squid: rgw: user accounts implementation #56863

Merged: 168 commits merged into ceph:squid from wip-65467-squid on Apr 15, 2024

Conversation

cbodley
Contributor

@cbodley cbodley commented Apr 12, 2024

backport tracker: https://tracker.ceph.com/issues/65467

backport of #54333
parent tracker: https://tracker.ceph.com/issues/65466

this backport was staged using ceph-backport.sh version 16.0.0.6848
find the latest version at https://github.com/ceph/ceph/blob/main/src/script/ceph-backport.sh

@cbodley
Contributor Author

cbodley commented Apr 12, 2024

src/test/rgw/test_d4n_filter.cc:1169:54: error: no matching function for call to ‘rgw::sal::Object::copy_object(std::unique_ptr<rgw::sal::User>::pointer, req_info*, rgw_zone_id&, std::unique_ptr<rgw::sal::Object>::pointer, std::unique_ptr<rgw::sal::Bucket>::pointer, std::unique_ptr<rgw::sal::Bucket>::pointer, rgw_placement_rule&, ceph::real_time*, ceph::real_time*, ceph::real_time*, ceph::real_time*, bool, char*, char*, rgw::sal::AttrsMod&, bool, rgw::sal::Attrs&, RGWObjCategory&, uint64_t&, ceph::real_time&, NULL, std::string*, std::string*, NULL, NULL, const DoutPrefixProvider*&, const optional_yield::empty_t&)’
 1169 |   EXPECT_EQ(testObject_PrepareCopyObject->copy_object(testUser.get(),
      |             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~

make sure that tv_usec=41000 gets rendered as '.041Z' instead of '.41Z'

Fixes: https://tracker.ceph.com/issues/64381

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit efb2a91)
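The rendering bug named in the commit above is a zero-padding error: 41000 microseconds is 41 milliseconds, and a millisecond field written without a fixed three-digit width comes out as `.41Z`, which a consumer reads as 410 ms. The function below is an added illustration, not ceph's code; `format_iso8601_ms` and `format_iso8601_ms_buggy` are names chosen here, and the inputs are constructed `tv_sec`/`tv_usec` pairs.

```cpp
#include <cstdio>
#include <ctime>
#include <string>

// Added example (not from ceph): render a (tv_sec, tv_usec) pair as an
// ISO 8601 UTC timestamp with millisecond precision, e.g.
// 1970-01-01T00:00:00.041Z for tv_sec=0, tv_usec=41000.
static std::string date_part(std::time_t tv_sec) {
  std::tm tm{};
  gmtime_r(&tv_sec, &tm);  // POSIX; tv_sec interpreted as seconds since the epoch, UTC
  char date[32];
  std::strftime(date, sizeof date, "%Y-%m-%dT%H:%M:%S", &tm);
  return std::string(date);
}

// Correct form: the millisecond count is zero-padded to exactly three
// digits, so 41 ms renders as ".041", 7 ms as ".007", 0 ms as ".000".
std::string format_iso8601_ms(std::time_t tv_sec, long tv_usec) {
  char frac[8];
  std::snprintf(frac, sizeof frac, ".%03ldZ", tv_usec / 1000);
  return date_part(tv_sec) + frac;
}

// Defective form, kept for comparison: "%ld" has no minimum width, so the
// leading zeros of the millisecond field are dropped and 41 ms becomes
// ".41Z", i.e. a different instant once parsed.
std::string format_iso8601_ms_buggy(std::time_t tv_sec, long tv_usec) {
  char frac[8];
  std::snprintf(frac, sizeof frac, ".%ldZ", tv_usec / 1000);
  return date_part(tv_sec) + frac;
}
```

A regression test for this class of bug should exercise sub-100 ms values (leading zeros) as well as the 0 and 999 ms boundaries, since a round-number test input such as 500000 µs passes with either formatter.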
all identities can return a tenant. rgw ops should consult the auth
identity for this instead of a rgw_user or rgw::sal::User

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit d82ff16)
Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 4b8cea0)
for a common location that applies to all rest handlers that implement
authorize()

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 9989a86)
initialize RGWAccessControlPolicy with ACLOwners from the auth identity

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit a2b41a2)
`ACLOwner` contains both the user id and display name. the bucket index
needs both values for:
```
struct rgw_bucket_dir_entry_meta {
  ...
  std::string owner;
  std::string owner_display_name;
```
`RGWRados::Bucket::UpdateIndex::complete()` relied on the parsing of
`RGW_ATTR_ACL` to get those values. but object write operations already
had that information earlier in the call stack, so we might as well pass
them in directly

for other operations like the copy/rewrite/transition of existing objects,
we decode the owner from the source object's `RGW_ATTR_ACL`

the existing `owner` param was confusing, as it represented the bucket
owner for quota stats updates. this gets renamed to `bucket_owner` inside
of `RGWRados`, and hidden from the outside. bucket stats are attributed to
`RGWBucketInfo::owner`, not the `ACLOwner`, so we use that instead of
`s->bucket_owner`

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 1d29b70)

Conflicts:
	src/test/rgw/test_d4n_filter.cc removed on main
Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit cac6066)
Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit f678c78)
initial design and prototype by Abhishek

Signed-off-by: Abhishek Lekshmanan <abhishek@suse.com>
Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 59bbd65)
Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 3f1cd1b)
Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 91a5885)
Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 6c834d6)
Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 07d5ed9)
Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit cce372d)
Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit e69ce01)
existing buckets and objects use `struct rgw_user` for the owner. with
the addition of accounts, we need to be able to represent ownership by
the account rather than its users

add a `rgw_owner` variant that preserves the existing json encoding of
`rgw_user` while adding a new representation for account ids

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 87a74f8)
ACL grants can now specify an account id for the CanonicalUser to
grant access to the entire account. this is implemented only for
LocalApplier

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 1698784)
is_owner_of() and is_admin_of() take rgw_owner instead of rgw_user so
that identities associated with an account share ownership of that
account's resources

LocalApplier is the only Identity type that supports accounts, based on
comparison with RGWUserInfo::account_id

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit a1c675d)
use rgw_owner instead of rgw_user as a key in the quota cache stats.
only fetch_stats_from_storage() and init_refresh() need to differentiate
between user and account ids

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit f1835cd)
Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 9b6fe4a)
Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit a75c3ac)
Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit ba2566a)
Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 3ef1ab3)
move the persistent queue removal into remove_topic() where we have
access to the topic metadata. avoid trying to remove the queue if it
isn't enabled

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 4c50ad6)
Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 4bac81a)
Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit bfae83c)
Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 64ac1de)
Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 63e164f)
a bucket's notification configuration may refer to topics from several
different tenants or accounts. when publishing to a given topic, look in
the correct namespace for each topic instead of defaulting to the
requesting user's tenant namespace

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 3a5af5f)
Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 43ca67b)
Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 24841fb)
new sns test cases are using this for topic names, but the '.' is not
allowed there:

> api_params = {'Name': 'test-client.0-n3bdgre5el2jk8v-606'}
> botocore.exceptions.ClientError: An error occurred (InvalidArgument) when calling the CreateTopic operation: Name must be made up of only uppercase and lowercase ASCII letters, numbers, underscores, and hyphens

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 39a2af5)
…pics

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 4007284)
@cbodley
Contributor Author

cbodley commented Apr 15, 2024

passed qa in https://pulpito.ceph.com/cbodley-2024-04-12_23:23:14-rgw-wip-65467-squid-distro-default-smithi with rerun https://pulpito.ceph.com/cbodley-2024-04-15_03:19:26-rgw-wip-65467-squid-distro-default-smithi/

2 notification jobs passed but "test_others" is consistently failing with the crash in https://tracker.ceph.com/issues/65337

multisite tests failing as usual. new test test_account_metadata_sync failed due to meta checkpoint timeout, but passes locally on this branch. squid still needs multisite fix from #56822

@cbodley
Contributor Author

cbodley commented Apr 15, 2024

this ran against ceph/s3-tests#537. i verified that the new test cases from test_iam.py and test_sns.py ran and passed 👍

@cbodley cbodley merged commit 461a84e into ceph:squid Apr 15, 2024
10 checks passed
@cbodley cbodley deleted the wip-65467-squid branch April 15, 2024 22:32