Re: RGW topic created in wrong (default) tenant

On Wed, Jun 23, 2021 at 2:21 PM Daniel Iwan <iwan.daniel@xxxxxxxxx> wrote:

> Hi
>
> I'm using Ceph Pacific 16.2.1
>
> I'm creating a topic as a user which belongs to a non-default tenant.
> I'm using AWS CLI 2 with v3 authentication enabled
>
> aws --profile=ceph-myprofile --endpoint=$HOST_S3_API --region="" sns create-topic --name=fishtopic --attributes='{"push-endpoint": "http://my-ceph-source-svc.default.svc.cluster.local"}'
> {
>     "TopicArn": "arn:aws:sns:default::fishtopic"
> }
>
> The topic is created in the default tenant, though.
> The user can list topics but sees topics from the default tenant.
>
> aws --profile=ceph-myprofile --endpoint=$HOST_S3_API --region="" sns list-topics
> {
>     "Topics": [
>         {
>             "TopicArn": "arn:aws:sns:default::fishtopic"
>         }
>     ]
> }
>
> Topic is in default tenant
>
> # radosgw-admin topic list --uid none
> {
>     "topics": [
>         {
>             "topic": {
>                 "user": "",
>                 "name": "fishtopic",
>                 "dest": {
>                     "bucket_name": "",
>                     "oid_prefix": "",
>                     "push_endpoint": "http://my-ceph-source-svc.default.svc.cluster.local",
>                     "push_endpoint_args": "Attributes.entry.1.key=push-endpoint&Attributes.entry.1.value=http://my-ceph-source-svc.default.svc.cluster.local&Version=2010-03-31&push-endpoint=http://my-ceph-source-svc.default.svc.cluster.local",
>                     "push_endpoint_topic": "fishtopic",
>                     "stored_secret": "false",
>                     "persistent": "false"
>                 },
>                 "arn": "arn:aws:sns:default::fishtopic",
>                 "opaqueData": ""
>             },
>             "subs": []
>         }
>     ]
> }
>
>
This looks like a bug; the topic should be created in the right tenant.
Please submit a tracker for that.


> When I create a topic over HTTP with a federated user, the topic is created
> in the correct (user's) tenant.
> For some reason the "user" below is "marvel", which is actually the name of
> the tenant.
> Possibly the topic is not owned by the user but rather the tenant.
>
>
Yes. Topics are owned by the tenant. Previously, they were owned by the
user, but since the same topic could be used among different buckets and
different users, this was causing issues (this was fixed here:
https://github.com/ceph/ceph/pull/38136).
The documentation also mentions that in its intro paragraph:
https://docs.ceph.com/en/latest/radosgw/notifications/
For compatibility reasons, the name in the JSON structure still says "user"
:-(


> radosgw-admin topic list --tenant marvel --uid none
> {
>     "topics": [
>         {
>             "topic": {
>                 "user": "marvel",
>                 "name": "MyTopic",
>                 "dest": {
>                     "bucket_name": "",
>                     "oid_prefix": "",
>                     "push_endpoint": "amqp://127.0.0.1",
>                     "push_endpoint_args": "amqp-exchange=rgw-exchange&push-endpoint=amqp://127.0.0.1&use-ssl=false&verify-ssl=false",
>                     "push_endpoint_topic": "MyTopic",
>                     "stored_secret": "false",
>                     "persistent": "false"
>                 },
>                 "arn": "arn:aws:sns:default:marvel:MyTopic",
>                 "opaqueData": ""
>             },
>             "subs": []
>         }
>     ]
> }
>
> Also, what permissions are checked when creating a topic?
> It seems so far I can create a topic without granting any special
> permissions?
>
No permissions are needed to create a topic. However, note that without
proper permissions on the bucket, you cannot create a notification that
associates this topic with the bucket.


> Regards
> Daniel
> _______________________________________________
> ceph-users mailing list -- ceph-users@xxxxxxx
> To unsubscribe send an email to ceph-users-leave@xxxxxxx
>
>
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
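
A check for the symptom discussed in this thread, as an added example (not part of the original messages and not Ceph's own code): it reads JSON shaped like the `radosgw-admin topic list` output quoted above and flags topics whose ARN tenant field is not the expected tenant. The function names and the combined sample listing are assumptions constructed for illustration.

```python
import json

# Constructed sample: the two topics quoted in the thread, merged into one
# listing and trimmed to the fields this check reads.
SAMPLE = """
{"topics": [
  {"topic": {"user": "", "name": "fishtopic",
             "dest": {"push_endpoint": "http://my-ceph-source-svc.default.svc.cluster.local"},
             "arn": "arn:aws:sns:default::fishtopic"}, "subs": []},
  {"topic": {"user": "marvel", "name": "MyTopic",
             "dest": {"push_endpoint": "amqp://127.0.0.1"},
             "arn": "arn:aws:sns:default:marvel:MyTopic"}, "subs": []}
]}
"""

def arn_tenant(arn):
    """Return the tenant field of a topic ARN ('' means the default tenant)."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[:3] != ["arn", "aws", "sns"]:
        raise ValueError(f"not an SNS topic ARN: {arn!r}")
    return parts[4]

def audit_topics(listing_json, expected_tenant):
    """Return (topic name, problem) pairs for topics outside expected_tenant."""
    findings = []
    for entry in json.loads(listing_json).get("topics", []):
        topic = entry["topic"]
        try:
            tenant = arn_tenant(topic["arn"])
        except ValueError as exc:
            findings.append((topic["name"], str(exc)))
            continue
        # The "user" key holds the owning tenant, as explained in the reply.
        owner = topic.get("user", "")
        if tenant != owner:
            findings.append((topic["name"],
                             f"ARN tenant {tenant!r} != owner field {owner!r}"))
        if tenant != expected_tenant:
            where = tenant or "default (empty)"
            endpoint = topic.get("dest", {}).get("push_endpoint", "")
            findings.append((topic["name"],
                             f"in tenant {where}, expected {expected_tenant!r}; "
                             f"push endpoint {endpoint}"))
    return findings

if __name__ == "__main__":
    for name, problem in audit_topics(SAMPLE, "marvel"):
        print(f"{name}: {problem}")
```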


