Description of problem:
add support for configuring permission to allow a bucket being used as a target bucket for log delivery
Currently I can configure bucket logging on a bucket with target bucket as another user bucket also. without any access another users can use my bucket as target bucket for bucket logging. this is a security issue.


log snippet:


[root@magna016 ~]# aws --endpoint-url http://10.8.128.16:81 --profile hsm1 s3 mb s3://hsm1-dest-bkt0
make_bucket: hsm1-dest-bkt0
[root@magna016 ~]#


[root@magna016 ~]# aws --endpoint-url http://10.8.128.16:81 --profile hsm s3api get-bucket-logging --bucket hsm-src-bkt0
{
    "LoggingEnabled": {
        "TargetBucket": "hsm1-dest-bkt0",
        "TargetPrefix": "hsm-src-bkt0-logs",
        "TargetObjectKeyFormat": {
            "SimplePrefix": {}
        },
        "ObjectRollTime": 120,
        "LoggingType": "Journal",
        "RecordsBatchSize": 0
    }
}
[root@magna016 ~]# 
[root@magna016 ~]# aws --endpoint-url http://10.8.128.16:81 --profile hsm s3 cp obj1_4KB s3://hsm-src-bkt0/obj4
upload: ./obj1_4KB to s3://hsm-src-bkt0/obj4                   
[root@magna016 ~]# 
[root@magna016 ~]# aws --endpoint-url http://10.8.128.16:81 --profile hsm s3 cp obj1_4KB s3://hsm-src-bkt0/obj5
upload: ./obj1_4KB to s3://hsm-src-bkt0/obj5                   
[root@magna016 ~]# 
[root@magna016 ~]# aws --endpoint-url http://10.8.128.16:81 --profile hsm s3 cp obj1_4KB s3://hsm-src-bkt0/obj6
upload: ./obj1_4KB to s3://hsm-src-bkt0/obj6                   
[root@magna016 ~]# 
[root@magna016 ~]# radosgw-admin bucket logging flush --bucket hsm-src-bkt0
flushed pending logging object 'hsm-src-bkt0-logs2025-02-12-07-47-46-9PJRX3F043TMUNO8' to target bucket 'hsm1-dest-bkt0'
[root@magna016 ~]# 


[root@magna016 ~]# aws --endpoint-url http://10.8.128.16:81 --profile hsm1 s3 ls
2025-02-12 07:45:38 hsm1-dest-bkt0
[root@magna016 ~]# 
[root@magna016 ~]# aws --endpoint-url http://10.8.128.16:81 --profile hsm1 s3 ls s3://hsm1-dest-bkt0
2025-02-12 07:47:46        318 hsm-src-bkt0-logs2025-02-12-07-47-04-RNQVY80875AH0CKH
[root@magna016 ~]# 
[root@magna016 ~]# aws --endpoint-url http://10.8.128.16:81 --profile hsm1 s3 cp s3://hsm1-dest-bkt0/hsm-src-bkt0-logs2025-02-12-07-47-04-RNQVY80875AH0CKH hsm-src-bkt0-logs2025-02-12-07-47-04-RNQVY80875AH0CKH
download: s3://hsm1-dest-bkt0/hsm-src-bkt0-logs2025-02-12-07-47-04-RNQVY80875AH0CKH to ./hsm-src-bkt0-logs2025-02-12-07-47-04-RNQVY80875AH0CKH
[root@magna016 ~]# 
[root@magna016 ~]# 
[root@magna016 ~]# cat hsm-src-bkt0-logs2025-02-12-07-47-04-RNQVY80875AH0CKH
hsm hsm-src-bkt0 [12/Feb/2025:07:47:04 +0000] obj4 REST.PUT.put_obj 4000 6c1b4100d743a6937ad6c59244d535b3
hsm hsm-src-bkt0 [12/Feb/2025:07:47:07 +0000] obj5 REST.PUT.put_obj 4000 6c1b4100d743a6937ad6c59244d535b3
hsm hsm-src-bkt0 [12/Feb/2025:07:47:10 +0000] obj6 REST.PUT.put_obj 4000 6c1b4100d743a6937ad6c59244d535b3
[root@magna016 ~]# 




Version-Release number of selected component (if applicable):
ceph version 19.2.0-53.el9cp

How reproducible:
always

Steps to Reproduce:
1.create a user (user1) and create a bucket (u1_bkt1)
2.create another user (user2) and create a bucket under it (u2_bkt2)
3.put-bucket-logging on u1_bkt1 with target bucket as u2_bkt1. upload few objects into the bucket u1_bkt1, after some time we observe the log object is delivered to u2_bkt1. as we dont have any method to configure permission to allow/deny a bucket being used as target bucket by allowed/denied users, any user can use any user bucket as target bucket.

Actual results:
no permission check to deliver log object to target bucket

Expected results:
expected there should be some configuration settings for log object delivery

Additional info:
logs: https://docs.google.com/document/d/1R9Qol5tNXwNXFQJLpagUdBSyNp7U11YJR67aym_thvg/edit?tab=t.ojj9k1r0ng0n#heading=h.rk3mhpdppc93