Bug #59083
Roles not synced across Multi-Site (closed)
Description
It would appear as if roles are not synced between primary and secondary zonegroups. This means that a user on the master zone cannot create a role to access resources in the secondary zone.
Master zone:
```
[root@1fd2ea7006e4 /]# radosgw-admin sync status
realm da427d4e-ff66-4306-8a04-5c22e71a2443 (global)
zonegroup 20c1fbf8-5864-4bb8-94f1-a77114babd54 (uk)
zone f11d645c-9345-43ec-8176-8ab11f05029c (uk-west)
metadata sync no sync (zone is master)
[root@1fd2ea7006e4 /]# radosgw-admin role list
[
{
"RoleId": "e86de36a-912d-48f5-9b18-9bd7f8fca0e4",
"RoleName": "nautilus-development-user-1",
"Path": "/",
"Arn": "arn:aws:iam:::role/nautilus-development-user-1",
"CreateDate": "2023-03-15T17:00:45.726Z",
"MaxSessionDuration": 43200,
"AssumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"sts:AssumeRole\",\"Principal\":{\"AWS\":\"arn:aws:iam:::user/nautilus\"}}]}"
},
{
"RoleId": "808a26c9-95e2-461b-b555-a13d34204027",
"RoleName": "nautilus-development-user-9",
"Path": "/",
"Arn": "arn:aws:iam:::role/nautilus-development-user-9",
"CreateDate": "2023-03-15T17:58:38.153Z",
"MaxSessionDuration": 43200,
"AssumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"sts:AssumeRole\",\"Principal\":{\"AWS\":\"arn:aws:iam:::user/nautilus\"}}]}"
}
]
```
Secondary Zone:
```
[root@dfdb1b9a41ea /]# radosgw-admin sync status
realm da427d4e-ff66-4306-8a04-5c22e71a2443 (global)
zonegroup 09aef8d4-202d-4292-8a6c-97d18cfe4160 (na)
zone d474d2aa-e2de-4a28-9ee6-871900bb8ba6 (na-west)
metadata sync syncing
full sync: 0/64 shards
incremental sync: 64/64 shards
metadata is caught up with master
[root@dfdb1b9a41ea /]# radosgw-admin role list
[
{
"RoleId": "9f71d0c0-a872-4c74-985f-78ee72e46b26",
"RoleName": "nautilus-bucket-admin",
"Path": "/nautilus_admin_roles/",
"Arn": "arn:aws:iam:::role/nautilus_admin_roles/nautilus-bucket-admin",
"CreateDate": "2023-03-15T17:49:40.191Z",
"MaxSessionDuration": 3600,
"AssumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/nautilus-dev\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
}
]
```
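A drift check for the symptom shown in the two listings above, as an added example (not part of the original report or of Ceph): it diffs saved `radosgw-admin role list` JSON from both zones by role ARN and normalizes the trust policies before comparing them. The function names are hypothetical, and it assumes a correctly synced role carries the same `RoleId` in both zones.

```python
import json

LIST_OR_SCALAR = {"Statement", "Action", "AWS"}  # IAM accepts a string or a list here

def normalize(node):
    """Canonicalize a policy so equivalent documents compare equal."""
    if isinstance(node, dict):
        return {k: normalize([v] if k in LIST_OR_SCALAR and not isinstance(v, list) else v)
                for k, v in node.items()}
    if isinstance(node, list):
        return sorted((normalize(v) for v in node), key=lambda v: json.dumps(v, sort_keys=True))
    return node

def load_roles(role_list_json):
    """Index `radosgw-admin role list` output by role ARN."""
    roles = {}
    for role in json.loads(role_list_json):
        roles[role["Arn"]] = {
            "RoleId": role["RoleId"],  # assumption: identical across zones once synced
            "MaxSessionDuration": role["MaxSessionDuration"],
            # The trust policy is a JSON document serialized into a string.
            "TrustPolicy": normalize(json.loads(role["AssumeRolePolicyDocument"])),
        }
    return roles

def diff_roles(master_json, secondary_json):
    """Report roles present in only one zone and, for shared ARNs, which fields differ."""
    master, secondary = load_roles(master_json), load_roles(secondary_json)
    differing = {arn: sorted(f for f in master[arn] if master[arn][f] != secondary[arn][f])
                 for arn in master.keys() & secondary.keys() if master[arn] != secondary[arn]}
    return {"only_on_master": sorted(master.keys() - secondary.keys()),
            "only_on_secondary": sorted(secondary.keys() - master.keys()),
            "differing": differing}

# Listings from the report above, trimmed to the fields compared here.
MASTER = r'''[
 {"RoleId": "e86de36a-912d-48f5-9b18-9bd7f8fca0e4", "Arn": "arn:aws:iam:::role/nautilus-development-user-1", "MaxSessionDuration": 43200,
  "AssumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"sts:AssumeRole\",\"Principal\":{\"AWS\":\"arn:aws:iam:::user/nautilus\"}}]}"},
 {"RoleId": "808a26c9-95e2-461b-b555-a13d34204027", "Arn": "arn:aws:iam:::role/nautilus-development-user-9", "MaxSessionDuration": 43200,
  "AssumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"sts:AssumeRole\",\"Principal\":{\"AWS\":\"arn:aws:iam:::user/nautilus\"}}]}"}
]'''
SECONDARY = r'''[
 {"RoleId": "9f71d0c0-a872-4c74-985f-78ee72e46b26", "Arn": "arn:aws:iam:::role/nautilus_admin_roles/nautilus-bucket-admin", "MaxSessionDuration": 3600,
  "AssumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/nautilus-dev\"]},\"Action\":[\"sts:AssumeRole\"]}]}"}
]'''

if __name__ == "__main__":
    print(json.dumps(diff_roles(MASTER, SECONDARY), indent=2))
```

Any non-empty `only_on_*` list while `sync status` reports "metadata is caught up with master" reproduces the condition described in this report.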
Updated by Casey Bodley about 1 year ago
- Is duplicate of Bug #51068: multisite: metadata sync does not sync STS metadata (e.g., roles, policy, ...) added
Updated by Casey Bodley about 1 year ago
- Status changed from New to Duplicate
The fix was recently backported for quincy and should be in the next point release.