Bug #45911
Cannot address buckets in different tenant
Status: open, 0% done
Description
Using release 15.2.2 on CentOS 8.1
At: https://docs.ceph.com/docs/mimic/radosgw/multitenancy/
There is a suggestion on some code that to address s3 buckets in a different tenant (your AWS creds are for a user in tenant t1, but the bucket you want to address is in tenant t2) you should use a ':' to separate the two, i.e. tenant2:bucketname.
This does not work. Using the AWS CLI (boto3), when doing
aws s3 ls s3://tenant2:bucketname
I get an error:
Invalid bucket name "tenant2:bucketname": Bucket name must match the regex "^[a-zA-Z0-9.\-_]{1,255}$" or be an ARN matching the regex "^arn:(aws).*:s3:[a-z\-0-9]+:[0-9]{12}:accesspoint[/:][a-zA-Z0-9\-]{1,63}$"
(Again this is CentOS 8.1):
In /usr/share/awscli/python/site-packages/botocore/handlers.py, there is a line:
VALID_BUCKET = re.compile(r'^[a-zA-Z0-9.\-_]{1,255}$')
If I change this regex appropriately to include a ':', then I can address the bucket with both the awscli as well as with boto3 code directly.
It should be noted that in the document I mentioned above, the code shown is boto code, NOT boto3. Apparently with boto as opposed to boto3 there is not a problem.
Without patching the regex as I show, there does not appear to be a way to address buckets in other tenants using python boto3 code which includes the awscli.
AWS and the Ceph team need to coordinate a proper fix
Updated by Matt Benjamin almost 4 years ago
- Status changed from New to Triaged
Hi Chris,
This is a known issue, but as it's entirely in boto, we're not sure right now how to proceed. We've filed issues against upstream boto.
Matt
Updated by Pritha Srivastava almost 4 years ago
Hi Chris,
Bucket name validation can be suppressed in boto3 using the following also:
from botocore.handlers import validate_bucket_name
s3client.meta.events.unregister('before-parameter-build.s3', validate_bucket_name)
Thanks,
Pritha
Updated by Chris Durham almost 4 years ago
Pritha Srivastava wrote:
Hi Chris,
Bucket name validation can be suppressed in boto3 using the following also:
from botocore.handlers import validate_bucket_name
s3client.meta.events.unregister('before-parameter-build.s3', validate_bucket_name)
Thanks,
Pritha
That's great for boto3 code, but as far as I know, there is no config or environment variable I can use to do that for the cli without making the change I showed above, correct?
Updated by Casey Bodley almost 4 years ago
Using : to separate bucket and tenant is just broken by design since it doesn't work with dns names.
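The following is an added example, not code from this ticket, from boto, or from the Ceph project. It ties together Pritha's unregister suggestion and Casey's remark about DNS names: it shows why botocore's VALID_BUCKET regex (quoted in the description) rejects "tenant2:bucketname", splits the RGW tenant:bucket form into its parts, checks that such a name can never be a DNS label (so virtual-hosted addressing cannot carry it), and builds a boto3 client that unregisters validate_bucket_name and forces path-style addressing. The endpoint URL and credentials are placeholders, the path-style configuration is my addition rather than something the ticket states, and make_rgw_client assumes boto3 and botocore are installed (its imports are local so the rest of the module runs without them).

```python
import re

# Regex botocore's handlers.py uses for VALID_BUCKET (quoted in the bug
# description). It has no ':' in its character class, so "tenant2:bucketname"
# is rejected client-side before any request reaches RGW.
BOTOCORE_VALID_BUCKET = re.compile(r'^[a-zA-Z0-9.\-_]{1,255}$')

# A single DNS hostname label (RFC 1123 style): letters, digits, hyphens.
# A ':' can never appear here, which is why "tenant:bucket" cannot be used
# as the bucket label of a virtual-hosted-style Host header.
DNS_LABEL = re.compile(r'^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$')


def split_tenant_bucket(name):
    """Split RGW's 'tenant:bucket' form into (tenant, bucket).

    A name without ':' belongs to the caller's own tenant (tenant=None).
    Each half is checked against botocore's own bucket regex, so only the
    separator is relaxed, not the character set of the parts.
    """
    tenant, sep, bucket = name.partition(':')
    if not sep:
        tenant, bucket = None, name
    if tenant is not None and not BOTOCORE_VALID_BUCKET.match(tenant):
        raise ValueError('invalid tenant %r' % tenant)
    if not BOTOCORE_VALID_BUCKET.match(bucket):
        raise ValueError('invalid bucket %r' % bucket)
    return tenant, bucket


def botocore_accepts(name):
    """True if unpatched botocore's client-side check would let the name through."""
    return BOTOCORE_VALID_BUCKET.match(name) is not None


def usable_as_virtual_host(name):
    """True if the bucket name could be placed in a Host header as one label.

    This is Casey's point: 'tenant:bucket' is never a valid DNS label, so a
    cross-tenant name only works when the bucket is sent in the URL path.
    """
    return DNS_LABEL.match(name) is not None


def make_rgw_client(endpoint_url, access_key, secret_key):
    """Build a boto3 S3 client for RGW that accepts 'tenant:bucket' names.

    Assumes boto3/botocore are installed (imports are local on purpose).
    Unregisters botocore's validate_bucket_name handler, as suggested in the
    ticket, and forces path-style addressing (my addition) so the name is put
    in the request path rather than in the Host header.
    """
    import boto3
    from botocore.config import Config
    from botocore.handlers import validate_bucket_name

    client = boto3.client(
        's3',
        endpoint_url=endpoint_url,
        aws_access_key_id=access_key,
        aws_secret_access_key=secret_key,
        config=Config(s3={'addressing_style': 'path'}),
    )
    client.meta.events.unregister('before-parameter-build.s3', validate_bucket_name)
    return client


if __name__ == '__main__':
    # Constructed sample names, mirroring the ones in the bug description.
    for name in ('bucketname', 'tenant2:bucketname'):
        print(name,
              'botocore accepts:', botocore_accepts(name),
              'virtual-host capable:', usable_as_virtual_host(name),
              'parts:', split_tenant_bucket(name))
    # Placeholder endpoint and credentials; replace with your RGW values.
    # client = make_rgw_client('http://rgw.example.invalid:8080', 'ACCESS_KEY', 'SECRET_KEY')
    # client.list_objects_v2(Bucket='tenant2:bucketname')
```

Note that this only relaxes the check in your own boto3 code; as Chris points out, the AWS CLI has no configuration or environment variable that exposes the same hook, so the CLI still needs the handlers.py change described in the ticket.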