rgw/pubsub: notifications can refer to topics in other accounts/tenants

accounts can use topic policy to grant sns:Publish permissions to other
accounts. the PutBucketNotification op should expect TopicArns from
other accounts. the account name from each TopicArn should be used as
the 'tenant' argument for RGWPubSub's constructor so we look for the
topic in the right namespace

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit a72975821fe36b411982346254a33771f97abb26)

diff --git a/src/rgw/rgw_rest_pubsub.cc b/src/rgw/rgw_rest_pubsub.cc
index b7926e9f7f33ea2d3efca1f3096e2401e3029074..eeba1a060ae5187ec36a882ab5afae1a34318301 100644 (file)
--- a/src/rgw/rgw_rest_pubsub.cc
+++ b/src/rgw/rgw_rest_pubsub.cc
@@ -1140,7 +1140,6 @@ int RGWPSCreateNotifOp::init_processing(optional_yield y)
     return ret;
   }
 
-  const RGWPubSub ps(driver, get_account_or_tenant(s->owner.id), *s->penv.site);
 
   for (const auto& c : configurations.list) {
     const auto& notif_name = c.id;
@@ -1171,6 +1170,7 @@ int RGWPSCreateNotifOp::init_processing(optional_yield y)
                                  std::forward_as_tuple());
     if (insert.second) {
       rgw_pubsub_topic& topic_info = insert.first->second;
+      const RGWPubSub ps(driver, arn->account, *s->penv.site);
       ret = ps.get_topic(this, topic_name, topic_info, y, nullptr);
       if (ret < 0) {
         ldpp_dout(this, 4) << "failed to get topic '" << topic_name << "', ret=" << ret << dendl;
@@ -1298,7 +1298,6 @@ void RGWPSCreateNotifOp::execute_v2(optional_yield y) {
         << s->bucket << ", ret = " << op_ret << dendl;
     return;
   }
-  const RGWPubSub ps(driver, get_account_or_tenant(s->owner.id), *s->penv.site);
   for (const auto& c : configurations.list) {
     const auto& notif_name = c.id;