Bug #59083

closed

Roles not synced across Multi-Site

Added by Aidan Damerell about 1 year ago. Updated about 1 year ago.

Status: Duplicate
Priority: Normal
Assignee: -
Target version: -
% Done: 0%
Source:
Tags:
Backport:
Regression: No
Severity: 1 - critical
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

It would appear as if roles are not synced between primary and secondary zonegroups. This means that a user on the master zone cannot create a role to access resources in the secondary zone.

Master zone:
```
[root@1fd2ea7006e4 /]# radosgw-admin sync status
realm da427d4e-ff66-4306-8a04-5c22e71a2443 (global)
zonegroup 20c1fbf8-5864-4bb8-94f1-a77114babd54 (uk)
zone f11d645c-9345-43ec-8176-8ab11f05029c (uk-west)
metadata sync no sync (zone is master)

[root@1fd2ea7006e4 /]# radosgw-admin role list
[ {
"RoleId": "e86de36a-912d-48f5-9b18-9bd7f8fca0e4",
"RoleName": "nautilus-development-user-1",
"Path": "/",
"Arn": "arn:aws:iam:::role/nautilus-development-user-1",
"CreateDate": "2023-03-15T17:00:45.726Z",
"MaxSessionDuration": 43200,
"AssumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"sts:AssumeRole\",\"Principal\":{\"AWS\":\"arn:aws:iam:::user/nautilus\"}}]}"
}, {
"RoleId": "808a26c9-95e2-461b-b555-a13d34204027",
"RoleName": "nautilus-development-user-9",
"Path": "/",
"Arn": "arn:aws:iam:::role/nautilus-development-user-9",
"CreateDate": "2023-03-15T17:58:38.153Z",
"MaxSessionDuration": 43200,
"AssumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"sts:AssumeRole\",\"Principal\":{\"AWS\":\"arn:aws:iam:::user/nautilus\"}}]}"
}
]

```

Secondary Zone:

```
[root@dfdb1b9a41ea /]# radosgw-admin sync status
realm da427d4e-ff66-4306-8a04-5c22e71a2443 (global)
zonegroup 09aef8d4-202d-4292-8a6c-97d18cfe4160 (na)
zone d474d2aa-e2de-4a28-9ee6-871900bb8ba6 (na-west)
metadata sync syncing
full sync: 0/64 shards
incremental sync: 64/64 shards
metadata is caught up with master

[root@dfdb1b9a41ea /]# radosgw-admin role list
[ {
"RoleId": "9f71d0c0-a872-4c74-985f-78ee72e46b26",
"RoleName": "nautilus-bucket-admin",
"Path": "/nautilus_admin_roles/",
"Arn": "arn:aws:iam:::role/nautilus_admin_roles/nautilus-bucket-admin",
"CreateDate": "2023-03-15T17:49:40.191Z",
"MaxSessionDuration": 3600,
"AssumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/nautilus-dev\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
}
]
```
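
A drift check for the condition reported above, as an added example (not part of the original report or of Ceph): it compares the JSON printed by `radosgw-admin role list` on two zones by role ARN and also flags shared roles whose trust principals differ. The function names and the constructed sample data, trimmed from the output above, are assumptions of this example.

```python
import json

def trust_principals(role):
    """AWS principals allowed to assume the role (the policy is JSON inside JSON)."""
    doc = json.loads(role["AssumeRolePolicyDocument"])
    stmts = doc.get("Statement", [])
    principals = set()
    for stmt in [stmts] if isinstance(stmts, dict) else stmts:
        if stmt.get("Effect") != "Allow":
            continue
        p = stmt.get("Principal", {})
        aws = p.get("AWS", []) if isinstance(p, dict) else p
        principals.update([aws] if isinstance(aws, str) else aws)
    return principals

def role_drift(master_json, secondary_json):
    """Compare two `radosgw-admin role list` outputs, keyed by role ARN."""
    master = {r["Arn"]: r for r in json.loads(master_json)}
    secondary = {r["Arn"]: r for r in json.loads(secondary_json)}
    shared = master.keys() & secondary.keys()
    return {
        "missing_on_secondary": sorted(master.keys() - secondary.keys()),
        "missing_on_master": sorted(secondary.keys() - master.keys()),
        "trust_policy_differs": sorted(
            arn for arn in shared
            if trust_principals(master[arn]) != trust_principals(secondary[arn])
        ),
    }

def _role(name, path, principal):
    """Constructed sample entry shaped like the role list output in the report."""
    policy = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": principal}}]}
    return {"RoleName": name, "Path": path, "Arn": f"arn:aws:iam:::role{path}{name}",
            "AssumeRolePolicyDocument": json.dumps(policy)}

# Constructed sample input mirroring the two zones shown above.
SAMPLE_MASTER = json.dumps([
    _role("nautilus-development-user-1", "/", "arn:aws:iam:::user/nautilus"),
    _role("nautilus-development-user-9", "/", "arn:aws:iam:::user/nautilus"),
])
SAMPLE_SECONDARY = json.dumps([
    _role("nautilus-bucket-admin", "/nautilus_admin_roles/", ["arn:aws:iam:::user/nautilus-dev"]),
])

if __name__ == "__main__":
    print(json.dumps(role_drift(SAMPLE_MASTER, SAMPLE_SECONDARY), indent=2))
```

On a real deployment, the two inputs would be the saved JSON output of `radosgw-admin role list` from each zone, without the shell prompt lines.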


Related issues 1 (1 open, 0 closed)

Is duplicate of rgw - Bug #51068: multisite: metadata sync does not sync STS metadata (e.g., roles, policy, ...) | Pending Backport | Pritha Srivastava

#1

Updated by Casey Bodley about 1 year ago

  • Is duplicate of Bug #51068: multisite: metadata sync does not sync STS metadata (e.g., roles, policy, ...) added
#2

Updated by Casey Bodley about 1 year ago

  • Status changed from New to Duplicate

The fix was recently backported for quincy and should be in the next point release.
