Bug 2238814
| Summary: | [RFE][RGW][Notifications]: support cross tenant topic management to allow put bucket notifications from other tenant users | ||
|---|---|---|---|
| Product: | [Red Hat Storage] Red Hat Ceph Storage | Reporter: | Hemanth Sai <hmaheswa> |
| Component: | RGW | Assignee: | Ali Masarwa <Ali.Masarwa> |
| Status: | VERIFIED --- | QA Contact: | Manisha <mreddem> |
| Severity: | medium | Docs Contact: | Rivka Pollack <rpollack> |
| Priority: | unspecified | ||
| Version: | 7.0 | CC: | ceph-eng-bugs, cephqe-warriors, mreddem, rpollack, tserlin, ylifshit |
| Target Milestone: | --- | Keywords: | FutureFeature |
| Target Release: | 8.1 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ceph-19.2.1-3.el9cp | Doc Type: | Enhancement |
| Doc Text: |
.New support for PUT bucket notifications from other tenant users
With this enhancement, there is added support for cross tenant topic management, allowing PUT bucket notifications from other tenant users. Cross tenant management includes creating, deleting, and modifying topic management.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | Bug | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2351689 | ||
this is also tracked upstream: https://tracker.ceph.com/issues/62783 fixing that should allow: * full topic management across tenants: modify/get/remove * usign topic in notifications of another tenants Merged PR to upstream |
Description of problem: [RFE][RGW]: support cross tenant topic management to allow put bucket notifications from other tenant users lets say we have two cross tenanted users tenantA:user1 and tenantB:user2 and topic1 and bkt1 are created through user1 put bucket notification to bkt1 from user2 is not allowed even after allowing user2 through bucket policy, if we use topic1 arn in the request the issue boils down to cross tenant topic access is not allowed currently. if we create topic2 through user2 and use topic2 arn in put bucket notifications request to bkt1, then it is allowed. It is the workaround currently. Version-Release number of selected component (if applicable): ceph version 18.2.0-27.el9cp How reproducible: always Steps to Reproduce: 1.deploy rhcs 7.0 ceph cluster 2.create cross tenanted users tenantA:user1 and tenantB:user2 3.create topic1 and bkt1 through user1 4.allow user2 to put bucket notifications to bkt1 using bucket policy {"Version": "2012-10-17", "Statement": [{"Sid": "Statement", "Effect": "Allow", "Principal": "*", "Action": ["s3:GetBucketNotification", "s3:PutBucketNotification"], "Resource": "arn:aws:s3::tenantA:bkt1"}]} 5.put bucket notifications using user2 client with topic1 arn in the request using below code snippet import boto3 from botocore.handlers import validate_bucket_name tenant='tenantA' bucket='bkt1' client = boto3.client('s3', region_name='default', use_ssl=False, endpoint_url='http://localhost:8000', aws_access_key_id='user2accesskey', aws_secret_access_key='user2secretkey') # disabling bucket name validation to allow for the "tenant:bucket" format client.meta.events.unregister("before-parameter-build.s3", validate_bucket_name) TopicConfigurations = [ { "Id": "notif2", "TopicArn": "arn:aws:sns:default:tenantA:topic1", "Events": ["s3:ObjectCreated:*", "s3:ObjectRemoved:*"], } ] response = client.put_bucket_notification_configuration(Bucket=f"{tenant}:{bucket}", NotificationConfiguration={"TopicConfigurations": TopicConfigurations}) print(response) Actual results: seeing no such key error for put bucket notification request botocore.errorfactory.NoSuchKey: An error occurred (NoSuchKey) when calling the PutBucketNotificationConfiguration operation: None Expected results: putbucket notification request is successful Additional info: test results are present in this doc: https://docs.google.com/document/d/1nXxBvpwmWWailwAQeV1fqhdCnIF-Vie7j0UfbIxQD-Y/edit?usp=sharing