Project

General

Profile

Bug #22984

RGWs crash when I try to set a policy

Added by David González Ruiz over 1 year ago. Updated over 1 year ago.

Status:
Duplicate
Priority:
Normal
Assignee:
Category:
-
Target version:
Start date:
02/12/2018
Due date:
% Done:

0%

Source:
Tags:
Backport:
Regression:
No
Severity:
2 - major
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:

Description

I am trying to set a policy to a bucket in order to have users that can only read (for debugging purposes). I do it in the following way:

s3cmd --host=ceph-rgw setpolicy policy s3://bucket

The policy is:

{
    "Version": "2012-10-17",
    "Id": "01",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "d.ruiz" 
            },
            "Action": [
                "s3:GetObject",
                "s3:ListBucket" 
            ],
            "Resource": [
                "arn:aws:s3:::bucket/*",
            ]
        }
    ]
}

At the moment I run the setpolicy command, the gateway crashes and logs the following error:

2018-02-12 13:40:43.979192 I | rgw: radosgw: /usr/include/boost/optional/optional.hpp:878: boost::optional<T>::pointer_type boost::optional<T>::operator->() [with T = rgw::IAM::ARN; boost::optional<T>::pointer_type = rgw::IAM::ARN*]: Assertion `this->is_initialized()' failed.
failed to run rgw. failed to start rgw: Failed to complete rgw: signal: aborted (core dumped)

This makes the service unavailable for some seconds until the service is restarted. Can anybody provide insights on this? I am running:

ceph version af31b0aa0 (5af31b0aa028c6a69306c890f8d91fb9463a28f7) luminous (stable)

Thank you!

History

#1 Updated by David González Ruiz over 1 year ago

The way AWS identifier is specified does not seem to be the source of issues; switching to this notation does not work either:

            "Principal": {"AWS": ["arn:aws:iam::d.ruiz"]},

The uid does exist.

#2 Updated by David González Ruiz over 1 year ago

It seems that using the following user arn made the setpolicy operation work, but the policy is still not functional.

arn:aws:iam::${RGW DNS SETTING HERE}:user/d.ruiz

#3 Updated by Matt Benjamin over 1 year ago

  • Status changed from New to In Progress
  • Assignee set to Adam Emerson

@adam, could you have a look at this?

Matt

#4 Updated by Adam Emerson over 1 year ago

Could you try against master or upstream luminous? I believe this bug is fixed in both and simply hadn't percolated its way into the last stable luminous release yet.

(We have another luminous coming out soon so the fix should be in that.)

#5 Updated by Adam Emerson over 1 year ago

It shouldn't be an RGW DNS setting. The thing to put there should be the tenant name, or nothing if you're using the default tenant.

#6 Updated by Adam Emerson over 1 year ago

  • Status changed from In Progress to Duplicate

Also available in: Atom PDF