New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
rgw: check for valid bucket/objects while initializing perms #48491
Conversation
@theanalyst this looks like something we'll want to backport, could you please open a tracker issue? |
|
src/rgw/rgw_op.cc
Outdated
if (op->get_type() != RGW_OP_CREATE_BUCKET && | ||
rgw::sal::Bucket::empty(s->bucket)) { | ||
return -ERR_NO_SUCH_BUCKET; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
all of the verify jobs in https://pulpito.ceph.com/cbodley-2022-10-18_16:36:54-rgw-wip-cbodley-testing-distro-default-smithi/ failed during run-reshard.sh:
2022-10-18T17:57:56.641 INFO:tasks.workunit.client.0.smithi037.stderr:botocore.errorfactory.NoSuchBucket: An error occurred (NoSuchBucket) when calling the ListBuckets operation: Unknown
i think we need to filter out RGW_OP_LIST_BUCKETS
here too
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Valid point, I'll rework this!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could you please do some testing against some /admin APIs too? there's a new examples/rgw_admin_curl.sh script that helps send these requests
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is helpful, I think I need to filter out all ops that use the service endpoint and don't need a bucket at all. I'll try this and update
f9a9b1a
to
527a01e
Compare
src/rgw/rgw_op.cc
Outdated
// TODO: Ideally this should be RGWOp const *, but get_type() isn't | ||
// const marked | ||
static bool rgw_is_service_op(RGWOp* op) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
how about is_service_op(RGWOpType op)
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sure much better actually
"ceph API tests" is showing some rgw failures that look related |
|
probably, but i don't know how. if all else fails, you're welcome to push temporary commits and debug through jenkins |
527a01e
to
27dbf89
Compare
I changed the approach to only deny on particular object requests for now, since it looks like there are at least a few ops in the admin/roles etc that don't expect a bucket. |
Since we use these objects later on, check that they're valid before proceeding, we also translate a 404 into 403 in case they ask for invalid bucket names Signed-off-by: Abhishek Lekshmanan <abhishek.l@cern.ch>
27dbf89
to
39eb2d3
Compare
can you help me understand how we get into these object ops with empty buckets? another issue related to these |
is it still possible to reproduce this one after the merge of #49141? |
Can we close this one? |
@dang , @cbodley , @theanalyst : I failed to notice discussion was still underway when I ran QA on this. I leave the decision to merge to y'all. I'm adding a DNM until you resolve. |
I should have added you, @adamemerson , to the above. Sorry! |
Closing this one, the Swift POST forms PR is already merged |
Since we use these objects later on, check that they're valid before proceeding
Contribution Guidelines
To sign and title your commits, please refer to Submitting Patches to Ceph.
If you are submitting a fix for a stable branch (e.g. "pacific"), please refer to Submitting Patches to Ceph - Backports for the proper workflow.
Checklist
Show available Jenkins commands
jenkins retest this please
jenkins test classic perf
jenkins test crimson perf
jenkins test signed
jenkins test make check
jenkins test make check arm64
jenkins test submodules
jenkins test dashboard
jenkins test dashboard cephadm
jenkins test api
jenkins test docs
jenkins render docs
jenkins test ceph-volume all
jenkins test ceph-volume tox
jenkins test windows