Description of problem:

[RFE][RGW]: support cross tenant topic management to allow put bucket notifications from other tenant users

lets say we have two cross tenanted users tenantA:user1 and tenantB:user2, and topic1 and bkt1 are created through user1.

put bucket notification to bkt1 from user2 is not allowed even after allowing user2 through bucket policy, if we use topic1 arn in the request.

the issue boils down to cross tenant topic access is not allowed currently.

if we create topic2 through user2 and use topic2 arn in put bucket notifications request to bkt1, then it is allowed. It is the workaround currently.

Version-Release number of selected component (if applicable):
ceph version 18.2.0-27.el9cp

How reproducible:
always

Steps to Reproduce:
1. deploy rhcs 7.0 ceph cluster
2. create cross tenanted users tenantA:user1 and tenantB:user2
3. create topic1 and bkt1 through user1
4. allow user2 to put bucket notifications to bkt1 using bucket policy

    {"Version": "2012-10-17", "Statement": [{"Sid": "Statement", "Effect": "Allow", "Principal": "*", "Action": ["s3:GetBucketNotification", "s3:PutBucketNotification"], "Resource": "arn:aws:s3::tenantA:bkt1"}]}

5. put bucket notifications using user2 client with topic1 arn in the request using below code snippet

    import boto3
    from botocore.handlers import validate_bucket_name

    tenant='tenantA'
    bucket='bkt1'
    client = boto3.client('s3',
                          region_name='default',
                          use_ssl=False,
                          endpoint_url='http://localhost:8000',
                          aws_access_key_id='user2accesskey',
                          aws_secret_access_key='user2secretkey')

    # disabling bucket name validation to allow for the "tenant:bucket" format
    client.meta.events.unregister("before-parameter-build.s3", validate_bucket_name)

    TopicConfigurations = [
        {
            "Id": "notif2",
            "TopicArn": "arn:aws:sns:default:tenantA:topic1",
            "Events": ["s3:ObjectCreated:*", "s3:ObjectRemoved:*"],
        }
    ]
    response = client.put_bucket_notification_configuration(
        Bucket=f"{tenant}:{bucket}",
        NotificationConfiguration={"TopicConfigurations": TopicConfigurations})
    print(response)

Actual results:
seeing no such key error for put bucket notification request

    botocore.errorfactory.NoSuchKey: An error occurred (NoSuchKey) when calling the PutBucketNotificationConfiguration operation: None

Expected results:
putbucket notification request is successful

Additional info:
test results are present in this doc: https://docs.google.com/document/d/1nXxBvpwmWWailwAQeV1fqhdCnIF-Vie7j0UfbIxQD-Y/edit?usp=sharing
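The bucket policy in step 4 uses "Principal": "*", which grants the notification actions to every user of every tenant, not only tenantB:user2. The following is an added example, not part of the original report or of Ceph's code: it flags such wildcard grants and builds the same grant scoped to one cross-tenant user, assuming RGW's tenant-qualified principal form arn:aws:iam::<tenant>:user/<user>. The helper names are hypothetical.

```python
import json

NOTIFICATION_ACTIONS = {"s3:GetBucketNotification", "s3:PutBucketNotification"}

# Bucket policy from step 4 of the report, copied as posted.
REPORTED_POLICY = json.loads(
    '{"Version": "2012-10-17", "Statement": [{"Sid": "Statement", '
    '"Effect": "Allow", "Principal": "*", "Action": '
    '["s3:GetBucketNotification", "s3:PutBucketNotification"], '
    '"Resource": "arn:aws:s3::tenantA:bkt1"}]}'
)

def as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def is_wildcard_principal(principal):
    """True when the principal matches every user in every tenant."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS", []))
    return False

def open_notification_grants(policy):
    """Sids of Allow statements giving notification actions to everyone."""
    hits = []
    for stmt in as_list(policy.get("Statement", [])):
        actions = set(as_list(stmt.get("Action", [])))
        grants = actions & (NOTIFICATION_ACTIONS | {"s3:*", "*"})
        if (stmt.get("Effect") == "Allow" and grants
                and is_wildcard_principal(stmt.get("Principal"))):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits

def scoped_policy(bucket_tenant, bucket, user_tenant, user):
    """Same grant as the report, limited to one user of another tenant."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Statement",
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{user_tenant}:user/{user}"]},
            "Action": sorted(NOTIFICATION_ACTIONS),
            "Resource": f"arn:aws:s3::{bucket_tenant}:{bucket}",
        }],
    }

if __name__ == "__main__":
    print("wildcard grants:", open_notification_grants(REPORTED_POLICY))
    print(json.dumps(scoped_policy("tenantA", "bkt1", "tenantB", "user2"), indent=2))
```

Scoping the principal narrows who may set notifications on bkt1; it does not change the cross-tenant topic behaviour the report describes.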
this is also tracked upstream: https://tracker.ceph.com/issues/62783

fixing that should allow:
* full topic management across tenants: modify/get/remove
* using topic in notifications of another tenant
Merged PR to upstream
https://github.com/ceph/ceph/pull/61565