2015-09-15 11:35:10 -04:00
[[repository-gcs]]
=== Google Cloud Storage Repository Plugin
The GCS repository plugin adds support for using the https://cloud.google.com/storage/[Google Cloud Storage]
service as a repository for {ref}/modules-snapshots.html[Snapshot/Restore].
2017-04-20 09:01:37 -04:00
:plugin_name: repository-gcs
include::install_remove.asciidoc[]
2015-09-15 11:35:10 -04:00
[[repository-gcs-usage]]
==== Getting started
2018-08-30 03:32:08 -04:00
The plugin uses the https://github.com/GoogleCloudPlatform/google-cloud-java/tree/master/google-cloud-clients/google-cloud-storage[Google Cloud Java Client for Storage]
2019-08-14 14:47:07 -04:00
to connect to the Storage service. If you are using
https://cloud.google.com/storage/[Google Cloud Storage] for the first time, you
2018-08-30 03:32:08 -04:00
must connect to the https://console.cloud.google.com/[Google Cloud Platform Console]
and create a new project. After your project is created, you must enable the
Cloud Storage Service for your project.
2015-09-15 11:35:10 -04:00
[[repository-gcs-creating-bucket]]
===== Creating a Bucket
2019-08-14 14:47:07 -04:00
The Google Cloud Storage service uses the concept of a
https://cloud.google.com/storage/docs/key-terms[bucket] as a container for all
the data. Buckets are usually created using the
https://console.cloud.google.com/[Google Cloud Platform Console]. The plugin
2018-08-30 03:32:08 -04:00
does not automatically create buckets.
2015-09-15 11:35:10 -04:00
To create a new bucket:
2018-08-30 03:32:08 -04:00
1. Connect to the https://console.cloud.google.com/[Google Cloud Platform Console].
2. Select your project.
3. Go to the https://console.cloud.google.com/storage/browser[Storage Browser].
4. Click the *Create Bucket* button.
5. Enter the name of the new bucket.
6. Select a storage class.
7. Select a location.
8. Click the *Create* button.
2015-09-15 11:35:10 -04:00
2018-08-30 03:32:08 -04:00
For more detailed instructions, see the
https://cloud.google.com/storage/docs/quickstart-console#create_a_bucket[Google Cloud documentation].
2015-09-15 11:35:10 -04:00
[[repository-gcs-service-authentication]]
===== Service Authentication
2019-08-14 14:47:07 -04:00
The plugin must authenticate the requests it makes to the Google Cloud Storage
2018-08-30 03:32:08 -04:00
service. It is common for Google client libraries to employ a strategy named https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application[application default credentials].
2019-08-14 14:47:07 -04:00
However, that strategy is **not** supported for use with Elasticsearch. The
plugin operates under the Elasticsearch process, which runs with the security
2018-08-30 03:32:08 -04:00
manager enabled. The security manager obstructs the "automatic" credential discovery.
2019-08-14 14:47:07 -04:00
Therefore, you must configure <<repository-gcs-using-service-account,service account>>
2018-08-30 03:32:08 -04:00
credentials even if you are using an environment that does not normally require
this configuration (such as Compute Engine, Kubernetes Engine or App Engine).
2015-09-15 11:35:10 -04:00
[[repository-gcs-using-service-account]]
===== Using a Service Account
2018-08-30 03:32:08 -04:00
You have to obtain and provide https://cloud.google.com/iam/docs/overview#service_account[service account credentials]
manually.
For detailed information about generating JSON service account files, see the https://cloud.google.com/storage/docs/authentication?hl=en#service_accounts[Google Cloud documentation].
Note that the PKCS12 format is not supported by this plugin.
2015-09-15 11:35:10 -04:00
2018-08-30 03:32:08 -04:00
Here is a summary of the steps:
2018-02-02 14:01:40 -05:00
2018-08-30 03:32:08 -04:00
1. Connect to the https://console.cloud.google.com/[Google Cloud Platform Console].
2. Select your project.
3. Got to the https://console.cloud.google.com/permissions[Permission] tab.
4. Select the https://console.cloud.google.com/permissions/serviceaccounts[Service Accounts] tab.
5. Click *Create service account*.
2019-08-14 14:47:07 -04:00
6. After the account is created, select it and download a JSON key file.
2015-09-15 11:35:10 -04:00
2018-08-30 03:32:08 -04:00
A JSON service account file looks like this:
2015-09-15 11:35:10 -04:00
2016-05-13 16:15:51 -04:00
[source,js]
2015-09-15 11:35:10 -04:00
----
{
"type": "service_account",
"project_id": "your-project-id",
"private_key_id": "...",
"private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
"client_email": "service-account-for-your-repository@your-project-id.iam.gserviceaccount.com",
2018-08-30 03:32:08 -04:00
"client_id": "...",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/your-bucket@your-project-id.iam.gserviceaccount.com"
2015-09-15 11:35:10 -04:00
}
----
2016-08-29 17:33:25 -04:00
// NOTCONSOLE
2015-09-15 11:35:10 -04:00
2019-04-18 09:21:13 -04:00
To provide this file to the plugin, it must be stored in the {ref}/secure-settings.html[Elasticsearch keystore]. You must
add a `file` setting with the name `gcs.client.NAME.credentials_file` using the `add-file` subcommand.
`NAME` is the name of the client configuration for the repository. The implicit client
2018-08-30 03:32:08 -04:00
name is `default`, but a different client name can be specified in the
2019-08-14 14:47:07 -04:00
repository settings with the `client` key.
2015-09-15 11:35:10 -04:00
2019-08-14 14:47:07 -04:00
NOTE: Passing the file path via the GOOGLE_APPLICATION_CREDENTIALS environment
2018-08-30 03:32:08 -04:00
variable is **not** supported.
2019-08-14 14:47:07 -04:00
For example, if you added a `gcs.client.my_alternate_client.credentials_file`
setting in the keystore, you can configure a repository to use those credentials
2018-08-30 03:32:08 -04:00
like this:
2015-09-15 11:35:10 -04:00
2016-05-13 16:15:51 -04:00
[source,js]
2015-09-15 11:35:10 -04:00
----
PUT _snapshot/my_gcs_repository
{
"type": "gcs",
"settings": {
"bucket": "my_bucket",
2017-05-16 20:17:37 -04:00
"client": "my_alternate_client"
2015-09-15 11:35:10 -04:00
}
}
----
// CONSOLE
2016-05-13 16:15:51 -04:00
// TEST[skip:we don't have gcs setup while testing this]
2015-09-15 11:35:10 -04:00
2018-08-01 05:07:23 -04:00
The `credentials_file` settings are {ref}/secure-settings.html#reloadable-secure-settings[reloadable].
2019-08-14 14:47:07 -04:00
After you reload the settings, the internal `gcs` clients, which are used to
2018-08-30 03:32:08 -04:00
transfer the snapshot contents, utilize the latest settings from the keystore.
2018-08-01 05:07:23 -04:00
2018-08-30 03:32:08 -04:00
NOTE: Snapshot or restore jobs that are in progress are not preempted by a *reload*
2019-08-14 14:47:07 -04:00
of the client's `credentials_file` settings. They complete using the client as
2018-08-30 03:32:08 -04:00
it was built when the operation started.
2018-08-01 05:07:23 -04:00
2018-02-22 09:40:20 -05:00
[[repository-gcs-client]]
==== Client Settings
2015-09-15 11:35:10 -04:00
2018-02-22 09:40:20 -05:00
The client used to connect to Google Cloud Storage has a number of settings available.
2018-08-30 03:32:08 -04:00
Client setting names are of the form `gcs.client.CLIENT_NAME.SETTING_NAME` and are specified
2018-02-22 09:40:20 -05:00
inside `elasticsearch.yml`. The default client name looked up by a `gcs` repository is
called `default`, but can be customized with the repository setting `client`.
2015-09-15 11:35:10 -04:00
2018-02-22 09:40:20 -05:00
For example:
[source,js]
----
PUT _snapshot/my_gcs_repository
{
"type": "gcs",
"settings": {
"bucket": "my_bucket",
"client": "my_alternate_client"
}
}
----
// CONSOLE
// TEST[skip:we don't have gcs setup while testing this]
Some settings are sensitive and must be stored in the
2018-08-30 03:32:08 -04:00
{ref}/secure-settings.html[Elasticsearch keystore]. This is the case for the service account file:
2018-02-22 09:40:20 -05:00
[source,sh]
----
2019-04-11 08:48:42 -04:00
bin/elasticsearch-keystore add-file gcs.client.default.credentials_file /path/service-account.json
2018-02-22 09:40:20 -05:00
----
The following are the available client settings. Those that must be stored in the keystore
are marked as `Secure`.
2015-09-15 11:35:10 -04:00
2018-02-22 09:40:20 -05:00
`credentials_file`::
The service account file that is used to authenticate to the Google Cloud Storage service. (Secure)
`endpoint`::
The Google Cloud Storage service endpoint to connect to. This will be automatically
determined by the Google Cloud Storage client but can be specified explicitly.
`connect_timeout`::
The timeout to establish a connection to the Google Cloud Storage service. The value should
specify the unit. For example, a value of `5s` specifies a 5 second timeout. The value of `-1`
corresponds to an infinite timeout. The default value is 20 seconds.
`read_timeout`::
The timeout to read data from an established connection. The value should
specify the unit. For example, a value of `5s` specifies a 5 second timeout. The value of `-1`
corresponds to an infinite timeout. The default value is 20 seconds.
`application_name`::
Name used by the client when it uses the Google Cloud Storage service. Setting
a custom name can be useful to authenticate your cluster when requests
statistics are logged in the Google Cloud Platform. Default to `repository-gcs`
2015-09-15 11:35:10 -04:00
2018-05-15 11:22:58 -04:00
`project_id`::
2018-08-30 03:32:08 -04:00
The Google Cloud project id. This will be automatically inferred from the credentials file but
2018-05-15 11:22:58 -04:00
can be specified explicitly. For example, it can be used to switch between projects when the
same credentials are usable for both the production and the development projects.
2015-09-15 11:35:10 -04:00
[[repository-gcs-repository]]
2018-02-22 09:40:20 -05:00
==== Repository Settings
The `gcs` repository type supports a number of settings to customize how data
is stored in Google Cloud Storage.
2015-09-15 11:35:10 -04:00
2018-02-22 09:40:20 -05:00
These can be specified when creating the repository. For example:
2015-09-15 11:35:10 -04:00
2016-05-13 16:15:51 -04:00
[source,js]
2015-09-15 11:35:10 -04:00
----
PUT _snapshot/my_gcs_repository
{
"type": "gcs",
"settings": {
2018-02-22 09:40:20 -05:00
"bucket": "my_other_bucket",
"base_path": "dev"
2015-09-15 11:35:10 -04:00
}
}
----
// CONSOLE
2018-02-22 09:40:20 -05:00
// TEST[skip:we don't have gcs set up while testing this]
2015-09-15 11:35:10 -04:00
The following settings are supported:
`bucket`::
The name of the bucket to be used for snapshots. (Mandatory)
2017-05-16 20:17:37 -04:00
`client`::
2015-09-15 11:35:10 -04:00
2018-02-22 09:40:20 -05:00
The name of the client to use to connect to Google Cloud Storage.
Defaults to `default`.
2015-09-15 11:35:10 -04:00
`base_path`::
Specifies the path within bucket to repository data. Defaults to
the root of the bucket.
`chunk_size`::
Big files can be broken down into chunks during snapshotting if needed.
2019-08-14 14:47:07 -04:00
Specify the chunk size as a value and unit, for example:
`10MB` or `5KB`. Defaults to `100MB`, which is the maximum permitted.
2015-09-15 11:35:10 -04:00
`compress`::
When set to `true` metadata files are stored in compressed format. This
setting doesn't affect index files that are already compressed by default.
Defaults to `false`.
2019-03-28 15:03:14 -04:00
include::repository-shared-settings.asciidoc[]
2015-09-15 11:35:10 -04:00
`application_name`::
2019-04-18 09:17:22 -04:00
deprecated:[6.3.0, "This setting is now defined in the <<repository-gcs-client, client settings>>."]
Name used by the client when it uses the Google Cloud Storage service.
2018-02-22 09:40:20 -05:00
[[repository-gcs-bucket-permission]]
===== Recommended Bucket Permission
The service account used to access the bucket must have the "Writer" access to the bucket:
2018-08-30 03:32:08 -04:00
1. Connect to the https://console.cloud.google.com/[Google Cloud Platform Console].
2. Select your project.
3. Got to the https://console.cloud.google.com/storage/browser[Storage Browser].
4. Select the bucket and "Edit bucket permission".
5. The service account must be configured as a "User" with "Writer" access.