Bug #45911
Cannot address buckets in different tenant
Status: open
Description
Using release 15.2.2 on CentOS 8.1
At: https://docs.ceph.com/docs/mimic/radosgw/multitenancy/
There is a suggestion on some code that to address s3 buckets in a different tenant (your AWS creds are for a user in tenant t1, but the bucket you want to address is in tenant t2) you should use a ':' to separate the two, i.e. tenant2:bucketname.
This does not work. Using the AWS CLI (boto3), when doing
aws s3 ls s3://tenant2:bucketname
I get an error:
Invalid bucket name "tenant2:bucketname": Bucket name must match the regex "^[a-zA-Z0-9.\-_]{1,255}$" or be an ARN matching the regex "^arn:(aws).*:s3:[a-z\-0-9]+:[0-9]{12}:accesspoint[/:][a-zA-Z0-9\-]{1,63}$"
(Again this is CentOS 8.1):
In /usr/share/awscli/python/site-packages/botocore/handlers.py, there is a line:
VALID_BUCKET = re.compile(r'^[a-zA-Z0-9.\-_]{1,255}$')
If I change this regex appropriately to include a ':', then I can address the bucket with both the awscli as well as with boto3 code directly.
It should be noted that in the document I mentioned above, the code shown is boto code, NOT boto3. Apparently with boto as opposed to boto3 there is not a problem.
Without patching the regex as I show, there does not appear to be a way to address buckets in other tenants using python boto3 code which includes the awscli.
AWS and the Ceph team need to coordinate a proper fix
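Added example (not part of the original report and not botocore's code): the two patterns quoted above, run offline against constructed names next to two hypothetical widened patterns. It shows that simply adding ':' to the character class also admits malformed names, while allowing one optional `tenant:` prefix does not. `LOOSE`, `TENANT_AWARE`, the function names and the sample names are assumptions.

```python
import re

# Pattern quoted on this page from botocore/handlers.py.
VALID_BUCKET = re.compile(r'^[a-zA-Z0-9.\-_]{1,255}$')
# Access-point ARN pattern quoted in the error message on this page.
VALID_S3_ARN = re.compile(
    r'^arn:(aws).*:s3:[a-z\-0-9]+:[0-9]{12}:accesspoint[/:][a-zA-Z0-9\-]{1,63}$'
)
# Assumption: the loosest edit, ':' added to the character class.
LOOSE = re.compile(r'^[a-zA-Z0-9.\-_:]{1,255}$')
# Assumption: a narrower edit allowing exactly one optional "tenant:" prefix.
TENANT_AWARE = re.compile(
    r'^(?:[a-zA-Z0-9.\-_]{1,255}:)?[a-zA-Z0-9.\-_]{1,255}$'
)


def stock_accepts(name):
    """Check described by the error message: plain name or access-point ARN."""
    return bool(VALID_BUCKET.search(name) or VALID_S3_ARN.search(name))


def compare(name):
    """Report which of the three patterns accept the given bucket string."""
    return {
        "stock": stock_accepts(name),
        "loose": bool(LOOSE.search(name)),
        "tenant_aware": bool(TENANT_AWARE.search(name)),
    }


# Constructed sample names, not taken from a real cluster.
SAMPLES = [
    "bucketname",
    "tenant2:bucketname",
    "tenant2::bucketname",
    ":bucketname",
    "tenant2:",
    "arn:aws:s3:us-east-1:123456789012:accesspoint/myap",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:55} {compare(sample)}")
```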