Fix S3 deletion for buckets/endpoints other than what’s configured for upload (#9047)

We can have multiple managed s3 stores. Only one is selected for upload
but dataset deletion should work for all of them. This PR refactors the
ManagedS3Service a bit and selects the correct client with
endpoint/credential for each path.

### URL of deployed dev instance (used for testing):
- https://___.webknossos.xyz

### Steps to test:
(I already tested locally, no need to re-test)
- In application.conf, insert multiple dataVaults.credentials for s3
endpoints. Set s3Upload.credentialName to the first of them
- Upload a small dataset
- set the s3Upload.credentialName to another of them
- make sure both datasets can be loaded
- delete both datasets from their respective settings views.
- backend logging should show they were deleted from their respective s3
buckets

### Issues:
- follow-up for #8924 
- fixes #9043

------
- [x] Added changelog entry (create a `$PR_NUMBER.md` file in
`unreleased_changes` or use `./tools/create-changelog-entry.py`)
- [x] Removed dev-only changes like prints and application.conf edits
- [x] Considered [common edge
cases](../blob/master/.github/common_edge_cases.md)
- [x] Needs datastore update after deployment

Author: fm3

unreleased_changes/9047.md

@@ -0,0 +1,2 @@
+### Fixed
+- Fixed dataset deletion for data stored on managed s3 buckets different from the one currently selected for dataset upload.

webknossos-datastore/app/com/scalableminds/webknossos/datastore/datavault/S3DataVault.scala

@@ -14,10 +14,8 @@ import org.apache.commons.lang3.builder.HashCodeBuilder
 import play.api.libs.ws.WSClient
 import software.amazon.awssdk.auth.credentials.{
   AnonymousCredentialsProvider,
-  AwsBasicCredentials,
   AwsCredentialsProvider,
   EnvironmentVariableCredentialsProvider,
-  StaticCredentialsProvider
 }
 import software.amazon.awssdk.awscore.util.AwsHostNameUtils
 import software.amazon.awssdk.core.ResponseBytes
@@ -193,12 +191,7 @@ object S3DataVault {
 
   private def getCredentialsProvider(credentialOpt: Option[S3AccessKeyCredential]): AwsCredentialsProvider =
     credentialOpt match {
-      case Some(s3AccessKeyCredential: S3AccessKeyCredential) =>
-        StaticCredentialsProvider.create(
-          AwsBasicCredentials.builder
-            .accessKeyId(s3AccessKeyCredential.accessKeyId)
-            .secretAccessKey(s3AccessKeyCredential.secretAccessKey)
-            .build())
+      case Some(s3AccessKeyCredential: S3AccessKeyCredential) => s3AccessKeyCredential.toCredentialsProvider
       case None if sys.env.contains("AWS_ACCESS_KEY_ID") || sys.env.contains("AWS_ACCESS_KEY") =>
         EnvironmentVariableCredentialsProvider.create()
       case None =>

webknossos-datastore/app/com/scalableminds/webknossos/datastore/services/DSUsedStorageService.scala

@@ -31,7 +31,9 @@ object PathStorageUsageResponse {
 
 case class PathPair(original: String, upath: UPath)
 
-class DSUsedStorageService @Inject()(config: DataStoreConfig, dataVaultService: DataVaultService)
+class DSUsedStorageService @Inject()(config: DataStoreConfig,
+                                     dataVaultService: DataVaultService,
+                                     managedS3Service: ManagedS3Service)
     extends FoxImplicits
     with LazyLogging {
 
@@ -55,14 +57,8 @@ class DSUsedStorageService @Inject()(config: DataStoreConfig, dataVaultService:
           pathPair
       })
       // Check to only measure remote paths that are part of a vault that is configured.
-      (pathPairsToMeasure, _absoluteUpathsToSkip) = pathPairsWithAbsoluteUpath.partition(
-        path =>
-          path.upath.isLocal || config.Datastore.DataVaults.credentials.exists(
-            vaultCredentialConfig =>
-              UPath
-                .fromString(vaultCredentialConfig.getString("name"))
-                .map(registeredPath => path.upath.startsWith(registeredPath))
-                .getOrElse(false)))
+      (pathPairsToMeasure, _absoluteUpathsToSkip) = pathPairsWithAbsoluteUpath.partition(path =>
+        path.upath.isLocal || managedS3Service.pathIsInManagedS3(path.upath))
       vaultPathsForPathPairsToMeasure <- Fox.serialCombined(pathPairsToMeasure)(pathPair =>
         dataVaultService.vaultPathFor(pathPair.upath))
       usedBytes <- Fox.fromFuture(

webknossos-datastore/app/com/scalableminds/webknossos/datastore/services/ManagedS3Service.scala

@@ -1,12 +1,16 @@
 package com.scalableminds.webknossos.datastore.services
 
+import com.scalableminds.util.time.Instant
 import com.scalableminds.util.tools.{Box, Fox, FoxImplicits}
 import com.scalableminds.util.tools.Box.tryo
 import com.scalableminds.webknossos.datastore.DataStoreConfig
 import com.scalableminds.webknossos.datastore.helpers.{PathSchemes, S3UriUtils, UPath}
-import com.scalableminds.webknossos.datastore.storage.{CredentialConfigReader, S3AccessKeyCredential}
+import com.scalableminds.webknossos.datastore.storage.{
+  CredentialConfigReader,
+  DataVaultCredential,
+  S3AccessKeyCredential
+}
 import com.typesafe.scalalogging.LazyLogging
-import software.amazon.awssdk.auth.credentials.{AwsBasicCredentials, StaticCredentialsProvider}
 import software.amazon.awssdk.core.checksums.RequestChecksumCalculation
 import software.amazon.awssdk.regions.Region
 import software.amazon.awssdk.services.s3.S3AsyncClient
@@ -25,24 +29,44 @@ import scala.concurrent.ExecutionContext
 import scala.jdk.CollectionConverters._
 import scala.jdk.FutureConverters._
 
-class ManagedS3Service @Inject()(dataStoreConfig: DataStoreConfig) extends FoxImplicits with LazyLogging {
+class ManagedS3Service @Inject()(config: DataStoreConfig) extends FoxImplicits with LazyLogging {
+
+  def pathIsInManagedS3(path: UPath): Boolean =
+    path.getScheme.contains(PathSchemes.schemeS3) && globalCredentials.exists(c =>
+      UPath.fromString(c.name).map(path.startsWith).getOrElse(false))
+
+  def findGlobalCredentialFor(pathOpt: Option[UPath]): Option[S3AccessKeyCredential] =
+    pathOpt.flatMap(findGlobalCredentialFor)
+
+  private def findGlobalCredentialFor(path: UPath): Option[S3AccessKeyCredential] =
+    globalCredentials.collectFirst {
+      case credential: S3AccessKeyCredential if path.toString.startsWith(credential.name) => credential
+    }
 
-  private lazy val s3UploadCredentialsOpt: Option[(String, String)] =
-    dataStoreConfig.Datastore.DataVaults.credentials.flatMap { credentialConfig =>
+  private lazy val globalCredentials: Seq[DataVaultCredential] = {
+    val res = config.Datastore.DataVaults.credentials.flatMap { credentialConfig =>
       new CredentialConfigReader(credentialConfig).getCredential
-    }.collectFirst {
-      case S3AccessKeyCredential(credentialName, accessKeyId, secretAccessKey, _, _)
-          if dataStoreConfig.Datastore.S3Upload.credentialName == credentialName =>
-        (accessKeyId, secretAccessKey)
+    }
+    logger.info(s"Parsed ${res.length} global data vault credentials from datastore config.")
+    res
+  }
+
+  private lazy val s3UploadCredentialOpt: Option[S3AccessKeyCredential] =
+    globalCredentials.collectFirst {
+      case credential: S3AccessKeyCredential if config.Datastore.S3Upload.credentialName == credential.name =>
+        credential
     }
 
   lazy val s3UploadBucketOpt: Option[String] =
     // by convention, the credentialName is the S3 URI so we can extract the bucket from it.
-    S3UriUtils.hostBucketFromUri(new URI(dataStoreConfig.Datastore.S3Upload.credentialName))
+    S3UriUtils.hostBucketFromUri(new URI(config.Datastore.S3Upload.credentialName))
 
-  private lazy val s3UploadEndpoint: URI = {
-    // by convention, the credentialName is the S3 URI so we can extract the bucket from it.
-    val credentialUri = new URI(dataStoreConfig.Datastore.S3Upload.credentialName)
+  private lazy val s3UploadEndpoint: URI =
+    endpointForCredentialName(config.Datastore.S3Upload.credentialName)
+
+  private def endpointForCredentialName(credentialName: String) = {
+    // by convention, the credentialName is the S3 URI so we can extract the endpoint from it.
+    val credentialUri = new URI(credentialName)
     new URI(
       "https",
       null,
@@ -54,26 +78,26 @@ class ManagedS3Service @Inject()(dataStoreConfig: DataStoreConfig) extends FoxIm
     )
   }
 
-  private lazy val s3ClientBox: Box[S3AsyncClient] = for {
-    accessKeyId <- Box(s3UploadCredentialsOpt.map(_._1))
-    secretAccessKey <- Box(s3UploadCredentialsOpt.map(_._2))
-    client <- tryo(
+  private lazy val s3UploadClientBox: Box[S3AsyncClient] = for {
+    s3UploadCredential <- Box(s3UploadCredentialOpt)
+    client <- buildClient(s3UploadEndpoint, s3UploadCredential)
+  } yield client
+
+  private def buildClient(endpoint: URI, credential: S3AccessKeyCredential): Box[S3AsyncClient] =
+    tryo(
       S3AsyncClient
         .builder()
-        .credentialsProvider(StaticCredentialsProvider.create(
-          AwsBasicCredentials.builder.accessKeyId(accessKeyId).secretAccessKey(secretAccessKey).build()
-        ))
+        .credentialsProvider(credential.toCredentialsProvider)
         .crossRegionAccessEnabled(true)
         .forcePathStyle(true)
-        .endpointOverride(s3UploadEndpoint)
+        .endpointOverride(endpoint)
         .region(Region.US_EAST_1)
         // Disabling checksum calculation prevents files being stored with Content Encoding "aws-chunked".
         .requestChecksumCalculation(RequestChecksumCalculation.WHEN_REQUIRED)
         .build())
-  } yield client
 
-  lazy val transferManagerBox: Box[S3TransferManager] = for {
-    client <- s3ClientBox
+  lazy val s3UploadTransferManagerBox: Box[S3TransferManager] = for {
+    client <- s3UploadClientBox
   } yield S3TransferManager.builder().s3Client(client).build()
 
   def deletePaths(paths: Seq[UPath])(implicit ec: ExecutionContext): Fox[Unit] = {
@@ -89,13 +113,19 @@ class ManagedS3Service @Inject()(dataStoreConfig: DataStoreConfig) extends FoxIm
       implicit ec: ExecutionContext): Fox[Unit] =
     for {
       bucket <- bucketOpt.toFox ?~> "Could not determine S3 bucket from UPath"
-      s3Client <- s3ClientBox.toFox ?~> "No managed s3 client configured"
+      firstPath <- paths.headOption.toFox // groupBy of the caller guarantees that this is not called with empty list.
+      credential <- findGlobalCredentialFor(firstPath).toFox // Convention is that the credentials are per bucket, so we can reuse this for all paths
+      endpoint = endpointForCredentialName(credential.name)
+      s3Client <- buildClient(endpoint, credential).toFox
       prefixes <- Fox.combined(paths.map(path => S3UriUtils.objectKeyFromUri(path.toRemoteUriUnsafe).toFox))
       keys: Seq[String] <- Fox.serialCombined(prefixes)(listKeysAtPrefix(s3Client, bucket, _)).map(_.flatten)
       uniqueKeys = keys.distinct
       _ = logger.info(s"Deleting ${uniqueKeys.length} objects from managed S3 bucket $bucket...")
+      before = Instant.now
       _ <- Fox.serialCombined(uniqueKeys.grouped(1000).toSeq)(deleteBatch(s3Client, bucket, _)).map(_ => ())
-      _ = logger.info(s"Successfully deleted ${uniqueKeys.length} objects from managed S3 bucket $bucket.")
+      _ = Instant.logSince(before,
+                           s"Successfully deleted ${uniqueKeys.length} objects from managed S3 bucket $bucket.",
+                           logger)
     } yield ()
 
   private def deleteBatch(s3Client: S3AsyncClient, bucket: String, keys: Seq[String])(
@@ -142,16 +172,4 @@ class ManagedS3Service @Inject()(dataStoreConfig: DataStoreConfig) extends FoxIm
     listRecursive(None, Seq())
   }
 
-  private lazy val globalCredentials = {
-    val res = dataStoreConfig.Datastore.DataVaults.credentials.flatMap { credentialConfig =>
-      new CredentialConfigReader(credentialConfig).getCredential
-    }
-    logger.info(s"Parsed ${res.length} global data vault credentials from datastore config.")
-    res
-  }
-
-  def pathIsInManagedS3(path: UPath): Boolean =
-    path.getScheme.contains(PathSchemes.schemeS3) && globalCredentials.exists(c =>
-      UPath.fromString(c.name).map(path.startsWith).getOrElse(false))
-
 }

webknossos-datastore/app/com/scalableminds/webknossos/datastore/services/uploading/UploadService.scala

@@ -537,7 +537,7 @@ class UploadService @Inject()(dataSourceService: DataSourceService,
       prefix: String
   ): Fox[Unit] =
     for {
-      transferManager <- managedS3Service.transferManagerBox.toFox ?~> "S3 upload is not properly configured, cannot get S3 client"
+      transferManager <- managedS3Service.s3UploadTransferManagerBox.toFox ?~> "S3 upload is not properly configured, cannot get S3 client"
       directoryUpload = transferManager.uploadDirectory(
         UploadDirectoryRequest.builder().bucket(bucketName).s3Prefix(prefix).source(dataDir).build()
       )

webknossos-datastore/app/com/scalableminds/webknossos/datastore/storage/DataVaultCredentials.scala

@@ -2,6 +2,7 @@ package com.scalableminds.webknossos.datastore.storage
 
 import com.scalableminds.util.tools.Fox
 import play.api.libs.json.{JsValue, Json, OFormat}
+import software.amazon.awssdk.auth.credentials.{AwsBasicCredentials, StaticCredentialsProvider}
 
 import scala.concurrent.ExecutionContext
 
@@ -39,6 +40,10 @@ case class S3AccessKeyCredential(name: String,
                                  organization: Option[String])
     extends DataVaultCredential {
   override def userId: Option[String] = user
+
+  def toCredentialsProvider: StaticCredentialsProvider = StaticCredentialsProvider.create(
+    AwsBasicCredentials.builder.accessKeyId(accessKeyId).secretAccessKey(secretAccessKey).build()
+  )
 }
 
 object S3AccessKeyCredential {

webknossos-datastore/app/com/scalableminds/webknossos/datastore/storage/DataVaultService.scala

@@ -16,7 +16,7 @@ import com.typesafe.scalalogging.LazyLogging
 import com.scalableminds.webknossos.datastore.dataformats.MagLocator
 import com.scalableminds.webknossos.datastore.helpers.{PathSchemes, UPath}
 import com.scalableminds.webknossos.datastore.models.datasource.{DataSourceId, LayerAttachment}
-import com.scalableminds.webknossos.datastore.services.DSRemoteWebknossosClient
+import com.scalableminds.webknossos.datastore.services.{DSRemoteWebknossosClient, ManagedS3Service}
 import play.api.libs.ws.WSClient
 
 import java.nio.file.Path
@@ -27,15 +27,16 @@ case class CredentializedUPath(upath: UPath, credential: Option[DataVaultCredent
 
 class DataVaultService @Inject()(ws: WSClient,
                                  config: DataStoreConfig,
-                                 remoteWebknossosClient: DSRemoteWebknossosClient)
+                                 remoteWebknossosClient: DSRemoteWebknossosClient,
+                                 managedS3Service: ManagedS3Service)
     extends LazyLogging
     with FoxImplicits {
 
   private val vaultCache: AlfuCache[CredentializedUPath, DataVault] =
     AlfuCache(maxCapacity = 100)
 
   def vaultPathFor(upath: UPath)(implicit ec: ExecutionContext): Fox[VaultPath] = {
-    val credentialOpt = findGlobalCredentialFor(Some(upath))
+    val credentialOpt = managedS3Service.findGlobalCredentialFor(Some(upath))
     vaultPathFor(CredentializedUPath(upath, credentialOpt))
   }
 
@@ -109,25 +110,14 @@ class DataVaultService @Inject()(ws: WSClient,
     resolveMagPath(magLocator, localDatasetDir, localLayerDir, layerName)
   }
 
-  private lazy val globalCredentials = {
-    val res = config.Datastore.DataVaults.credentials.flatMap { credentialConfig =>
-      new CredentialConfigReader(credentialConfig).getCredential
-    }
-    logger.info(s"Parsed ${res.length} global data vault credentials from datastore config.")
-    res
-  }
-
-  private def findGlobalCredentialFor(pathOpt: Option[UPath]): Option[DataVaultCredential] =
-    pathOpt.flatMap(path => globalCredentials.find(c => path.toString.startsWith(c.name)))
-
   private def credentialFor(magLocator: MagLocator)(implicit ec: ExecutionContext): Fox[DataVaultCredential] =
     magLocator.credentialId match {
       case Some(credentialId) =>
         remoteWebknossosClient.getCredential(credentialId)
       case None =>
         magLocator.credentials match {
           case Some(credential) => Fox.successful(credential)
-          case None             => findGlobalCredentialFor(magLocator.path).toFox
+          case None             => managedS3Service.findGlobalCredentialFor(magLocator.path).toFox
         }
     }
 
@@ -136,14 +126,14 @@ class DataVaultService @Inject()(ws: WSClient,
       case Some(credentialId) =>
         remoteWebknossosClient.getCredential(credentialId)
       case None =>
-        findGlobalCredentialFor(Some(attachment.path)).toFox
+        managedS3Service.findGlobalCredentialFor(Some(attachment.path)).toFox
     }
 
   def pathIsAllowedToAddDirectly(path: UPath): Boolean =
     if (path.isLocal)
       pathIsDataSourceLocal(path) || pathIsInLocalDirectoryWhitelist(path)
     else
-      !pathMatchesGlobalCredentials(path)
+      !managedS3Service.pathIsInManagedS3(path)
 
   private def pathIsDataSourceLocal(path: UPath): Boolean =
     path.isLocal && {
@@ -152,9 +142,6 @@ class DataVaultService @Inject()(ws: WSClient,
       !path.isAbsolute && inWorkingDir.startsWith(workingDir)
     }
 
-  private def pathMatchesGlobalCredentials(path: UPath): Boolean =
-    findGlobalCredentialFor(Some(path)).isDefined
-
   private def pathIsInLocalDirectoryWhitelist(path: UPath): Boolean =
     path.isLocal &&
       config.Datastore.localDirectoryWhitelist.exists(whitelistEntry => path.toString.startsWith(whitelistEntry))