ceph - ceph-devel - 2025-01-14

Timestamp (UTC) Message
2025-01-14T02:57:17.224Z
<Zac Dover> @Paulo Castro, <https://github.com/ceph/ceph/pull/61072> is more than just a docs update. Only 5a886ee6ce9e55e9f66da6cff45945fba354bd69 is a docs update. The other three commits are changes to tests and a flake8 change. If you think it's okay, I'll squash these four commits together and merge and backport them. Let me know what you think.
2025-01-14T06:07:41.348Z
<Yu Kun> Good evening, everyone. In the new release Squid, I found it introduced user accounts in rgw to enhance the multi-tenant support. But it didn't explain how to work with the old multi-tenant ways with --tenant. Is there anyone who can explain?
2025-01-14T06:12:47.602Z
<Yu Kun> In Release Squid, RGW supports managed policy, but it looks like it only supports predefined ones, no custom ones? Is there any reason for this limitation?
2025-01-14T06:14:23.513Z
<Yu Kun> In Release Squid, RGW supports user accounts, and can add users into a user account. I saw there is a note in the doc, which said once a user is added into an account, it is permanent and cannot be removed from the account. Why is this limitation needed?
2025-01-14T09:21:23.715Z
<Paulo Castro> Hi Zac.
That is ok.
2025-01-14T09:22:14.816Z
<Zac Dover> @Paulo Castro, Cool. I'll get this squashed, merged, and backported so that it appears on [docs.ceph.com](http://docs.ceph.com). The PRs will be raised by the top of the hour.
2025-01-14T09:22:44.706Z
<Paulo Castro> Thank for looking.
2025-01-14T09:22:48.740Z
<Paulo Castro> Thanks for looking.
2025-01-14T09:22:59.551Z
<Zac Dover> Of course. It's my job.
2025-01-14T09:31:07.647Z
<Zac Dover> @Paulo Castro, The dashboard tests are still failing on <https://github.com/ceph/ceph/pull/61072>, but Afreen has approved them. I'm going to run the dashboard tests again and hope that the failures are just a problem with Jenkins.
2025-01-14T11:45:41.315Z
<Paulo Castro> It has to be that 'cause there are no dashboard specific changes in there.
2025-01-14T11:45:54.690Z
<Paulo Castro> And the dashboard folks had already approved it.
2025-01-14T11:46:07.425Z
<Zac Dover> That's what I figured. We're still waiting on the test to pass.
2025-01-14T11:46:10.778Z
<Zac Dover> I'm keeping an eye on it.
2025-01-14T12:37:31.780Z
<Zac Dover> @Paulo Castro, I will check on this PR in the morning (ten hours from now for me). I'm going to leave it open so that the people in #> can use <https://jenkins.ceph.com/job/ceph-dashboard-pull-requests/17217/> to diagnose the problem. I promise this will get merged.
2025-01-14T15:08:20.857Z
<Casey Bodley> <https://docs.ceph.com/en/squid/radosgw/account/#tenant-isolation> documents the interaction between accounts and tenants. what are you trying to do that's not covered there?
2025-01-14T15:10:20.971Z
<Casey Bodley> correct, i added some aws-managed policies because it was very easy. we're tracking support for customer-managed policy in <https://tracker.ceph.com/issues/69040> but it requires several new iam actions
2025-01-14T15:23:00.982Z
<Casey Bodley> mainly because iam policy is evaluated differently for account users vs normal users. if an account user adds some policy and then removes itself from the account, rgw would stop enforcing the [cross-account policy evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic-cross-account.html). that means the user's policy could grant them access to the resources of other users/accounts

also because [resource ownership](https://docs.ceph.com/en/squid/radosgw/account/#resource-ownership) is now handled by the account, the individual users don't carry much state except their access keys. so instead of supporting migration of users from one account to another, it's easy enough to just delete the user and recreate it in another account
2025-01-14T17:49:17.685Z
<Yehuda Sadeh-Weinraub> @Casey Bodley for some reason the `radosgw-admin olh get` command fails (main branch from a couple of months ago). Seems like the librados op.getxattrs() returns a partial result. Is that a known issue?
2025-01-14T17:51:57.036Z
<Casey Bodley> not known to me. does it always fail, or only once there are too many olh attrs?
2025-01-14T17:52:21.536Z
<Yehuda Sadeh-Weinraub> it always fails for me. Returns EIO as it fails to decode the bufferlist
2025-01-14T17:53:39.766Z
<Yehuda Sadeh-Weinraub> it gets the right xattrs, but the bl is not returned correctly
2025-01-14T17:57:14.047Z
<Yehuda Sadeh-Weinraub> moving messages here: it gets the right xattrs, but the bl is not returned correctly
2025-01-14T17:57:22.641Z
<Yehuda Sadeh-Weinraub> it always fails for me. Returns EIO as it fails to decode the bufferlist
2025-01-14T18:05:51.442Z
<Yehuda Sadeh-Weinraub> oh, I found the issue. It's not that the bl is not returned correctly, we try to access the wrong xattr. That would never have worked
2025-01-14T18:09:28.405Z
<Yu Kun> Thanks, Casey. Actually, I am a little bit confused by the concept of account. Can buckets created by different accounts have the same name? In other words, are all the resources created by different accounts multi-tenant isolated by default?
2025-01-14T18:11:31.728Z
<Casey Bodley> no, bucket namespace isolation is provided by tenant. like in aws, accounts share a bucket namespace by default
2025-01-14T19:00:15.419Z
<Yehuda Sadeh-Weinraub> @Casey Bodley see <https://github.com/ceph/ceph/pull/61370>
2025-01-14T22:56:32.695Z
<Yu Kun> Thanks, Casey. Further question, if an account is created under a tenant, should all the resources owned by this account automatically have the same namespace?
