	2884	2884
query89	456	407	373	373
query90	1917	203	206	203
query91	204	193	172	172
query92	63	64	56	56
query93	1738	1525	998	998
query94	726	364	345	345
query95	792	617	503	503
query96	1097	812	358	358
query97	2700	2722	2530	2530
query98	230	204	203	203
query99	1172	1161	1034	1034
Total cold run time: 267509 ms
Total hot run time: 181808 ms

@hello-stephen

Copy link
Copy Markdown
Contributor

BE UT Coverage Report

Increment line coverage 🎉

Increment coverage report
Complete coverage report

Category Coverage
Function Coverage 56.54% (23209/41051)
Line Coverage 40.10% (225213/561688)
Region Coverage 36.07% (177981/493457)
Branch Coverage 37.09% (79046/213105)

@hello-stephen

Copy link
Copy Markdown
Contributor
ClickBench: Total hot run time: 25.14 s
machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/clickbench-tools
ClickBench test result on commit 732e20146ec9a764fe5ffbe530f932b13d5e9a20, data reload: false

query1	0.01	0.00	0.00
query2	0.10	0.05	0.05
query3	0.26	0.14	0.13
query4	1.61	0.17	0.14
query5	0.25	0.22	0.22
query6	1.25	1.07	1.09
query7	0.04	0.01	0.01
query8	0.05	0.03	0.03
query9	0.38	0.31	0.31
query10	0.57	0.56	0.56
query11	0.19	0.14	0.14
query12	0.19	0.15	0.14
query13	0.49	0.48	0.47
query14	1.02	0.99	1.02
query15	0.61	0.59	0.61
query16	0.34	0.33	0.33
query17	1.13	1.09	1.14
query18	0.25	0.23	0.23
query19	2.12	1.96	1.99
query20	0.02	0.01	0.01
query21	15.42	0.21	0.14
query22	4.77	0.05	0.06
query23	16.13	0.32	0.12
query24	3.03	0.42	0.32
query25	0.13	0.06	0.04
query26	0.72	0.20	0.14
query27	0.03	0.03	0.03
query28	3.55	0.92	0.55
query29	12.48	4.15	3.30
query30	0.28	0.15	0.16
query31	2.77	0.60	0.31
query32	3.22	0.61	0.49
query33	3.14	3.21	3.17
query34	15.57	4.19	3.51
query35	3.53	3.58	3.56
query36	0.55	0.44	0.43
query37	0.09	0.07	0.07
query38	0.06	0.04	0.04
query39	0.04	0.02	0.02
query40	0.18	0.16	0.14
query41	0.10	0.04	0.04
query42	0.04	0.02	0.02
query43	0.04	0.04	0.03
Total cold run time: 96.75 s
Total hot run time: 25.14 s

@@ -434,6 +430,13 @@ public static void validateAndTestEndpoint(String endpoint) throws UserException
}
}

static String buildEndpointUrl(String endpoint) {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One compatibility question: for users on HTTP-only storage with a scheme-less
endpoint like minio.local:9000, would existing loads start failing after upgrade
since it now defaults to HTTPS. If so, might be worth a
release-note callout

@spaces-X

spaces-X commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

/review

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review result: request changes.

Critical checkpoint conclusions:

  • Goal/test: the PR intends scheme-less S3-compatible access to default to HTTPS, but the implementation only updates BE/cloud config defaults plus the S3Util load/TVF validation helper. New S3Util tests cover only that helper path.
  • Scope/focus: the patch is small, but it misses several parallel FE object-storage entry points. The existing GitHub thread about HTTP-only compatibility is already covered and was not duplicated.
  • Parallel paths: resource/vault normalization, external stage validation, DLF Iceberg file IO, and external-catalog S3/Minio connectivity still bypass the new HTTPS-default helper.
  • Config/compatibility: BE/cloud defaults changed to HTTPS, but FE paths can still force or preserve old HTTP behavior inconsistently.
  • Persistence/data flow: S3Resource still persists a forced http:// endpoint into copied properties, which downstream resource, vault, policy, and object-store protobuf paths consume.
  • Concurrency/lifecycle/locking: no new concurrency, lifecycle, or lock-order concerns found in the changed code.
  • Testing/validation: patch-scoped whitespace check passed. FE build/unit tests were not run because this checkout lacks .worktree_initialized, thirdparty/installed, and thirdparty/installed/bin/protoc.
  • User focus: no additional user-provided review focus.

Subagent conclusions: OR-1 was accepted and merged into the inline comment; TSC-1 was a duplicate confirmation with test evidence; OR-2, OR-3, and OR-4 were reported during convergence and merged into the same consolidated finding. Convergence closed in round 3 when both optimizer-rewrite and tests-session-config returned NO_NEW_VALUABLE_FINDINGS for the same ledger/comment set.

if (endpoint.startsWith("http://") || endpoint.startsWith("https://")) {
return endpoint;
}
return "https://" + endpoint;

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This only changes the load/TVF endpoint validation path, but other scheme-less object-storage endpoints still keep the old HTTP behavior. For example, S3Resource.setProperties() still rewrites and persists scheme-less resources/vaults as http://..., CreateStageCommand.tryConnect() still validates external stages with http:// + endpoint, DLFCatalog.initializeFileIO() still prepends http:// before building its S3 client, and the S3/Minio catalog connectivity tester passes a scheme-less endpoint straight to URI.create(endpoint). Those paths do not go through this helper, so users of CREATE RESOURCE, S3 storage vaults, external stages, DLF Iceberg catalogs, or catalog connectivity checks can still miss the new HTTPS default after this PR. Please route these parallel paths through the same HTTPS-default normalization while preserving explicit http://, and update the tests that currently pin or miss the old behavior.

@gavinchou gavinchou left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the improvement. I think this still needs changes before merge.

  1. The storage vault path still persists a bare S3 endpoint as HTTP, so the most important cloud vault/ObjectStoreInfoPB path does not actually get the new HTTPS default. CREATE STORAGE VAULT goes through StorageVault.fromCommand -> S3StorageVault -> Resource.fromCommand -> S3Resource.setProperties, and S3Resource.setProperties still rewrites a bare endpoint to http://.... That value is then copied into ObjectStoreInfoPB by S3Properties.getObjStoreInfoPB, persisted by meta-service as-is, and later consumed by BE/recycler through S3Conf::get_s3_conf. As a result, a new storage vault created with a bare s3.endpoint will still use/persist HTTP and will not follow the new default HTTPS behavior.

  2. CREATE STAGE still has an HTTP-only preflight check. CreateStageCommand.tryConnect unconditionally builds http:// + endpoint before the real object-storage access. The real FE filesystem path already defaults a bare S3 endpoint to HTTPS in S3ObjStorage, so the preflight can fail for an HTTPS-only endpoint even though the actual object-storage client would use HTTPS and succeed.

  3. There are still FE S3-compatible client construction paths that do not use the same HTTPS-default normalization. AbstractS3CompatibleConnectivityTester passes URI.create(endpoint) directly, so an explicitly configured bare endpoint is not normalized before the AWS SDK client is built. DLFCatalog.initializeFileIO also converts the OSS endpoint to an S3-compatible endpoint and then defaults a bare endpoint to http://. These paths should share the same endpoint normalization rule: preserve explicit http:// or https://, but default a bare endpoint to HTTPS.

Testing suggestion: please add coverage for the storage vault/ObjectStoreInfoPB path, especially CREATE STORAGE VAULT with a bare s3.endpoint, and assert that it no longer persists http://... unintentionally. The existing S3ResourceTest still asserts that a bare endpoint becomes http://aaa, which is exactly the old behavior this PR should change for this path. It would also be useful to add coverage for CREATE STAGE with a bare endpoint and for the FE catalog/DLF connectivity paths so all object-storage client construction follows the same default HTTPS rule.

@0AyanamiRei

Copy link
Copy Markdown
Contributor Author

Thanks for the improvement. I think this still needs changes before merge.

  1. The storage vault path still persists a bare S3 endpoint as HTTP, so the most important cloud vault/ObjectStoreInfoPB path does not actually get the new HTTPS default. CREATE STORAGE VAULT goes through StorageVault.fromCommand -> S3StorageVault -> Resource.fromCommand -> S3Resource.setProperties, and S3Resource.setProperties still rewrites a bare endpoint to http://.... That value is then copied into ObjectStoreInfoPB by S3Properties.getObjStoreInfoPB, persisted by meta-service as-is, and later consumed by BE/recycler through S3Conf::get_s3_conf. As a result, a new storage vault created with a bare s3.endpoint will still use/persist HTTP and will not follow the new default HTTPS behavior.
  2. CREATE STAGE still has an HTTP-only preflight check. CreateStageCommand.tryConnect unconditionally builds http:// + endpoint before the real object-storage access. The real FE filesystem path already defaults a bare S3 endpoint to HTTPS in S3ObjStorage, so the preflight can fail for an HTTPS-only endpoint even though the actual object-storage client would use HTTPS and succeed.
  3. There are still FE S3-compatible client construction paths that do not use the same HTTPS-default normalization. AbstractS3CompatibleConnectivityTester passes URI.create(endpoint) directly, so an explicitly configured bare endpoint is not normalized before the AWS SDK client is built. DLFCatalog.initializeFileIO also converts the OSS endpoint to an S3-compatible endpoint and then defaults a bare endpoint to http://. These paths should share the same endpoint normalization rule: preserve explicit http:// or https://, but default a bare endpoint to HTTPS.

Testing suggestion: please add coverage for the storage vault/ObjectStoreInfoPB path, especially CREATE STORAGE VAULT with a bare s3.endpoint, and assert that it no longer persists http://... unintentionally. The existing S3ResourceTest still asserts that a bare endpoint becomes http://aaa, which is exactly the old behavior this PR should change for this path. It would also be useful to add coverage for CREATE STAGE with a bare endpoint and for the FE catalog/DLF connectivity paths so all object-storage client construction follows the same default HTTPS rule.

draft first, we will test for this behavior change.

@0AyanamiRei 0AyanamiRei marked this pull request as draft July 8, 2026 12:51
@hello-stephen

Copy link
Copy Markdown
Contributor

FE UT Coverage Report

Increment line coverage 75.00% (3/4) 🎉
Increment coverage report
Complete coverage report

@hello-stephen

Copy link
Copy Markdown
Contributor

BE Regression && UT Coverage Report

Increment line coverage 100% (0/0) 🎉

Increment coverage report
Complete coverage report

Category Coverage
Function Coverage 72.99% (29248/40071)
Line Coverage 56.63% (316258/558471)
Region Coverage 53.08% (263023/495543)
Branch Coverage 54.14% (115511/213340)

@hello-stephen

Copy link
Copy Markdown
Contributor

FE Regression Coverage Report

Increment line coverage 0.76% (4/525) 🎉
Increment coverage report
Complete coverage report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants