Bug #62784

open

cross tenant notifications are not supported

Added by Yuval Lifshitz 8 months ago. Updated 8 months ago.

Status: Pending Backport
Priority: Normal
Target version: -
% Done: 0%
Source: Q/A
Tags: notifications backport_processed
Backport: reef
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

When a user of one tenant tries to access notifications of another tenant, the bucket is not found.
test instructions: https://gist.github.com/yuvalif/60063dc67d981b387b382ff0f7f88d91

client error:

botocore.errorfactory.NoSuchKey: An error occurred (NoSuchKey) when calling the GetBucketNotificationConfiguration operation: None

rgw error:

2023-09-10T13:30:31.156+0000 7f28e634f700  1 req 6764337713108432899 0.001000000s s3:pubsub_notifications_get_s3 failed to get bucket 'fish' info, ret = -2
2023-09-10T13:30:31.156+0000 7f28e634f700  2 req 6764337713108432899 0.001000000s s3:pubsub_notifications_get_s3 completing
2023-09-10T13:30:31.156+0000 7f28e634f700 10 req 6764337713108432899 0.001000000s cache get: name=default.rgw.log++script.postrequest.boom : hit (negative entry)
2023-09-10T13:30:31.156+0000 7f28e634f700  2 req 6764337713108432899 0.001000000s s3:pubsub_notifications_get_s3 op status=-2
2023-09-10T13:30:31.156+0000 7f28e634f700  2 req 6764337713108432899 0.001000000s s3:pubsub_notifications_get_s3 http status=404
2023-09-10T13:30:31.156+0000 7f28e634f700  1 ====== req done req=0x7f2893aa9710 op status=-2 http_status=404 latency=0.001000000s ======
2023-09-10T13:30:31.156+0000 7f28e634f700  1 beast: 0x7f2893aa9710: ::1 - world$hello [10/Sep/2023:13:30:31.155 +0000] "GET /boom%3Afish?notification HTTP/1.1" 404 230 - "Boto3/1.23.10 Python/3.6.8 Linux/4.18.0-477.21.1.el8_8.x86_64 Botocore/1.26.10" - latency=0.001000000s

note that when verifying bucket policy, the resource name for the bucket is constructed correctly (with the tenant "boom"):

2023-09-10T13:30:31.156+0000 7f28e634f700 16 req 6764337713108432899 0.001000000s s3:pubsub_notifications_get_s3 verify_bucket_permission: policy: { Version: 2012-10-17, Statements: [ { Sid: Statement, Principal: { * }, Effect: Allow, Action: [ s3:GetBucketNotification, s3:PutBucketNotification ], Resource: [ arn:aws:s3::boom:fish ] } ],  }resource: arn:aws:s3::boom:fish
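
An added example (not part of the original report or of Ceph): a Python scan of RGW "beast" access-log lines for the symptom described above, a 404 on a `?notification` request where the user's tenant differs from the tenant in the bucket name. The function names, the sample lines (including the user `boom$alice`) and the path-style addressing assumption are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Matches the "beast:" access-log line format shown in the rgw error above.
BEAST_RE = re.compile(
    r'beast: \S+ \S+ - (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) /(?P<path>[^ ?"]*)(?:\?(?P<query>[^ "]*))? HTTP/[\d.]+" '
    r'(?P<status>\d{3}) '
)

def split_tenant(name, sep):
    """Split 'tenant<sep>name' into (tenant, name); tenant is '' if absent."""
    tenant, found, rest = name.partition(sep)
    return (tenant, rest) if found else ("", name)

def cross_tenant_notification_404s(lines):
    """Return requests where a user of one tenant got 404 on ?notification
    for a bucket addressed as 'tenant:bucket' in a different tenant."""
    hits = []
    for line in lines:
        m = BEAST_RE.search(line)
        if not m or m["status"] != "404":
            continue
        params = {p.split("=", 1)[0] for p in (m["query"] or "").split("&")}
        if "notification" not in params:
            continue
        # Assumption: path-style addressing, bucket is the first path segment.
        bucket_tenant, bucket = split_tenant(unquote(m["path"]).split("/", 1)[0], ":")
        user_tenant, user = split_tenant(m["user"], "$")
        if bucket_tenant and bucket_tenant != user_tenant:
            hits.append({"method": m["method"], "user_tenant": user_tenant, "user": user,
                         "bucket_tenant": bucket_tenant, "bucket": bucket})
    return hits

# Constructed sample lines, modelled on the access-log line in this report.
_PFX = "2023-09-10T13:30:31.156+0000 7f28e634f700  1 beast: 0x7f2893aa9710: ::1 - "
_TS = "[10/Sep/2023:13:30:31.155 +0000]"
SAMPLE_LOG = [
    f'{_PFX}world$hello {_TS} "GET /boom%3Afish?notification HTTP/1.1" 404 230 - "Boto3/1.23.10" - latency=0.001s',
    f'{_PFX}boom$alice {_TS} "GET /boom%3Afish?notification HTTP/1.1" 200 512 - "Boto3/1.23.10" - latency=0.001s',
    f'{_PFX}world$hello {_TS} "GET /boom%3Afish/key1 HTTP/1.1" 404 230 - "Boto3/1.23.10" - latency=0.001s',
    f'{_PFX}world$hello {_TS} "GET /fish?notification HTTP/1.1" 404 230 - "Boto3/1.23.10" - latency=0.001s',
    "2023-09-10T13:30:31.156+0000 7f28e634f700  2 req 1 0.001s s3:pubsub_notifications_get_s3 completing",
]

if __name__ == "__main__":
    for hit in cross_tenant_notification_404s(SAMPLE_LOG):
        print(hit)
```

Only the first sample line is reported; the same-tenant request, the object GET and the bucket name without a tenant prefix are skipped.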


Related issues 1 (1 open, 0 closed)

Copied to rgw - Backport #62803: reef: cross tenant notifications are not supported (In Progress, Yuval Lifshitz)
#1

Updated by Yuval Lifshitz 8 months ago

  • Status changed from New to Fix Under Review
  • Assignee set to Yuval Lifshitz
  • Pull request ID set to 53369
#2

Updated by Yuval Lifshitz 8 months ago

  • Status changed from Fix Under Review to Pending Backport
#3

Updated by Backport Bot 8 months ago

  • Copied to Backport #62803: reef: cross tenant notifications are not supported added
#4

Updated by Backport Bot 8 months ago

  • Tags changed from notifications to notifications backport_processed