When running make check (arm64) on omani series servers, e.g.
https://jenkins.ceph.com/job/ceph-pull-requests-arm64/54751/,
it shows:
python: timeout after 30 seconds
INFO root:call_wrappers.py:284 Non-zero exit code 124 from /home/jenkins-build/build/workspace/ceph-pull-requests-arm64/src/cephadm/.tox/py3/bin/python -c for i in range(1000000): print(i, flush=True)
Fixes: https://tracker.ceph.com/issues/65355
Signed-off-by: Rongqi Sun <sunrongqi@huawei.com>
mgr/cephadm: make enable_monitor_client configurable for nvmeof
Reviewed-by: Ernesto Puerta <epuertat@redhat.com>
Reviewed-by: John Mulligan <jmulligan@redhat.com>
new sns test cases are using this for topic names, but the '.' is not
allowed there:
> api_params = {'Name': 'test-client.0-n3bdgre5el2jk8v-606'}
> botocore.exceptions.ClientError: An error occurred (InvalidArgument) when calling the CreateTopic operation: Name must be made up of only uppercase and lowercase ASCII letters, numbers, underscores, and hyphens
Signed-off-by: Casey Bodley <cbodley@redhat.com>
a bucket's notification configuration may refer to topics from several
different tenants or accounts. when publishing to a given topic, look in
the correct namespace for each topic instead of defaulting to the
requesting user's tenant namespace
Signed-off-by: Casey Bodley <cbodley@redhat.com>
move the persistent queue removal into remove_topic() where we have
access to the topic metadata. avoid trying to remove the queue if it
isn't enabled
Signed-off-by: Casey Bodley <cbodley@redhat.com>
non-account users now consult identity policies with
verify_user_permission() when the topic doesn't exist
account users now consult topic policy when it does exist
Signed-off-by: Casey Bodley <cbodley@redhat.com>
this unordered_set was not static, so we reinitialized it on every call
replace with a constexpr array of string_views so we can search through
sequential memory that's laid out at compile time
Signed-off-by: Casey Bodley <cbodley@redhat.com>
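The lookup-table change described in this commit, as an added illustration that is not rgw's code: the action names and function names are constructed for the example, and the "before" function is written the way the message describes the old code (a non-static set rebuilt on every call).

```cpp
#include <array>
#include <string>
#include <string_view>
#include <unordered_set>

// Before: the set is a non-static local, so every call rebuilds it, allocating
// a node and hashing every entry before a single lookup happens.
bool is_sns_action_slow(std::string_view action) {
  std::unordered_set<std::string> actions = {
      "sns:Publish", "sns:CreateTopic", "sns:DeleteTopic",
      "sns:ListTopics", "sns:GetTopicAttributes"};
  return actions.count(std::string(action)) > 0;
}

// After: a constexpr array of string_views. The table is laid out in static
// read-only storage at compile time; a lookup is a linear scan over contiguous
// memory with no allocation, which for a handful of entries beats hashing.
constexpr std::array<std::string_view, 5> kSnsActions = {
    "sns:Publish", "sns:CreateTopic", "sns:DeleteTopic",
    "sns:ListTopics", "sns:GetTopicAttributes"};

constexpr bool is_sns_action(std::string_view action) {
  for (std::string_view a : kSnsActions)  // std::array iteration is constexpr in C++17
    if (a == action) return true;
  return false;
}

// Because the lookup is constexpr, known cases can be checked at compile time.
static_assert(is_sns_action("sns:Publish"), "table should contain sns:Publish");
static_assert(!is_sns_action("sns:Bogus"), "unknown actions are rejected");
```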
accounts can use topic policy to grant sns:Publish permissions to other
accounts. the PutBucketNotification op should expect TopicArns from
other accounts. the account name from each TopicArn should be used as
the 'tenant' argument for RGWPubSub's constructor so we look for the
topic in the right namespace
Signed-off-by: Casey Bodley <cbodley@redhat.com>
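An added example, not rgw's code, covering two points above: the topic-name character rule quoted in the CreateTopic error, and taking the namespace for a topic from the account field of its TopicArn rather than from the requesting user's tenant. The ARN layout follows the standard SNS form `arn:<partition>:sns:<region>:<account>:<topic>`; the struct, function names and the `tenant:topic` key format are hypothetical stand-ins for rgw's internals.

```cpp
#include <array>
#include <optional>
#include <string>
#include <string_view>

// Only ASCII letters, digits, underscores and hyphens are allowed, so a name
// containing '.' (like the one in the quoted error) is rejected.
bool valid_topic_name(std::string_view name) {
  if (name.empty()) return false;
  for (char c : name) {
    bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '_' || c == '-';
    if (!ok) return false;
  }
  return true;
}

struct TopicRef {
  std::string tenant;  // namespace (tenant or account) the topic lives in
  std::string name;
};

// Parse a TopicArn and choose the namespace to look the topic up in: the ARN's
// account field when present, otherwise (the old default) the requester's tenant.
std::optional<TopicRef> topic_from_arn(std::string_view arn,
                                       std::string_view requester_tenant) {
  std::array<std::string_view, 6> f{};
  size_t start = 0;
  for (size_t i = 0; i < 5; ++i) {
    size_t pos = arn.find(':', start);
    if (pos == std::string_view::npos) return std::nullopt;
    f[i] = arn.substr(start, pos - start);
    start = pos + 1;
  }
  f[5] = arn.substr(start);
  if (f[0] != "arn" || f[2] != "sns" || !valid_topic_name(f[5])) return std::nullopt;
  std::string_view ns = f[4].empty() ? requester_tenant : f[4];
  return TopicRef{std::string(ns), std::string(f[5])};
}

// Hypothetical namespaced metadata key: prefixing with the tenant/account keeps
// same-named topics in different namespaces from colliding.
std::string topic_key(const TopicRef& t) {
  return t.tenant.empty() ? t.name : t.tenant + ":" + t.name;
}
```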
for account users, CreateTopic and ListTopics permissions come from
identity policy alone, ignoring the ownership/policy of existing topics
Signed-off-by: Casey Bodley <cbodley@redhat.com>
RGWPubSub provides topic namespace isolation for tenants by adding
prefixes to rados object names and topic metadata keys. accounts use
this the same way
Signed-off-by: Casey Bodley <cbodley@redhat.com>
refactor verify_topic_owner_or_policy() to share the same interface
as similar functions like verify_user/bucket/object_permission()
from rgw_common.cc
in addition to the topic resource policy, this now also consults iam
identity policies like user, group, or role policy
for account users, this now implements cross-account policy evaluation.
this only comes into play for sns:Publish permissions though, because
the topics themselves are scoped to the account
Signed-off-by: Casey Bodley <cbodley@redhat.com>
verify_permission() should do permission checks and nothing else!
admin/system users ignore errors from verify_permission() and go on to
call execute() regardless. that means that execute() can't rely on any
initialization that happened during verify_permission(), at risk of
crashing on admin/system requests. it also means that any permission
checks in execute() won't get overridden for admin/system users,
breaking their superuser access
by moving all parameter validation and initialization into
init_processing(), we can prepare all the state that verify_permission()
will need to do its thing
Signed-off-by: Casey Bodley <cbodley@redhat.com>
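The op lifecycle and the admin/system bypass described in this commit, as an added sketch that is not rgw's classes: `ReqState`, `PublishOp` and `process_request` are hypothetical, and `publish_allowed` is a constructed stand-in for the outcome of policy evaluation. It shows why state that `execute()` needs must be set up in `init_processing()`: a system user reaches `execute()` even when `verify_permission()` fails.

```cpp
#include <cerrno>
#include <optional>
#include <string>

struct ReqState {
  bool system_user = false;      // admin/system requests ignore verify_permission() errors
  bool publish_allowed = false;  // constructed stand-in for the policy evaluation result
  std::string topic_param;       // raw, unvalidated request parameter
};

struct PublishOp {
  std::optional<std::string> topic;  // validated state, populated in init_processing()

  // Step 1: parameter validation and initialization. Errors go back to the
  // client as a response code, and this runs for every caller.
  int init_processing(const ReqState& s) {
    if (s.topic_param.empty() || s.topic_param.find('.') != std::string::npos)
      return -EINVAL;
    topic = s.topic_param;
    return 0;
  }
  // Step 2: permission checks and nothing else; it may read state from step 1.
  int verify_permission(const ReqState& s) const {
    return s.publish_allowed ? 0 : -EACCES;
  }
  // Step 3: must not depend on verify_permission() having succeeded, because
  // system users get here even after it fails. Had `topic` been initialized
  // in step 2 instead of step 1, this would dereference an empty optional.
  int execute(const ReqState&) const {
    return topic ? 0 : -EIO;
  }
};

// Driver with the bypass described above: admin/system users skip permission failures.
int process_request(PublishOp& op, const ReqState& s) {
  if (int r = op.init_processing(s); r < 0) return r;
  if (int r = op.verify_permission(s); r < 0 && !s.system_user) return r;
  return op.execute(s);
}
```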
parameter validation errors should be returned to the client instead of
written to the rgw log
also raises the log level for lots of error messages. very few of them
should require admin attention
Signed-off-by: Casey Bodley <cbodley@redhat.com>
s->bucket is already initialized during rgw_build_bucket_policies(),
called from RGWHandler::do_init_permissions()
Signed-off-by: Casey Bodley <cbodley@redhat.com>
makes it much easier to debug authorization issues when you can see
exactly which policies led to success/failure
Signed-off-by: Casey Bodley <cbodley@redhat.com>
account root users were not linked to the account's user index because
they're not visible to iam apis like ListUsers
but now that 'account rm' is prevented from deleting the account while
users are still present, we want account root users to prevent deletion
too
add root users back to the account user index, but filter them out of
the iam user apis
Signed-off-by: Casey Bodley <cbodley@redhat.com>
now that all identities store an optional account, expose that to the
rest of rgw with get_account(). this cleans up lots of code that
otherwise has to deal with the rgw_owner variant
Signed-off-by: Casey Bodley <cbodley@redhat.com>
iam apis have specific requirements for the UserName field. enforce
these requirements for 'user create' and 'user modify' admin ops for
account users
Signed-off-by: Casey Bodley <cbodley@redhat.com>
several object operations like PutObject, DeleteObject, etc. were handling
policy evaluation manually instead of using the helper functions like
verify_user/bucket/object_permission(), so were missing the cross-policy
evaluation rules for account users
these now call the new 'custom arn' overload of verify_bucket_permission()
for equivalent functionality
the eval_identity_or_session_policies() function is no longer exposed by
rgw_common.h to prevent other ops from adding new logic that doesn't
handle cross-account access
Signed-off-by: Casey Bodley <cbodley@redhat.com>