Re: RGW topic created in wrong (default) tenant

On Wed, Jun 23, 2021 at 6:39 PM Daniel Iwan <iwan.daniel@xxxxxxxxx> wrote:

>> this looks like a bug, the topic should be created in the right tenant.
>> please submit a tracker for that.
>>
>
> Thank you for confirming.
> Created here https://tracker.ceph.com/issues/51331
>
>

thanks


>> yes. topics are owned by the tenant. previously, they were owned by the
>> user but since the same topic could be used among different buckets and
>> different users, this was causing issues (was fixed here:
>> https://github.com/ceph/ceph/pull/38136)
>> (documentation also mentioned that in the intro paragraph of the doc:
>> https://docs.ceph.com/en/latest/radosgw/notifications/)
>>
>
> I think it's this section
> ```
> A user can create different topics. A topic entity is defined by its name
> and is per tenant. A user can only associate its topics (via notification
> configuration) with buckets it owns.
> ```
>
>
>> no permissions are needed to create a topic. however, note that without
>> proper permissions on the bucket, you cannot create a notification that
>> associates this topic with the bucket.
>>
>
> Yes, I thought it would be similar to AWS, possibly not implemented/needed
> so far:
>
> https://docs.aws.amazon.com/sns/latest/dg/sns-using-identity-based-policies.html
>
> https://docs.aws.amazon.com/config/latest/developerguide/sns-topic-policy.html
>
> ```
> { "Statement": [{ "Effect": "Allow", "Action": ["sns:CreateTopic",
> "sns:ListTopics", "sns:SetTopicAttributes", "sns:DeleteTopic"], "Resource":
> "*" }] }
> ```
>
> Not having that sns:CreateTopic sns:DeleteTopic leaves room for abuse.
> User could potentially create many topics, delete all topics from
> tenant(s) maliciously or by accident (bugs) etc.
>
>
"tenant" in the RGW is somewhat equivalent to an "account" in AWS. however,
"tenant" does not have all the security aspects that an "account" has.
adding that would be much wider in scope than the creation/deletion of
topics.



> On a deletion note, if I understand correctly, deletion of the topic
> without deletion of all notifications first creates the situation where
> notifications can no longer be deleted due to the topic missing.
> The only option is to re-create the topic and delete notifications first.
>

according to what I tested, this is not the case. deletion of a topic only
prevents the creation of new notifications with that topic.
it does not affect the deletion of notifications with that topic, nor the
actual sending of these notifications.

note that we also added a cascade delete process to delete all
notifications of a bucket when a bucket is deleted.
(it should be in pacific: https://github.com/ceph/ceph/pull/38351)


>
> Btw I enjoyed your FOSDEM presentation
> https://fosdem.org/2021/schedule/event/sds_ceph_rgw_serverless/
>

thank you!

> Any timeframe for native SQS coming to Ceph?
>
no actual timelines... but it should probably land in the main branch later
this year :-)


> Regards
> Daniel
>
>
>
>
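The thread contrasts the AWS SNS identity policy Daniel quoted (`"Resource": "*"`) with the absence of any permission check on topic creation or deletion in RGW, where topics are owned by the tenant. The following is an added example, written for this page and not code from Ceph or from either participant: a small AWS-style policy evaluator (explicit Deny wins, an Allow is otherwise required, default deny) applied to topic ARNs in the `arn:aws:sns:<zonegroup>:<tenant>:<topic>` form used by RGW, showing how the wildcard policy lets a user in one tenant delete another tenant's topic and how a tenant-scoped `Resource` closes that. The zonegroup name `default`, the tenant and topic names, and the helper names (`evaluate`, `topic_arn`, `tenant_scoped_policy`) are assumptions for illustration only; RGW does not perform this check.

```python
"""Hypothetical tenant-scoped permission check for SNS-style topic actions.

Added example, not Ceph/RGW code. RGW (per the thread) needs no permission to
create or delete a topic; this models what an AWS-style identity-policy check
would look like if topic actions were gated by one. Topic ARN format follows
the RGW docs: arn:aws:sns:<zonegroup>:<tenant>:<topic>. Policy evaluation
follows the AWS rules: explicit Deny overrides, otherwise an Allow is needed,
and the default is deny.
"""
import re


def _match(pattern, value):
    """AWS-style wildcard match: '*' matches any run, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(x):
    # AWS policies allow a single string or a list for Action/Resource.
    return x if isinstance(x, list) else [x]


def evaluate(policy, action, resource):
    """Return 'allow' or 'deny' for one (action, resource ARN) request."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if not any(_match(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_match(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt.get("Effect") == "Deny":
            return "deny"          # explicit Deny wins over any Allow
        if stmt.get("Effect") == "Allow":
            allowed = True
    return "allow" if allowed else "deny"


def topic_arn(zonegroup, tenant, topic):
    # ARN layout from the RGW notifications docs (zonegroup stands in for region).
    return f"arn:aws:sns:{zonegroup}:{tenant}:{topic}"


TOPIC_ACTIONS = ["sns:CreateTopic", "sns:ListTopics",
                 "sns:SetTopicAttributes", "sns:DeleteTopic"]

# Weak setting: the policy quoted in the thread, resource unrestricted.
WILDCARD_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": TOPIC_ACTIONS, "Resource": "*"}]}


def tenant_scoped_policy(tenant):
    """Corrected setting: same actions, but only on the caller's own tenant."""
    return {"Statement": [
        {"Effect": "Allow", "Action": TOPIC_ACTIONS,
         "Resource": f"arn:aws:sns:*:{tenant}:*"}]}


def no_delete_policy(tenant):
    """Tenant-scoped allow plus an explicit Deny on DeleteTopic (Deny wins)."""
    p = tenant_scoped_policy(tenant)
    p["Statement"].append(
        {"Effect": "Deny", "Action": "sns:DeleteTopic", "Resource": "*"})
    return p


def demo():
    """Constructed requests from a user in tenantA; names are hypothetical."""
    own = topic_arn("default", "tenantA", "uploads")
    other = topic_arn("default", "tenantB", "uploads")
    scoped = tenant_scoped_policy("tenantA")
    return {
        "wildcard_delete_other": evaluate(WILDCARD_POLICY, "sns:DeleteTopic", other),
        "scoped_delete_own": evaluate(scoped, "sns:DeleteTopic", own),
        "scoped_delete_other": evaluate(scoped, "sns:DeleteTopic", other),
        "scoped_unlisted_action": evaluate(scoped, "sns:Publish", own),
        "explicit_deny_own": evaluate(no_delete_policy("tenantA"), "sns:DeleteTopic", own),
        "explicit_deny_create_own": evaluate(no_delete_policy("tenantA"), "sns:CreateTopic", own),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The tenant boundary lives entirely in the `Resource` pattern: with `*` any principal holding the policy can delete `tenantB`'s topic, while `arn:aws:sns:*:tenantA:*` limits the same actions to ARNs carrying the caller's tenant, and an explicit Deny statement blocks deletion even where an Allow matches.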
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx