
Commit b633b6e

rgw/logging: use bucket policy for logging
Verify that a bucket policy is in place allowing the source bucket to log to the target bucket, following: https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html additional changes: * verify that: * only the bucket owner can enable/disable bucket logging on the bucket * the source and log bucket are in the same zonegroup * the log bucket does not have "requester_pays" set * restricted log bucket definitions don't change * add the owner's display name to the committed object * unify bucket names in debug logs Signed-off-by: Yuval Lifshitz <[email protected]>
1 parent 7869df8 commit b633b6e

4 files changed

+346
-214
lines changed


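--- a/src/rgw/driver/rados/rgw_sal_rados.cc
+++ b/src/rgw/driver/rados/rgw_sal_rados.cc
@@ -1044,7 +1044,7 @@ int RadosBucket::get_logging_object_name(std::string& obj_name,
 rgw_pool data_pool;
 const auto obj_name_oid = bucketlogging::object_name_oid(this, prefix);
 if (!store->getRados()->get_obj_data_pool(get_placement_rule(), rgw_obj{get_key(), obj_name_oid}, &data_pool)) {
-ldpp_dout(dpp, 1) << "ERROR: failed to get data pool for bucket '" << get_name() <<
+ldpp_dout(dpp, 1) << "ERROR: failed to get data pool for bucket '" << get_key() <<
 "' when getting logging object name" << dendl;
 return -EIO;
 }
@@ -1060,6 +1060,10 @@ int RadosBucket::get_logging_object_name(std::string& obj_name,
 nullptr,
 nullptr);
 if (ret < 0) {
+if (ret == -ENOENT) {
+ldpp_dout(dpp, 20) << "INFO: logging object name '" << obj_name_oid << "' not found. ret = " << ret << dendl;
+return ret;
+}
 ldpp_dout(dpp, 1) << "ERROR: failed to get logging object name from '" << obj_name_oid << "'. ret = " << ret << dendl;
 return ret;
 }
@@ -1076,7 +1080,7 @@ int RadosBucket::set_logging_object_name(const std::string& obj_name,
 rgw_pool data_pool;
 const auto obj_name_oid = bucketlogging::object_name_oid(this, prefix);
 if (!store->getRados()->get_obj_data_pool(get_placement_rule(), rgw_obj{get_key(), obj_name_oid}, &data_pool)) {
-ldpp_dout(dpp, 1) << "ERROR: failed to get data pool for bucket '" << get_name() <<
+ldpp_dout(dpp, 1) << "ERROR: failed to get data pool for bucket '" << get_key() <<
 "' when setting logging object name" << dendl;
 return -EIO;
 }
@@ -1108,7 +1112,7 @@ int RadosBucket::remove_logging_object_name(const std::string& prefix,
 rgw_pool data_pool;
 const auto obj_name_oid = bucketlogging::object_name_oid(this, prefix);
 if (!store->getRados()->get_obj_data_pool(get_placement_rule(), rgw_obj{get_key(), obj_name_oid}, &data_pool)) {
-ldpp_dout(dpp, 1) << "ERROR: failed to get data pool for bucket '" << get_name() <<
+ldpp_dout(dpp, 1) << "ERROR: failed to get data pool for bucket '" << get_key() <<
 "' when setting logging object name" << dendl;
 return -EIO;
 }
@@ -1131,7 +1135,7 @@ int RadosBucket::remove_logging_object(const std::string& obj_name, optional_yie
 const auto placement_rule = get_placement_rule();
 
 if (!store->getRados()->get_obj_data_pool(placement_rule, head_obj, &data_pool)) {
-ldpp_dout(dpp, 1) << "ERROR: failed to get data pool for bucket '" << get_name() <<
+ldpp_dout(dpp, 1) << "ERROR: failed to get data pool for bucket '" << get_key() <<
 "' when deleting logging object" << dendl;
 return -EIO;
 }
@@ -1150,8 +1154,8 @@ int RadosBucket::commit_logging_object(const std::string& obj_name, optional_yie
 const auto placement_rule = get_placement_rule();
 
 if (!store->getRados()->get_obj_data_pool(placement_rule, head_obj, &data_pool)) {
-ldpp_dout(dpp, 1) << "ERROR: failed to get data pool for bucket '" << get_name() <<
-"' when comitting logging object" << dendl;
+ldpp_dout(dpp, 1) << "ERROR: failed to get data pool for bucket '" << get_key() <<
+"' when committing logging object" << dendl;
 return -EIO;
 }
 
@@ -1169,7 +1173,7 @@ int RadosBucket::commit_logging_object(const std::string& obj_name, optional_yie
 dpp,
 &obj_attrs,
 nullptr); ret < 0 && ret != -ENOENT) {
-ldpp_dout(dpp, 1) << "ERROR: failed to read logging data when comitting object '" << temp_obj_name
+ldpp_dout(dpp, 1) << "ERROR: failed to read logging data when committing object '" << temp_obj_name
 << ". error: " << ret << dendl;
 return ret;
 } else if (ret == -ENOENT) {
@@ -1188,13 +1192,13 @@ int RadosBucket::commit_logging_object(const std::string& obj_name, optional_yie
 nullptr, // no special placment for tail
 get_key(),
 head_obj); ret < 0) {
-ldpp_dout(dpp, 1) << "ERROR: failed to create manifest when comitting logging object. error: " <<
+ldpp_dout(dpp, 1) << "ERROR: failed to create manifest when committing logging object. error: " <<
 ret << dendl;
 return ret;
 }
 
 if (const auto ret = manifest_gen.create_next(size); ret < 0) {
-ldpp_dout(dpp, 1) << "ERROR: failed to add object to manifest when comitting logging object. error: " <<
+ldpp_dout(dpp, 1) << "ERROR: failed to add object to manifest when committing logging object. error: " <<
 ret << dendl;
 return ret;
 }
@@ -1224,7 +1228,10 @@ int RadosBucket::commit_logging_object(const std::string& obj_name, optional_yie
 // TODO: head_obj_wop.meta.ptag
 // the owner of the logging object is the bucket owner
 // not the user that wrote the log that triggered the commit
-const ACLOwner owner{bucket_info.owner, ""}; // TODO: missing display name
+ACLOwner owner{bucket_info.owner, ""};
+if (auto i = get_attrs().find(RGW_ATTR_ACL); i != get_attrs().end()) {
+std::ignore = store->getRados()->decode_policy(dpp, i->second, &owner);
+}
 head_obj_wop.meta.owner = owner;
 const auto etag = TOPNSPC::crypto::digest<TOPNSPC::crypto::MD5>(bl_data).to_str();
 bufferlist bl_etag;
@@ -1234,7 +1241,7 @@ int RadosBucket::commit_logging_object(const std::string& obj_name, optional_yie
 jspan_context trace{false, false};
 if (const auto ret = head_obj_wop.write_meta(0, size, obj_attrs, rctx, trace); ret < 0) {
 ldpp_dout(dpp, 1) << "ERROR: failed to commit logging object '" << temp_obj_name <<
-"' to bucket id '" << get_info().bucket <<"'. error: " << ret << dendl;
+"' to bucket '" << get_key() <<"'. error: " << ret << dendl;
 return ret;
 }
 ldpp_dout(dpp, 20) << "INFO: committed logging object '" << temp_obj_name <<
@@ -1272,7 +1279,7 @@ int RadosBucket::write_logging_object(const std::string& obj_name,
 rgw_pool data_pool;
 rgw_obj obj{get_key(), obj_name};
 if (!store->getRados()->get_obj_data_pool(get_placement_rule(), obj, &data_pool)) {
-ldpp_dout(dpp, 1) << "ERROR: failed to get data pool for bucket '" << get_name() <<
+ldpp_dout(dpp, 1) << "ERROR: failed to get data pool for bucket '" << get_key() <<
 "' when writing logging object" << dendl;
 return -EIO;
 }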
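Review bot: In the commit_logging_object hunk (new lines 1231-1234), the return value of `decode_policy` is discarded with `std::ignore` and the decode writes straight into `owner`, so whatever the RGW_ATTR_ACL attribute carries becomes the owner of the committed log object; if that attribute is stale or disagrees with `bucket_info.owner`, the log object is silently attributed to a different principal than the comment two lines above promises, and a decode failure leaves no trace in the log. Since the display name is the only thing the commit wants from the ACL, decode into a temporary, check the return value, and copy the display name only when the decoded id matches `bucket_info.owner` (this assumes ACLOwner exposes `id` and `display_name` members; confirm against its definition). Unrelated but adjacent: the remove_logging_object_name hunk still logs `"' when setting logging object name"` on a removal path, where `"' when removing logging object name"` would match the function it sits in. All enclosing function bodies start and end outside these hunks.
```cpp
ACLOwner owner{bucket_info.owner, ""};
if (auto i = get_attrs().find(RGW_ATTR_ACL); i != get_attrs().end()) {
  // only borrow the display name; the owner id must stay the bucket owner
  ACLOwner acl_owner;
  if (const auto r = store->getRados()->decode_policy(dpp, i->second, &acl_owner); r < 0) {
    ldpp_dout(dpp, 5) << "WARNING: failed to decode ACL of bucket '" << get_key()
      << "' when committing logging object. ret = " << r << dendl;
  } else if (acl_owner.id == bucket_info.owner) {
    owner.display_name = acl_owner.display_name;
  }
}
head_obj_wop.meta.owner = owner;
// … unchanged: etag computation and write_meta …
```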
