Bug 1890843
Summary: | [rgw] Objects with S3 Object Lock (WORM) getting overwritten | ||
---|---|---|---|
Product: | [Red Hat Storage] Red Hat Ceph Storage | Reporter: | Deepu K S <dkochuka> |
Component: | RGW | Assignee: | Matt Benjamin (redhat) <mbenjamin> |
Status: | CLOSED ERRATA | QA Contact: | Tejas <tchandra> |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | ||
Version: | 4.1 | CC: | cbodley, ceph-eng-bugs, gsitlani, kbader, kdreyer, mbenjamin, mmuench, sweil, tchandra, tserlin, vereddy |
Target Milestone: | --- | ||
Target Release: | 5.0 | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | ceph-16.1.0-486.el8cp | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2021-08-30 08:26:54 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1797784 |
Description
Deepu K S
2020-10-23 03:34:31 UTC
Below are the test results done using aws client: ceph version 14.2.8-89.el8cp (9ab115d618c72e7d9227441ec25ceb1487c76fb8) nautilus (stable) [admin@admin-node object-lock-testing]$ ls -l total 84480 -rw-rw-r--. 1 admin admin 5242880 Sep 22 14:50 compliance-test-orig.dd -rw-rw-r--. 1 admin admin 52428800 Sep 22 14:49 compliance-test-replace.dd -rw-rw-r--. 1 admin admin 2621440 Sep 22 14:49 legal-test-orig.dd -rw-rw-r--. 1 admin admin 26214400 Sep 22 14:49 legal-test-replace.dd 1. Created a bucket with object lock enabled. [admin@admin-node object-lock-testing]$ aws --endpoint=http://rgw-node.test.example.com:8080 s3api create-bucket --bucket object-lock-test-bucket --object-lock-enabled-for-bucket [admin@admin-node object-lock-testing]$ aws --endpoint=http://rgw-node.test.example.com:8080 s3api list-buckets { "Buckets": [ { "Name": "object-lock-test-bucket", "CreationDate": "2020-09-22T19:04:15.130Z" } ], "Owner": { "DisplayName": "S3 Operator", "ID": "operator" } } 2. Setting up the Bucket Retention mode for the bucket. [admin@admin-node object-lock-testing]$ aws --endpoint=http://rgw-node.test.example.com:8080 s3api put-object-lock-configuration --bucket object-lock-test-bucket --object-lock-configuration '{ "ObjectLockEnabled": "Enabled", "Rule": { "DefaultRetention": { "Mode": "COMPLIANCE", "Days": 1 }}}' [admin@admin-node object-lock-testing]$ aws --endpoint=http://rgw-node.test.example.com:8080 s3api get-object-lock-configuration --bucket object-lock-test-bucket { "ObjectLockConfiguration": { "ObjectLockEnabled": "Enabled", "Rule": { "DefaultRetention": { "Mode": "COMPLIANCE", "Days": 1 } } } } 3. Put an object with Retention:COMPLIANCE mode and retention period of 1 day. [admin@admin-node object-lock-testing]$ aws --endpoint=http://rgw-node.test.example.com:8080 s3api put-object --bucket object-lock-test-bucket --object-lock-mode COMPLIANCE --object-lock-retain-until-date "2020-09-24" --key compliance-upload --body compliance-test-orig.dd { "ETag": "\"2b1dda510bdfe6612d0b894136ffd834\"", "VersionId": "OZme5xAU6wwXzp1Ons1NH1to4nrY38h" } [admin@admin-node object-lock-testing]$ s3cmd ls s3://object-lock-test-bucket/ 2020-09-22 19:09 5242880 s3://object-lock-test-bucket/compliance-upload 4. Replace the above object with another file and same key value as normal upload. [admin@admin-node object-lock-testing]$ aws --endpoint=http://rgw-node.test.example.com:8080 s3api put-object --bucket object-lock-test-bucket --key compliance-upload --body compliance-test-replace.dd { "ETag": "\"e895015ad1c474fbb8ed9d2f65a35ee1\"", "VersionId": "2nzrinZVaNmZcz6YPhgbvv.lm9VtIvI" } [admin@admin-node object-lock-testing]$ s3cmd ls s3://object-lock-test-bucket/ 2020-09-22 19:17 52428800 s3://object-lock-test-bucket/compliance-upload The object is getting overwritten. 5. Same test done with Legal hold enabled. Put an object with legal hold set on it. [admin@admin-node object-lock-testing]$ aws --endpoint=http://rgw-node.test.example.com:8080 s3api put-object --bucket object-lock-test-bucket --object-lock-legal-hold-status ON --key legal-upload --body legal-test-orig.dd { "ETag": "\"a3459175525a9779fe72fc044a26b2a8\"", "VersionId": "QYYK-aJEcNiKSBFMDZNnr.eiwzdNJX6" } [admin@admin-node object-lock-testing]$ s3cmd ls s3://object-lock-test-bucket/ 2020-09-22 19:17 52428800 s3://object-lock-test-bucket/compliance-upload 2020-09-22 19:18 2621440 s3://object-lock-test-bucket/legal-upload 6. Replace it with a normal object. [admin@admin-node object-lock-testing]$ aws --endpoint=http://rgw-node.test.example.com:8080 s3api put-object --bucket object-lock-test-bucket --key legal-upload --body legal-test-replace.dd { "ETag": "\"9bc00415cabaa61a82a01cc303cde0bd\"", "VersionId": "mzvTqizgy474DOt73Ml2QFJ8MJ-pBNH" } [admin@admin-node object-lock-testing]$ s3cmd ls s3://object-lock-test-bucket/ 2020-09-22 19:17 52428800 s3://object-lock-test-bucket/compliance-upload 2020-09-22 19:19 26214400 s3://object-lock-test-bucket/legal-upload The file is seen as overwritten. [admin@admin-node object-lock-testing]$ aws --endpoint=http://rgw-node.test.example.com:8080 s3api list-objects --bucket object-lock-test-bucket { "Contents": [ { "Key": "compliance-upload", "LastModified": "2020-09-22T19:17:33.323Z", "ETag": "\"e895015ad1c474fbb8ed9d2f65a35ee1\"", "Size": 52428800, "StorageClass": "STANDARD", "Owner": { "DisplayName": "S3 Operator", "ID": "operator" } }, { "Key": "legal-upload", "LastModified": "2020-09-22T19:19:49.903Z", "ETag": "\"9bc00415cabaa61a82a01cc303cde0bd\"", "Size": 26214400, "StorageClass": "STANDARD", "Owner": { "DisplayName": "S3 Operator", "ID": "operator" } } ] } 7. The objects gets overwritten and can be deleted even with other clients such as s3cmd or aws s3api. In my case, I was able to delete even the first version of the object. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Red Hat Ceph Storage 5.0 bug fix and enhancement), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:3294 |