rgw: revert account-related changes to get_iam_policy_from_attr()#59169

Merged: cbodley merged 2 commits into ceph:main from cbodley:wip-67464 on Aug 14, 2024


cbodley commented Aug 12, 2024

while bucket ARNs in iam policies don't include account names, policy evaluation does need to differentiate between buckets in different tenant namespaces

when requests pass bucket/object ARNs into verify_bucket/object_permission(), those do include the bucket's tenant name. to match against those ARNs, we also need to pass the requested bucket's tenant name into get_iam_policy_from_attr()

Fixes: https://tracker.ceph.com/issues/67464


@cbodley cbodley requested a review from a team as a code owner August 12, 2024 13:54
@github-actions github-actions bot added the rgw label Aug 12, 2024
while bucket ARNs in iam policies don't include account names, policy
evaluation does need to differentiate between buckets in different
tenant namespaces

when requests pass bucket/object ARNs into
verify_bucket/object_permission(), those do include the bucket's tenant
name. to match against those ARNs, we also need to pass the requested
bucket's tenant name into get_iam_policy_from_attr()

Fixes: https://tracker.ceph.com/issues/67464

Signed-off-by: Casey Bodley <[email protected]>

cbodley commented Aug 12, 2024

the original commit was tested successfully by @pritha-srivastava in cbodley@706bb5d#commitcomment-145269321

the only change to that commit in this PR is the addition of a commit message


cbodley commented Aug 12, 2024

jenkins test make check

@github-actions github-actions bot added the tests label Aug 13, 2024

cbodley commented Aug 14, 2024

passed qa in https://pulpito.ceph.com/cbodley-2024-08-13_21:30:19-rgw-wip-67464-distro-default-smithi/

s3tests_boto3/functional/test_s3.py::test_bucket_policy_different_tenant PASSED [ 81%]
s3tests_boto3/functional/test_s3.py::test_bucket_policy_tenanted_bucket PASSED [ 81%]
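
The tenant-scoping point from the PR description, as an added illustration that is not part of this pull request or of Ceph's code: a simplified C++ model of why the bucket's tenant has to be supplied when the policy is loaded. `Arn`, `parse_arn`, `load_policy`, `matches` and `allowed` are hypothetical names, the tenant and bucket names are constructed, and filling an empty tenant field from the policy's tenant is a modeling assumption.

```cpp
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

struct Arn {  // simplified model, not Ceph's rgw type
  std::string tenant;    // account field of the ARN; empty when omitted
  std::string resource;  // "bucket" or "bucket/key"
};

// Parse "arn:aws:s3:<region>:<tenant>:<resource>". Modeling assumption: an
// empty tenant field is filled with the tenant the policy is loaded under.
Arn parse_arn(const std::string& s, const std::string& policy_tenant) {
  std::vector<std::string> f;
  std::size_t pos = 0;
  for (int i = 0; i < 5; ++i) {
    const std::size_t next = s.find(':', pos);
    if (next == std::string::npos) throw std::invalid_argument("bad ARN: " + s);
    f.push_back(s.substr(pos, next - pos));
    pos = next + 1;
  }
  return Arn{f[4].empty() ? policy_tenant : f[4], s.substr(pos)};
}

// Hypothetical stand-in for loading a bucket's stored policy under a tenant.
std::vector<Arn> load_policy(const std::vector<std::string>& arns, const std::string& tenant) {
  std::vector<Arn> p;
  for (const auto& a : arns) p.push_back(parse_arn(a, tenant));
  return p;
}

// Match only inside the same tenant namespace; trailing '*' is a prefix wildcard.
bool matches(const Arn& pat, const Arn& req) {
  if (pat.tenant != req.tenant) return false;
  const std::string& r = pat.resource;
  if (r.empty() || r.back() != '*') return r == req.resource;
  return req.resource.compare(0, r.size() - 1, r, 0, r.size() - 1) == 0;
}

bool allowed(const std::vector<Arn>& policy, const Arn& req) {
  for (const auto& r : policy) if (matches(r, req)) return true;
  return false;
}

int main() {
  const std::vector<std::string> arns{"arn:aws:s3:::photos/*"};  // constructed policy
  const Arn req{"acme", "photos/cat.jpg"};  // constructed request ARN, tenant included
  std::cout << allowed(load_policy(arns, "acme"), req) << allowed(load_policy(arns, ""), req) << "\n";
}
```

In this model, a policy loaded without the tenant never matches a request ARN for a tenanted bucket, and a policy loaded with the tenant does not match a same-named bucket in another tenant.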
