Merge pull request ceph#61433 from smanjara/wip-fix-tenant-replication

rgw/multisite: fix forwarded requests for tenanted buckets

Reviewed-by: Casey Bodley <[email protected]>

Author: ivancich

src/rgw/rgw_auth_filters.h

@@ -238,6 +238,7 @@ class SysReqApplier : public DecoratedApplier<T> {
   const RGWHTTPArgs& args;
   mutable boost::tribool is_system;
   mutable std::optional<ACLOwner> effective_owner;
+  mutable std::optional<std::string> effective_tenant;
 
 public:
   template <typename U>
@@ -262,6 +263,14 @@ class SysReqApplier : public DecoratedApplier<T> {
     }
     return DecoratedApplier<T>::get_aclowner();
   }
+
+  const std::string& get_tenant() const override {
+    if (effective_tenant) {
+      return *effective_tenant;
+    }
+    return DecoratedApplier<T>::get_tenant();
+  }
+
 };
 
 template <typename T>
@@ -287,6 +296,7 @@ auto SysReqApplier<T>::load_acct_info(const DoutPrefixProvider* dpp) const -> st
     std::string str = args.sys_get(RGW_SYS_PARAM_PREFIX "uid");
     if (!str.empty()) {
       effective_owner.emplace();
+
       effective_owner->id = parse_owner(str);
 
       if (const auto* uid = std::get_if<rgw_user>(&effective_owner->id); uid) {
@@ -296,7 +306,17 @@ auto SysReqApplier<T>::load_acct_info(const DoutPrefixProvider* dpp) const -> st
           throw -EACCES;
         }
         effective_owner->display_name = user->get_display_name();
-      }
+        effective_tenant = uid->tenant;
+      } else if (const auto* id = std::get_if<rgw_account_id>(&effective_owner->id); id) {
+        RGWAccountInfo info;
+        rgw::sal::Attrs attrs;
+        RGWObjVersionTracker objv;
+        int r = driver->load_account_by_id(dpp, null_yield, *id, info, attrs, objv);
+        if (r < 0) {
+          throw -EACCES;
+        }
+        effective_tenant = info.tenant;
+     }
     }
   }
   return user;

src/test/rgw/rgw_multi/tests.py

@@ -586,6 +586,50 @@ def test_bucket_create():
     for zone in zonegroup_conns.zones:
         assert check_all_buckets_exist(zone, buckets)
 
+def test_bucket_create_with_tenant():
+
+    ''' create a bucket from secondary zone under tenant namespace. check if it successfully syncs
+        under the same namespace'''
+
+    zonegroup = realm.master_zonegroup()
+    zonegroup_conns = ZonegroupConns(zonegroup)
+    primary = zonegroup_conns.rw_zones[0]
+    secondary = zonegroup_conns.rw_zones[1]
+
+    access_key = 'abcd'
+    secret_key = 'efgh'
+    tenant = 'testx'
+    uid = 'test'
+
+    tenant_secondary_conn = boto.s3.connection.S3Connection(aws_access_key_id=access_key,
+                                aws_secret_access_key=secret_key,
+                                is_secure=False,
+                                port=secondary.zone.gateways[0].port,
+                                host=secondary.zone.gateways[0].host,
+                                calling_format='boto.s3.connection.OrdinaryCallingFormat')
+
+    tenant_primary_conn = boto.s3.connection.S3Connection(aws_access_key_id=access_key,
+                                aws_secret_access_key=secret_key,
+                                is_secure=False,
+                                port=primary.zone.gateways[0].port,
+                                host=primary.zone.gateways[0].host,
+                                calling_format='boto.s3.connection.OrdinaryCallingFormat')
+
+    cmd = ['user', 'create', '--tenant', tenant, '--uid', uid, '--access-key', access_key, '--secret-key', secret_key, '--display-name', 'tenanted-user']
+    primary.zone.cluster.admin(cmd)
+    zonegroup_meta_checkpoint(zonegroup)
+    try:
+        bucket = tenant_secondary_conn.create_bucket('tenanted-bucket')
+        zonegroup_meta_checkpoint(zonegroup)
+        assert tenant_primary_conn.get_bucket(bucket.name)
+        log.info("bucket exists in tenant namespace")
+        e = assert_raises(boto.exception.S3ResponseError, primary.get_bucket, bucket.name)
+        assert e.error_code == 'NoSuchBucket'
+        log.info("bucket does not exist in default user namespace")
+    finally:
+        cmd = ['user', 'rm', '--tenant', tenant, '--uid', uid, '--purge-data']
+        primary.zone.cluster.admin(cmd)
+
 def test_bucket_recreate():
     zonegroup = realm.master_zonegroup()
     zonegroup_conns = ZonegroupConns(zonegroup)