Hibernate Search AWS OpenSearch Serverless connection problem

Question

I am using Hibernate Search v. 6.1.8.Final within my Spring Boot application. My implementation works for OpenSearch v. 2.5, which runs locally and in Kubernetes.

Besides the basic libraries I include the org.hibernate.search:hibernate-search-backend-elasticsearch-aws AWS adapter.

When I install it in AWS EKS I configure my Spring properties like this:

spring:
  jpa:
    properties:
      hibernate:
        search:
          backend:
            type: elasticsearch
            hosts: xxxxxxxx.<region>.aoss.amazonaws.com
            version: opensearch:2.5
            version_check:
              enabled: false
            aws:
              region: <region>
              signing:
                enabled: true

I do not put my AWS credentials in this configuration since I hope I can authenticate with the Service Account my pod is running with.

The service account eks.amazonaws.com/role-arn: arn:aws:iam::xxxxxxxxx:role/<role-name> defines the role name, which has the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "aoss:*"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:aoss:<region>:xxxxxxxxx:collection/<collection-id>"
        }
    ]
}

I can connect to the OpenSearch Serverless Collection (with curl). Also, in the IAM Policy Simulator I can verify that my role has APIAccessAll for aoss.

Now when I start my application I get the following error:

2023-06-05T08:51:22,164+0000  WARN [,] --- [main] dialect.impl.ElasticsearchDialectFactory : HSEARCH400085: Unknown Elasticsearch version running on the cluster: 'opensearch:2.5'. Hibernate Search may not work correctly. Consider updating to a newer version of Hibernate Search, if any.
2023-06-05T08:51:22,367+0000  WARN [,] --- [main] als.internal.WebIdentityCredentialsUtils : To use web identity tokens, the 'sts' service module must be on the class path.
2023-06-05T08:51:22,863+0000 ERROR [,] --- [Hibernate Search - default backend - Transport thread - 2] ngine.reporting.spi.RootFailureCollector : HSEARCH000521: Hibernate Search encountered a failure during bootstrap; continuing for now to list all problems, but the process will ultimately be aborted.
Context: Hibernate ORM mapping, type 'com.example.MyEntity'
Failure:
org.hibernate.search.util.common.SearchException: HSEARCH400034: Unable to retrieve index metadata from Elasticsearch: HSEARCH400007: Elasticsearch request failed: HSEARCH400090: Elasticsearch response indicates a failure.
Request: GET /myentity-write,myentity-read with parameters {ignore_unavailable=true, allow_no_indices=true}
Response: 403 'Forbidden' from 'https://xxxxxx.<region>.aoss.amazonaws.com' with body
{
  "status": 403,
  "request-id": "<request-id>",
  "error": {
    "reason": "Credential should be scoped to correct service: \u0027aoss\u0027, not \u0027es\u0027.",
    "type": "AccessDenied"
  }
}

Does anyone know this issue? For me it seems that the policy is correct, even without a Resource restriction.

Answer 1

Score: 1

Hibernate Search AWS integration is not tested against Amazon OpenSearch Serverless. From the message you get back from AWS:

"Credential should be scoped to correct service: \u0027aoss\u0027, not \u0027es\u0027."

I would assume that the problem comes from the fact that hibernate-search-backend-elasticsearch-aws is signing the request for the es service rather than for aoss, which is what you need...

I'd suggest starting a discussion here https://discourse.hibernate.org/ or opening a request at https://hibernate.atlassian.net/
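To make the 403 body in the question and the diagnosis in the answer concrete, here is an added example (not part of the question or the answer, and not Hibernate Search's or the AWS SDK's code): a minimal AWS Signature Version 4 signer written from the public signing algorithm, using only the Python standard library. It signs the exact request from the log (GET /myentity-write,myentity-read with ignore_unavailable and allow_no_indices) once for the service name es and once for aoss, then parses the Credential scope back out of the Authorization header the way the endpoint does. The access key, secret key, region eu-west-1 and hostname are constructed placeholders; the timestamp is the one from the log. Nothing here contacts AWS.

```python
"""SigV4 credential scope: why a request signed for 'es' is rejected by an 'aoss'
endpoint.  Added example written from the public SigV4 algorithm; not Hibernate
Search or AWS SDK code.  Keys, region, host and timestamp are constructed."""
import datetime
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholders (not real credentials).
ACCESS_KEY = "AKIAEXAMPLEEXAMPLE00"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = "eu-west-1"
HOST = "xxxxxxxx.eu-west-1.aoss.amazonaws.com"
# The request Hibernate Search issued according to the log in the question.
METHOD = "GET"
PATH = "/myentity-write,myentity-read"
QUERY = {"ignore_unavailable": "true", "allow_no_indices": "true"}
WHEN = datetime.datetime(2023, 6, 5, 8, 51, 22, tzinfo=datetime.timezone.utc)


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def credential_scope(when: datetime.datetime, region: str, service: str) -> str:
    """The scope SigV4 binds a signature to: date/region/service/aws4_request."""
    return f"{when:%Y%m%d}/{region}/{service}/aws4_request"


def sign_request(service: str, method=METHOD, path=PATH, query=QUERY, host=HOST,
                 region=REGION, when=WHEN, body=b"") -> dict:
    """Return the SigV4 request headers, signed for the given service name."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    payload_hash = _sha256_hex(body)
    headers = {"host": host, "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items())
    )
    canonical_request = "\n".join([
        method,
        quote(path, safe="/-_.~"),  # path is URI-encoded; ',' becomes %2C
        canonical_query,
        canonical_headers,
        signed_headers,
        payload_hash,
    ])
    scope = credential_scope(when, region, service)
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical_request.encode())]
    )
    # Key derivation: the service name is mixed into the signing key itself, so a
    # signature made for 'es' cannot verify against the 'aoss' derivation.
    k_date = _hmac(("AWS4" + SECRET_KEY).encode(), f"{when:%Y%m%d}")
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    k_signing = _hmac(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={ACCESS_KEY}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers


def scoped_service(authorization: str) -> str:
    """Extract the service name from the Credential scope of an Authorization header.
    The endpoint checks this before the IAM policy is consulted at all."""
    credential = authorization.split("Credential=", 1)[1].split(",", 1)[0]
    _key, _date, _region, service, _terminator = credential.split("/")
    return service


def check_scope(authorization: str, expected_service: str):
    """Reproduce the endpoint-side rejection seen in the question's 403 body."""
    got = scoped_service(authorization)
    if got != expected_service:
        return False, (f"Credential should be scoped to correct service: "
                       f"'{expected_service}', not '{got}'.")
    return True, "ok"


if __name__ == "__main__":
    for service in ("es", "aoss"):
        auth = sign_request(service)["authorization"]
        print(service, "->", check_scope(auth, "aoss"))
```

The point the example makes: the IAM policy with aoss:* never gets a chance to allow the request, because the service name is part of both the Credential scope and the HMAC key derivation. A request signed for es carries a scope of .../es/aws4_request, which an aoss endpoint rejects outright, which is the 403 shown above. That is also consistent with curl succeeding: curl's --aws-sigv4 option takes the service name explicitly (aws:amz:<region>:aoss), so it signs for the right service. Whatever the final fix is on the Hibernate Search side, the check to run is the one in scoped_service: capture the Authorization header the client actually sends and confirm the fourth scope component reads aoss.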

huangapple
  • Posted on 2023-06-05 17:37:42
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76405139.html