rgw/lua: allow access to object data

[yuvalif]

Signed-off-by: Yuval Lifshitz ylifshit@redhat.com

testing

• using vstart cluster: MON=1 OSD=1 MDS=0 MGR=0 RGW=1 ../src/vstart.sh -n -d
• sample script (data.lua):

RGWDebugLog("Data[0]="..tostring(Data[0]))
RGWDebugLog("Data[-1]="..tostring(Data[-1]))
RGWDebugLog("Data[99]="..tostring(Data[99]))
RGWDebugLog("Data[1]="..tostring(Data[1]))
RGWDebugLog("Data[8]="..tostring(Data[8]))
RGWDebugLog("Data[9]="..tostring(Data[9]))
RGWDebugLog("#Data"..tostring(#Data))

RGWDebugLog("ipairs");
for i, v in ipairs(Data) do
  RGWDebugLog("Data["..tostring(i).."]="..v)
end

RGWDebugLog("pairs");
for i, v in pairs(Data) do
  RGWDebugLog("Data["..tostring(i).."]="..v)
end

• upload script: bin/radosgw-admin script put --infile=./data.lua --context=putData
• local file to upload (data.txt):

ABCDEFG

• create bucket, then upload and download an object:

aws --endpoint-url http://localhost:8000 s3 mb s3://kaboom
aws --endpoint-url http://localhost:8000 s3 cp data.txt s3://kaboom
aws --endpoint-url http://localhost:8000 s3 cp s3://kaboom/data.txt .

Contribution Guidelines

• To sign and title your commits, please refer to Submitting Patches to Ceph.

• If you are submitting a fix for a stable branch (e.g. "pacific"), please refer to Submitting Patches to Ceph - Backports for the proper workflow.

Checklist

• Tracker (select at least one)
  • References tracker ticket
  • Very recent bug; references commit where it was introduced
  • New feature (ticket optional)
  • Doc update (no ticket needed)
  • Code cleanup (no ticket needed)
• Component impact
  • Affects Dashboard, opened tracker ticket
  • Affects Orchestrator, opened tracker ticket
  • No impact that needs to be tracked
• Documentation (select at least one)
  • Updates relevant documentation
  • No doc update is appropriate
• Tests (select at least one)
  • Includes unit test(s)
  • Includes integration test(s)
  • Includes bug reproducer
  • No tests

Show available Jenkins commands

• jenkins retest this please
• jenkins test classic perf
• jenkins test crimson perf
• jenkins test signed
• jenkins test make check
• jenkins test make check arm64
• jenkins test submodules
• jenkins test dashboard
• jenkins test dashboard cephadm
• jenkins test api
• jenkins test docs
• jenkins render docs
• jenkins test ceph-volume all
• jenkins test ceph-volume tox
• jenkins test windows

[github-actions]

This pull request can no longer be automatically merged: a rebase is needed and changes have to be manually resolved

[yuvalif]

comments from RGW refactoring call:

• split to 2 contexts (putData and getData)
• add a parameter to block the request from the lua script
• no need to pass offset and length into lua

[anthonyeleven]

First bit of line 322 isn’t a sentence. Suggest

“the request’s trace, and takes two arguments.”

Also if `key` is in backticks, shouldn’t `value` be as well?

Maybe clarify if “number” means an integer, a real, or either?

[anthonyeleven]

Hate to quibble, but I think you added "of" instead of "or"

[yuvalif]

jenkins test make check

[cbodley]

don't we want to add this lua filter last so its data isn't transformed by compression or encryption? have you tested these combinations?

[yuvalif]

running lua on compressed and encrypted data won't be useful.
this is why i added it first in the "put" case.
if someone wants to encrypt or compress the after lua read it, there should not be any limitation.

anyway, will test to see that it works, and update the documentation accordingly

[cbodley]

running lua on compressed and encrypted data won't be useful.
this is why i added it first in the "put" case.

right, i just think you have it backwards. this code is adding wrapper filters around the object processor, so the filter added last is the one on the outside, so it sees the data first

[yuvalif]

what about the "get" case:
https://github.com/ceph/ceph/pull/46550/files#diff-319900fb50bdb02677039fb81949243b9c0e7d98690f6fddf35e6ca5d5d52b2cR2308 ?
here i added the lua filter last, should i switch it to be first (so it runs last)?

[cbodley]

the "get" case looks correct as-is. there we're wrapping filters around send_response_data(). you're adding the lua filter before decompress/decrypt filters, so your lua filter should see the data in plain-text. it's still worth testing to confirm

[yuvalif]

the "get" case was reading the compressed data.
i moved it to be first in 3ca1a48
so it is executed last

[cbodley]

it's probably worth noting that these scripts only see one chunk of data per execution, right?

[anthonyeleven]

You may then locate specific traces by using this attribute.

[anthonyeleven]

The function accepts one or two arguments: A string

[anthonyeleven]

s/has/have/
s/read only/read-only/

[anthonyeleven]

Docs lgtm, a couple of small requests but not enough to block approval.

[anthonyeleven]

Lua capitalized?

[anthonyeleven]

Period at the end?

[anthonyeleven]

I'm curious, how is this entropy value useful?

[yuvalif]

could be used to detect encryption of objects. added this to the doc

[anthonyeleven]

There's a second s/lua/Lua/ on this line :)

[yuvalif]

fixed (together with some more lower case "lau") - hope this is the last round :-)

[yuvalif]

jenkins test api

[yuvalif]

jenkins test make check

[yuvalif]

http://pulpito.front.sepia.ceph.com/yuvalif-2022-08-07_13:01:20-rgw:verify-wip-yuval-lua-filter-distro-default-smithi/
teuthology is passing with valgrind issue

• out of 24 failures, 22 are valgrind (the known boost/asio ones)
• one failure is "reached maximum tries (90) after waiting for 540 seconds"
• one failure is an selinux check: "SELinux denials found on ubuntu@smithi117.front.sepia.ceph.com"

[cbodley]

@yuvalif please run the full rgw suite with --subset ~1/3, there are important regression tests in the other subsuites!

[yuvalif]

@yuvalif please run the full rgw suite with --subset ~1/3, there are important regression tests in the other subsuites!

i ran with:
teuthology-suite --ceph-repo https://github.com/ceph/ceph-ci.git --subset 1/3 -p 75 -s rgw --ceph wip-yuval-lua-filter -m smithi
it is running 58 jobs, is this enough?

[yuvalif]

teuthology results: http://pulpito.front.sepia.ceph.com/yuvalif-2022-08-14_16:15:18-rgw-wip-yuval-lua-filter-distro-default-smithi/

• valgrind issues
• "Cannot create secret" failure
• "multisite" is failing mostly on AssertionError: failed meta checkpoint for zone=test-zone2
  • one failure on rgw_multi.tests.test_bucket_cors
  • see: http://qa-proxy.ceph.com/teuthology/yuvalif-2022-08-14_16:15:18-rgw-wip-yuval-lua-filter-distro-default-smithi/6972376/teuthology.log
• LC failure in: http://qa-proxy.ceph.com/teuthology/yuvalif-2022-08-14_16:15:18-rgw-wip-yuval-lua-filter-distro-default-smithi/6972370/teuthology.log
• LC failure in: http://qa-proxy.ceph.com/teuthology/yuvalif-2022-08-14_16:15:18-rgw-wip-yuval-lua-filter-distro-default-smithi/6972374/teuthology.log
• tempest failing in: http://qa-proxy.ceph.com/teuthology/yuvalif-2022-08-14_16:15:18-rgw-wip-yuval-lua-filter-distro-default-smithi/6972380/teuthology.log
• "max retries" failure in: http://qa-proxy.ceph.com/teuthology/yuvalif-2022-08-14_16:15:18-rgw-wip-yuval-lua-filter-distro-default-smithi/6972425/teuthology.log

[cbodley]

this broke the build on main. it looks like a conflict with a1e21d0 which changed the signature of read_script()

[cbodley]

it's not clear how we're supposed to get that LuaManager all the way into RGWGetObj/PutObj. in the meantime, i prepared a revert at #47612