s3 repository canned_acl is not working for some files during snapshot creation #32365
Description
Elasticsearch version (bin/elasticsearch --version): 6.3.2
Plugins installed: ["repository-s3"]
JVM version (java -version): javac 1.8.0_141
OS version (uname -a if on a Unix-like system): 4.14.51-60.38.amzn1.x86_64
Description of the problem including expected versus actual behavior:
We have an ES cluster in AWS. When we want to take a snapshot we are doing into S3 bucket which is located in another account.
when we creating an S3 repository in elastic search we enabling following option:
"canned_acl": "bucket-owner-full-control"
Not all files from snapshot have ACL for full control for bucket owner.
Files which DO NOT HAVE proper permissions.
1 . All files which have index-0 in their's name
2. index.latest
3. incompatible-snapshots.
All other files have correct ACL both for snapshot creator account and bucket owner account.
Steps to reproduce:
- Setup ES cluster in AWS account 1.
- Setup S3 bucket in AWS account 2.
- Grant permissions to ES to save snapshots to S3 bucket in AWS account 2.
- Setup a repository in ES cluster with option "canned_acl": "bucket-owner-full-control"
- Create a snapshot.
- Check file permissions for files with names index-0, index.latest and incompatible-snapshots.
They will not have bucket owner FULL ADMIN permissions
aws s3api get-object-acl --bucket BUCKET_NAME --key PATH_TO_S3_OBJECT
Provide logs (if relevant):