rgw: check for valid bucket/objects while initializing perms #48491
Conversation
|
@theanalyst this looks like something we'll want to backport, could you please open a tracker issue? |
|
src/rgw/rgw_op.cc
Outdated
| if (op->get_type() != RGW_OP_CREATE_BUCKET && | ||
| rgw::sal::Bucket::empty(s->bucket)) { | ||
| return -ERR_NO_SUCH_BUCKET; |
There was a problem hiding this comment.
all of the verify jobs in https://pulpito.ceph.com/cbodley-2022-10-18_16:36:54-rgw-wip-cbodley-testing-distro-default-smithi/ failed during run-reshard.sh:
2022-10-18T17:57:56.641 INFO:tasks.workunit.client.0.smithi037.stderr:botocore.errorfactory.NoSuchBucket: An error occurred (NoSuchBucket) when calling the ListBuckets operation: Unknown
i think we need to filter out RGW_OP_LIST_BUCKETS here too
There was a problem hiding this comment.
Valid point, I'll rework this!
There was a problem hiding this comment.
could you please do some testing against some /admin APIs too? there's a new examples/rgw_admin_curl.sh script that helps send these requests
There was a problem hiding this comment.
This is helpful, I think I need to filter out all ops that use the service endpoint and don't need a bucket at all. I'll try this and update
theanalyst
force-pushed
the
rgw-bucket-fixes
branch
from
f9a9b1a
to
527a01e
Compare
src/rgw/rgw_op.cc
Outdated
| // TODO: Ideally this should be RGWOp const *, but get_type() isn't | ||
| // const marked | ||
| static bool rgw_is_service_op(RGWOp* op) |
There was a problem hiding this comment.
how about is_service_op(RGWOpType op)?
There was a problem hiding this comment.
sure much better actually
|
"ceph API tests" is showing some rgw failures that look related |
|
probably, but i don't know how. if all else fails, you're welcome to push temporary commits and debug through jenkins |
theanalyst
force-pushed
the
rgw-bucket-fixes
branch
from
527a01e
to
27dbf89
Compare
|
I changed the approach to only deny on particular object requests for now, since it looks like there are at least a few ops in the admin/roles etc that don't expect a bucket. |
Since we use these objects later on, check that they're valid before proceeding, we also translate a 404 into 403 in case they ask for invalid bucket names Signed-off-by: Abhishek Lekshmanan <abhishek.l@cern.ch>
theanalyst
force-pushed
the
rgw-bucket-fixes
branch
from
27dbf89
to
39eb2d3
Compare
|
can you help me understand how we get into these object ops with empty buckets? another issue related to these |
|
is it still possible to reproduce this one after the merge of #49141? |
|
Can we close this one? |
|
@dang , @cbodley , @theanalyst : I failed to notice discussion was still underway when I ran QA on this. I leave the decision to merge to y'all. I'm adding a DNM until you resolve. |
I should have added you, @adamemerson , to the above. Sorry! |
|
Closing this one, the Swift POST forms PR is already merged |
Since we use these objects later on, check that they're valid before proceeding
Contribution Guidelines
To sign and title your commits, please refer to Submitting Patches to Ceph.
If you are submitting a fix for a stable branch (e.g. "pacific"), please refer to Submitting Patches to Ceph - Backports for the proper workflow.
Checklist
Show available Jenkins commands
jenkins retest this pleasejenkins test classic perfjenkins test crimson perfjenkins test signedjenkins test make checkjenkins test make check arm64jenkins test submodulesjenkins test dashboardjenkins test dashboard cephadmjenkins test apijenkins test docsjenkins render docsjenkins test ceph-volume alljenkins test ceph-volume toxjenkins test windows