fix: pin readTS in resolveAuth and clarify S3_CREDENTIALS_FILE help text

Copilot · bootjp · web-flow · commit d60d4be1f2a6 · 2026-04-01T14:51:43.000Z
Agent-Logs-Url: https://github.com/bootjp/elastickv/sessions/e9348f84-723b-4073-aea0-e3e35d47f3d4 Co-authored-by: bootjp <1306365+bootjp@users.noreply.github.com>
diff --git a/adapter/s3.go b/adapter/s3.go
@@ -372,7 +372,11 @@ func (s *S3Server) resolveAuth(r *http.Request, bucket string) *s3AuthError {
 	}
 	// Check if the bucket is public-read and the request is read-only.
 	if isReadOnlyS3Request(r) {
-		meta, _, err := s.loadBucketMetaAt(r.Context(), bucket, s.readTS())
+		readTS := s.readTS()
+		readPin := s.pinReadTS(readTS)
+		defer readPin.Release()
+
+		meta, _, err := s.loadBucketMetaAt(r.Context(), bucket, readTS)
 		if err == nil && isPublicReadBucket(meta) {
 			return nil
 		}
diff --git a/scripts/rolling-update.sh b/scripts/rolling-update.sh
@@ -35,6 +35,9 @@ Optional environment:
   S3_PORT
   S3_REGION
   S3_CREDENTIALS_FILE
+    Path to an S3 credentials file on each target host. This file must already
+    exist and be readable on every remote node; it will be bind-mounted into
+    the container at the same path.
   S3_PATH_STYLE_ONLY
   HEALTH_TIMEOUT_SECONDS
   LEADERSHIP_TRANSFER_TIMEOUT_SECONDS

Original file line number	Diff line number	Diff line change
`@@ -372,7 +372,11 @@ func (s S3Server) resolveAuth(r http.Request, bucket string) *s3AuthError {`
`372`	`372`	`}`
`373`	`373`	`// Check if the bucket is public-read and the request is read-only.`
`374`	`374`	`if isReadOnlyS3Request(r) {`
`375`		`- meta, _, err := s.loadBucketMetaAt(r.Context(), bucket, s.readTS())`
	`375`	`+ readTS := s.readTS()`
	`376`	`+ readPin := s.pinReadTS(readTS)`
	`377`	`+ defer readPin.Release()`
	`378`	`+`
	`379`	`+ meta, _, err := s.loadBucketMetaAt(r.Context(), bucket, readTS)`
`376`	`380`	`if err == nil && isPublicReadBucket(meta) {`
`377`	`381`	`return nil`
`378`	`382`	`}`