ArbitCode
diff --git a/‎doc/radosgw/bucket_logging.rst‎
Lines changed: 148 additions & 0 deletions b/‎doc/radosgw/bucket_logging.rst‎
Lines changed: 148 additions & 0 deletions
diff --git a/‎doc/radosgw/index.rst‎
Lines changed: 2 additions & 0 deletions b/‎doc/radosgw/index.rst‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎doc/radosgw/s3.rst‎
Lines changed: 2 additions & 0 deletions b/‎doc/radosgw/s3.rst‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎doc/radosgw/s3/bucketops.rst‎
Lines changed: 189 additions & 0 deletions b/‎doc/radosgw/s3/bucketops.rst‎
Lines changed: 189 additions & 0 deletions
@@ -0,0 +1,148 @@
+====================
+Bucket Logging
+====================
+
+.. versionadded:: T
+
+.. contents::
+
+Bucket logging provides a mechanism for logging all access to a bucket. The
+log data can be used to monitor bucket activity, detect unauthorized
+access, get insights into the bucket usage and use the logs as a journal for bucket changes.
+The log records are stored in objects in a separate bucket and can be analyzed later.
+Logging configuration is done at the bucket level and can be enabled or disabled at any time.
+The log bucket can accumulate logs from multiple buckets. It is recommended to configured 
+a different "prefix" for each bucket, so that the logs of different buckets will be stored
+in different objects in the log bucket.
+
+
+.. toctree::
+   :maxdepth: 1
+
+Logging Reliability
+-------------------
+For performance reasons, even though the log records are written to persistent storage, the log object will
+appear in the log bucket only after some configurable amount of time (or if the maximum object size of 128MB is reached).
+This time (in seconds) could be set per source bucket via a Ceph extension to the REST API,
+or globally via the `rgw_bucket_logging_obj_roll_time` configuration option. If not set, the default time is 5 minutes.
+Adding a log object to the log bucket is done "lazily", meaning, that if no more records are written to the object, it may
+remain outside of the log bucket even after the configured time has passed.
+
+Standard
+````````
+If logging type is set to "Standard" (the default) the log records are written to the log bucket after the bucket operation is completed.
+This means that there are the logging operation may fail, with no indication to he client.
+
+Journal
+```````
+If logging type is set to "Journal", the records are written to the log bucket before the bucket operation is completed. 
+This means that if the logging action fails, the operation will not be executed, and an error will be returned to the client.
+An exception to the above are "multi/delete" log records: if writing these log records fail, the operation continues and may still be successful.
+Note that it may happen that the log records were successfully written, but the bucket operation failed, since the logs are written
+before such a failure, there will be no indication for that in the log records. 
+
+
+Bucket Logging REST API
+-----------------------
+Detailed under: `Bucket Operations`_.
+
+
+Log Objects Key Format
+----------------------
+
+Simple
+``````
+has the following format:
+
+::
+
+  <prefix><year-month-day-hour-minute-second>-<16 bytes unique-id>
+
+For example:
+
+::
+
+  fish/2024-08-06-09-40-09-TI9ROKN05DD4HPQF
+
+Partitioned
+```````````
+has the following format:
+
+::
+
+  <prefix><bucket owner>/<source region>/<bucket name>/<year>/<month>/<day>/<year-month-day-hour-minute-second>-<16 bytes unique-id>
+
+For example:
+
+::
+
+  fish/testid//all-log/2024/08/06/2024-08-06-10-11-18-1HMU3UMWOJKNQJ0X
+
+Log Records
+~~~~~~~~~~~
+
+The log records are space separated string columns and have the following possible formats:
+
+Journal
+```````
+minimum amount of data used for journaling bucket changes (this is a Ceph extension).
+
+  - bucket owner (or dash if empty)
+  - bucket name (or dash if empty)
+  - time in the following format: ``[day/month/year:hour:minute:second timezone]``
+  - object key (or dash if empty)
+  - operation in the following format: ``WEBSITE/REST.<HTTP method>.<resource>``
+  - object size (or dash if empty)
+  - version id (dash if empty or question mark if unknown)
+  - eTag
+
+For example:
+
+::
+
+  testid fish [06/Aug/2024:09:40:09 +0000] myfile - REST.PUT.OBJECT 4cfdfc1f58e762d3e116787cb92fac60
+  testid fish [06/Aug/2024:09:40:28 +0000] myfile REST.DELETE.OBJECT 4cfdfc1f58e762d3e116787cb92fac60
+
+
+Standard
+````````
+based on `AWS Logging Record Format`_.
+  
+  - bucket owner (or dash if empty)
+  - bucket name (or dash if empty)
+  - time
+  - remote IP (not supported, always a dash)
+  - user or account (or dash if empty)
+  - request ID
+  - operation in the following format: ``WEBSITE/REST.<HTTP method>.<resource>``
+  - object key (or dash if empty)
+  - request URI in the following format: ``"<HTTP method> <URI> <HTTP version>"``
+  - HTTP status (or dash if zero). Note that in most cases log is written before the status is known
+  - error code (or dash if empty)
+  - bytes sent (or dash if zero)
+  - object size (or dash if zero)
+  - total time (not supported, always a dash)
+  - turnaround time (not supported, always a dash)
+  - referrer (not supported, always a dash)
+  - user agent (not supported, always a dash)
+  - version id (or dash if empty)
+  - host id taken from "x-amz-id-2" (or dash if empty)
+  - signature version (not supported, always a dash)
+  - cipher suite (not supported, always a dash)
+  - authentication type (not supported, always a dash)
+  - host header (or dash if empty)
+  - TLS version (not supported, always a dash)
+  - access point ARN (not supported, always a dash)
+  - ACL flag ("Yes" if the request is an ACL operation, otherwise dash)
+
+For example:
+
+::
+
+  testid fish [06/Aug/2024:09:30:25 +0000] - testid 9e369a15-5f43-4f07-b638-de920b22f91b.4179.15085270386962380710 REST.PUT.OBJECT myfile "PUT /fish/myfile HTTP/1.1" 200 - 512 512 - - - - - - - - - localhost - -
+  testid fish [06/Aug/2024:09:30:51 +0000] - testid 9e369a15-5f43-4f07-b638-de920b22f91b.4179.7046073853138417766 REST.GET.OBJECT myfile "GET /fish/myfile HTTP/1.1" 200 - - 512 - - - - - - - - - localhost - -
+  testid fish [06/Aug/2024:09:30:56 +0000] - testid 9e369a15-5f43-4f07-b638-de920b22f91b.4179.10723158448701085570 REST.DELETE.OBJECT myfile "DELETE /fish/myfile1 HTTP/1.1" 200 - - 512 - - - - - - - - - localhost - -
+
+ 
+.. _AWS Logging Record Format: https://docs.aws.amazon.com/AmazonS3/latest/userguide/LogFormat.html
+.. _Bucket Operations: ../s3/bucketops
@@ -89,3 +89,5 @@ Cluster with one API and then retrieve that data with the other API.
    Cloud Transition <cloud-transition>
    Metrics <metrics>
    UADK Acceleration for Compression <uadk-accel>
+   Bucket Logging <bucket_logging>
+
@@ -82,6 +82,8 @@ The following table describes the support status for current Amazon S3 functiona
 +---------------------------------+-----------------+----------------------------------------+
 | **Storage Class**               | Supported       | See :ref:`storage_classes`             |
 +---------------------------------+-----------------+----------------------------------------+
+| **Bucket Logging**              | Supported       |                                        |
++---------------------------------+-----------------+----------------------------------------+
 
 Unsupported Header Fields
 -------------------------
 
@@ -705,3 +705,192 @@ HTTP Response
 +---------------+-----------------------+----------------------------------------------------------+
 
 .. _S3 Notification Compatibility: ../../s3-notification-compatibility
+
+Enable Bucket Logging
+---------------------
+
+Enable logging for a bucket.
+
+Syntax
+~~~~~~
+
+::
+
+    PUT /{bucket}?logging HTTP/1.1
+
+
+Request Entities
+~~~~~~~~~~~~~~~~
+
+Parameters are XML encoded in the body of the request, in the following format:
+
+::
+
+  <BucketLoggingStatus xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
+    <LoggingEnabled>
+      <TargetBucket>string</TargetBucket>
+      <TargetGrants>
+        <Grant>
+          <Grantee>
+            <DisplayName>string</DisplayName>
+            <EmailAddress>string</EmailAddress>
+            <ID>string</ID>
+            <xsi:type>string</xsi:type>
+            <URI>string</URI>
+          </Grantee>
+          <Permission>string</Permission>
+        </Grant>
+      </TargetGrants>
+      <TargetObjectKeyFormat>
+        <PartitionedPrefix>
+          <PartitionDateSource>DeliveryTime|EventTime</PartitionDateSource>
+        </PartitionedPrefix>
+        <SimplePrefix>
+        </SimplePrefix>
+      </TargetObjectKeyFormat>
+      <TargetPrefix>string</TargetPrefix>
+      <LoggingType>Standard|Journal</LoggingType>
+      <ObjectRollTime>integer</ObjectRollTime>
+    </LoggingEnabled>
+  </BucketLoggingStatus>
+
++-------------------------------+-----------+--------------------------------------------------------------------------------------+----------+
+| Name                          | Type      | Description                                                                          | Required |
++===============================+===========+======================================================================================+==========+
+| ``BucketLoggingStatus``       | Container | Enabling/Disabling logging configuration for the bucket.                             | Yes      |
++-------------------------------+-----------+--------------------------------------------------------------------------------------+----------+
+| ``LoggingEnabled``            | Container | Holding the logging configuration for the bucket.                                    | Yes      |
++-------------------------------+-----------+--------------------------------------------------------------------------------------+----------+
+| ``TargetBucket``              | String    | The bucket where the logs are stored. The log bucket cannot have bucket logging      | Yes      |
+|                               |           | enabled.                                                                             |          |
++-------------------------------+-----------+--------------------------------------------------------------------------------------+----------+
+| ``TargetGrants``              | Container | Not supported. The owner of the log bucket is the owner of the log objects.          | No       |
++-------------------------------+-----------+--------------------------------------------------------------------------------------+----------+
+| ``TargetObjectKeyFormat``     | Container | The format of the log object key. Contains either ``PartitionedPrefix`` or           | No       |
+|                               |           | ``SimplePrefix`` entities.                                                           |          |
++-------------------------------+-----------+--------------------------------------------------------------------------------------+----------+
+| ``PartitionedPrefix``         | Container | Indicates a partitioned  log object key format. Note that ``PartitionDateSource``    | No       |
+|                               |           | is ignored and hardcoded as ``DeliveryTime``                                         |          |
++-------------------------------+-----------+--------------------------------------------------------------------------------------+----------+
+| ``SimplePrefix``              | Container | Indicates a simple log object key format (default format)                            | No       |
++-------------------------------+-----------+--------------------------------------------------------------------------------------+----------+
+| ``TargetPrefix``              | String    | The prefix for the log objects. Used in both formats. May be used to distinguish     | No       |
+|                               |           | between different source buckets writing log records to the same log bucket.         |          |
++-------------------------------+-----------+--------------------------------------------------------------------------------------+----------+
+| ``LoggingType``               | String    | The type of logging. Valid values are:                                               | No       |
+|                               |           | ``Standard`` (default) all bucket operations are logged after being perfomed.        |          |
+|                               |           | The log record will contain all fields.                                              |          |
+|                               |           | ``Journal`` only PUT, COPY, MULTI/DELETE and MPU operations are logged.              |          |
+|                               |           | Will record the minimum subset of fields in the log record that is needed            |          |
+|                               |           | for journaling.                                                                      |          |
++-------------------------------+-----------+--------------------------------------------------------------------------------------+----------+
+| ``ObjectRollTime``            | Integer   | The time in seconds after which a new log object is created, and the previous log    | No       |
+|                               |           | object added to the log bucket. Default is 3600 seconds (1 hour).                    |          |
++-------------------------------+-----------+--------------------------------------------------------------------------------------+----------+
+
+
+HTTP Response
+~~~~~~~~~~~~~
+
++---------------+-----------------------+----------------------------------------------------------+
+| HTTP Status   | Status Code           | Description                                              |
++===============+=======================+==========================================================+
+| ``400``       | MalformedXML          | The XML is not well-formed                               |
++---------------+-----------------------+----------------------------------------------------------+
+| ``400``       | InvalidArgument       | Missing mandatory value or invalid value                 |
++---------------+-----------------------+----------------------------------------------------------+
+| ``404``       | NoSuchBucket          | The bucket does not exist                                |
++---------------+-----------------------+----------------------------------------------------------+
+
+
+Disable Bucket Logging
+----------------------
+
+Disable bucket logging from a bucket.
+
+Syntax
+~~~~~~
+
+::
+
+    PUT /{bucket}?logging HTTP/1.1
+
+
+Request Entities
+~~~~~~~~~~~~~~~~
+
+Parameters are XML encoded in the body of the request, in the following format:
+
+::
+
+  <BucketLoggingStatus xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
+  </BucketLoggingStatus>
+
+
+HTTP Response
+~~~~~~~~~~~~~
+
++---------------+-----------------------+----------------------------------------------------------+
+| HTTP Status   | Status Code           | Description                                              |
++===============+=======================+==========================================================+
+| ``404``       | NoSuchBucket          | The bucket does not exist                                |
++---------------+-----------------------+----------------------------------------------------------+
+
+Get Bucket Logging
+------------------
+
+Get logging configured on a bucket.
+
+Syntax
+~~~~~~
+
+::
+
+    GET /{bucket}?logging HTTP/1.1 
+
+
+Response Entities
+~~~~~~~~~~~~~~~~~
+
+Response is XML encoded in the body of the request, in the following format:
+
+::
+
+  <BucketLoggingStatus xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
+    <LoggingEnabled>
+      <TargetBucket>string</TargetBucket>
+      <TargetGrants>
+        <Grant>
+          <Grantee>
+            <DisplayName>string</DisplayName>
+            <EmailAddress>string</EmailAddress>
+            <ID>string</ID>
+            <xsi:type>string</xsi:type>
+            <URI>string</URI>
+          </Grantee>
+          <Permission>string</Permission>
+        </Grant>
+      </TargetGrants>
+      <TargetObjectKeyFormat>
+        <PartitionedPrefix>
+          <PartitionDateSource>DeliveryTime|EventTime</PartitionDateSource>
+        </PartitionedPrefix>
+        <SimplePrefix>
+        </SimplePrefix>
+      </TargetObjectKeyFormat>
+      <TargetPrefix>string</TargetPrefix>
+      <LoggingType>Standard|Journal</LoggingType>
+      <ObjectRollTime>integer</ObjectRollTime>
+    </LoggingEnabled>
+  </BucketLoggingStatus>
+
+
+HTTP Response
+~~~~~~~~~~~~~
+
++---------------+-----------------------+----------------------------------------------------------+
+| HTTP Status   | Status Code           | Description                                              |
++===============+=======================+==========================================================+
+| ``404``       | NoSuchBucket          | The bucket does not exist                                |
++---------------+-----------------------+----------------------------------------------------------+
+