squid: rgw: user accounts implementation #56863
make sure that tv_usec=41000 gets rendered as '.041Z' instead of '.41Z'

Fixes: https://tracker.ceph.com/issues/64381
Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit efb2a91)
all identities can return a tenant. rgw ops should consult the auth identity for this instead of an rgw_user or rgw::sal::User

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit d82ff16)
Signed-off-by: Casey Bodley <cbodley@redhat.com> (cherry picked from commit 4b8cea0)
for a common location that applies to all rest handlers that implement authorize()

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 9989a86)
initialize RGWAccessControlPolicy with ACLOwners from the auth identity

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit a2b41a2)
`ACLOwner` contains both the user id and display name. the bucket index needs both values for:

```
struct rgw_bucket_dir_entry_meta {
  ...
  std::string owner;
  std::string owner_display_name;
};
```

`RGWRados::Bucket::UpdateIndex::complete()` relied on the parsing of `RGW_ATTR_ACL` to get those values. but object write operations already had that information earlier in the call stack, so we might as well pass them in directly. for other operations like the copy/rewrite/transition of existing objects, we decode the owner from the source object's `RGW_ATTR_ACL`.

the existing `owner` param was confusing, as it represented the bucket owner for quota stats updates. this gets renamed to `bucket_owner` inside of `RGWRados`, and hidden from the outside.

bucket stats are attributed to `RGWBucketInfo::owner`, not the `ACLOwner`, so we use that instead of `s->bucket_owner`

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 1d29b70)

Conflicts:
	src/test/rgw/test_d4n_filter.cc removed on main
Signed-off-by: Casey Bodley <cbodley@redhat.com> (cherry picked from commit cac6066)
Signed-off-by: Casey Bodley <cbodley@redhat.com> (cherry picked from commit f678c78)
initial design and prototype by Abhishek

Signed-off-by: Abhishek Lekshmanan <abhishek@suse.com>
Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 59bbd65)
Signed-off-by: Casey Bodley <cbodley@redhat.com> (cherry picked from commit 3f1cd1b)
Signed-off-by: Casey Bodley <cbodley@redhat.com> (cherry picked from commit 91a5885)
Signed-off-by: Casey Bodley <cbodley@redhat.com> (cherry picked from commit 6c834d6)
Signed-off-by: Casey Bodley <cbodley@redhat.com> (cherry picked from commit 07d5ed9)
Signed-off-by: Casey Bodley <cbodley@redhat.com> (cherry picked from commit cce372d)
Signed-off-by: Casey Bodley <cbodley@redhat.com> (cherry picked from commit e69ce01)
existing buckets and objects use `struct rgw_user` for the owner. with the addition of accounts, we need to be able to represent ownership by the account rather than its users.

add a `rgw_owner` variant that preserves the existing json encoding of `rgw_user` while adding a new representation for account ids

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 87a74f8)
ACL grants can now specify an account id for the CanonicalUser to grant access to the entire account. this is implemented only for LocalApplier

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 1698784)
is_owner_of() and is_admin_of() take rgw_owner instead of rgw_user so that identities associated with an account share ownership of that account's resources.

LocalApplier is the only Identity type that supports accounts, based on comparison with RGWUserInfo::account_id

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit a1c675d)
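The `rgw_owner` variant from the two commits above (one string encoding that keeps the legacy `rgw_user` form while adding account ids) together with an account-aware `is_owner_of()`, as an added C++ sketch that is not Ceph's code: the `tenant$user` separator, the `RGW` plus 17 digits account id shape and the `Identity` struct are assumptions made for this example.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <string_view>
#include <variant>

struct rgw_user {
  std::string tenant;
  std::string id;
  bool operator==(const rgw_user& o) const { return tenant == o.tenant && id == o.id; }
  // legacy string encoding (assumed here): "tenant$id", or just "id" without a tenant
  std::string to_str() const { return tenant.empty() ? id : tenant + '$' + id; }
};

struct rgw_account_id { std::string id; };
using rgw_owner = std::variant<rgw_user, rgw_account_id>;  // a single user or a whole account

// assumed account id shape for this example: "RGW" followed by exactly 17 digits.
// checking the shape first keeps every legacy rgw_user string parsing as before.
inline bool looks_like_account_id(std::string_view s) {
  return s.size() == 20 && s.substr(0, 3) == "RGW" &&
         std::all_of(s.begin() + 3, s.end(), [](unsigned char c) { return std::isdigit(c) != 0; });
}

inline std::string encode_owner(const rgw_owner& owner) {
  if (const auto* u = std::get_if<rgw_user>(&owner)) return u->to_str();
  return std::get<rgw_account_id>(owner).id;
}

inline rgw_owner parse_owner(std::string_view s) {
  if (looks_like_account_id(s)) return rgw_account_id{std::string(s)};
  rgw_user u;
  if (auto pos = s.find('$'); pos != std::string_view::npos) {
    u.tenant = std::string(s.substr(0, pos));
    u.id = std::string(s.substr(pos + 1));
  } else {
    u.id = std::string(s);
  }
  return u;
}

// the caller as seen by the authorizer: its user id plus its account id ("" when it has none)
struct Identity { rgw_user user; std::string account_id; };

// an identity owns a user-owned resource only as that exact user, and an
// account-owned resource only through membership in that account
inline bool is_owner_of(const Identity& me, const rgw_owner& owner) {
  if (const auto* u = std::get_if<rgw_user>(&owner)) return *u == me.user;
  return !me.account_id.empty() && std::get<rgw_account_id>(owner).id == me.account_id;
}
```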
use rgw_owner instead of rgw_user as a key in the quota cache stats. only fetch_stats_from_storage() and init_refresh() need to differentiate between user and account ids

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit f1835cd)
Signed-off-by: Casey Bodley <cbodley@redhat.com> (cherry picked from commit 9b6fe4a)
Signed-off-by: Casey Bodley <cbodley@redhat.com> (cherry picked from commit a75c3ac)
Signed-off-by: Casey Bodley <cbodley@redhat.com> (cherry picked from commit ba2566a)
Signed-off-by: Casey Bodley <cbodley@redhat.com> (cherry picked from commit 3ef1ab3)
move the persistent queue removal into remove_topic() where we have access to the topic metadata. avoid trying to remove the queue if it isn't enabled

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 4c50ad6)
Signed-off-by: Casey Bodley <cbodley@redhat.com> (cherry picked from commit 4bac81a)
Signed-off-by: Casey Bodley <cbodley@redhat.com> (cherry picked from commit bfae83c)
Signed-off-by: Casey Bodley <cbodley@redhat.com> (cherry picked from commit 64ac1de)
Signed-off-by: Casey Bodley <cbodley@redhat.com> (cherry picked from commit 63e164f)
a bucket's notification configuration may refer to topics from several different tenants or accounts. when publishing to a given topic, look in the correct namespace for each topic instead of defaulting to the requesting user's tenant namespace

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 3a5af5f)
Signed-off-by: Casey Bodley <cbodley@redhat.com> (cherry picked from commit 43ca67b)
Signed-off-by: Casey Bodley <cbodley@redhat.com> (cherry picked from commit 24841fb)
new sns test cases are using this for topic names, but the '.' is not allowed there:

> api_params = {'Name': 'test-client.0-n3bdgre5el2jk8v-606'}
> botocore.exceptions.ClientError: An error occurred (InvalidArgument) when calling the CreateTopic operation: Name must be made up of only uppercase and lowercase ASCII letters, numbers, underscores, and hyphens

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 39a2af5)
…pics Signed-off-by: Casey Bodley <cbodley@redhat.com> (cherry picked from commit 4007284)
passed qa in https://pulpito.ceph.com/cbodley-2024-04-12_23:23:14-rgw-wip-65467-squid-distro-default-smithi with rerun https://pulpito.ceph.com/cbodley-2024-04-15_03:19:26-rgw-wip-65467-squid-distro-default-smithi/

2 notification jobs passed but "test_others" is consistently failing with the crash in https://tracker.ceph.com/issues/65337

multisite tests failing as usual. new test test_account_metadata_sync failed due to meta checkpoint timeout, but passes locally on this branch. squid still needs multisite fix from #56822
this ran against ceph/s3-tests#537. i verified that the new test cases from test_iam.py and test_sns.py ran and passed 👍
backport tracker: https://tracker.ceph.com/issues/65467
backport of #54333
parent tracker: https://tracker.ceph.com/issues/65466
this backport was staged using ceph-backport.sh version 16.0.0.6848
find the latest version at https://github.com/ceph/ceph/blob/main/src/script/ceph-backport.sh