From: Matt Benjamin <mbenjamin@redhat.com>
Date: Thu, 25 Feb 2021 22:39:08 +0000 (-0500)
Subject: rgw: objectlock: improve client error messages
X-Git-Tag: v15.2.13~10^2~25^2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=81cb385d403c6fd1beeb9c5a33b96937023c32b4;p=ceph.git

rgw: objectlock: improve client error messages

A bucket object lock configuration can only be set on buckets
created with the object-lock option enabled.  Likewise, on
object lock or object retention hold can only be set on objects
in buckets with object lock enabled.  Object lock and related
policy and policy violations are also potentially confusing
to client users.

Raise the debug level to 4, but add a human-readable client error
message, when object lock constraints are violated.

Fixes: https://tracker.ceph.com/issues/49541

Signed-off-by: Matt Benjamin <mbenjamin@redhat.com>
(cherry picked from commit 7583374e5294b1c1c16068999123fef98827e9dc)

Conflicts:
	src/rgw/rgw_op.cc
---

diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index fca7deb11896..48247809d358 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -955,7 +955,6 @@ int retry_raced_bucket_write(RGWRados* g, req_state* s, const F& f) {
 }
 }
 
-
 int RGWGetObj::verify_permission()
 {
   obj = rgw_obj(s->bucket, s->object);
@@ -2669,6 +2668,8 @@ void RGWSetBucketVersioning::execute()
     return;
 
   if (s->bucket_info.obj_lock_enabled() && versioning_status != VersioningEnabled) {
+    s->err.message = "bucket versioning cannot be disabled on buckets with object lock enabled";
+    ldpp_dout(this, 4) << "ERROR: " << s->err.message << dendl;
     op_ret = -ERR_INVALID_BUCKET_STATE;
     return;
   }
@@ -7825,7 +7826,8 @@ int RGWPutBucketObjectLock::verify_permission()
 void RGWPutBucketObjectLock::execute()
 {
   if (!s->bucket_info.obj_lock_enabled()) {
-    ldpp_dout(this, 0) << "ERROR: object Lock configuration cannot be enabled on existing buckets" << dendl;
+    s->err.message = "object lock configuration can't be set if bucket object lock not enabled";
+    ldpp_dout(this, 4) << "ERROR: " << s->err.message << dendl;
     op_ret = -ERR_INVALID_BUCKET_STATE;
     return;
   }
@@ -7853,7 +7855,8 @@ void RGWPutBucketObjectLock::execute()
     return;
   }
   if (obj_lock.has_rule() && !obj_lock.retention_period_valid()) {
-    ldpp_dout(this, 0) << "ERROR: retention period must be a positive integer value" << dendl;
+    s->err.message = "retention period must be a positive integer value";
+    ldpp_dout(this, 4) << "ERROR: " << s->err.message << dendl;
     op_ret = -ERR_INVALID_RETENTION_PERIOD;
     return;
   }
@@ -7916,7 +7919,8 @@ void RGWPutObjRetention::pre_exec()
 void RGWPutObjRetention::execute()
 {
   if (!s->bucket_info.obj_lock_enabled()) {
-    ldpp_dout(this, 0) << "ERROR: object retention can't be set if bucket object lock not configured" << dendl;
+    s->err.message = "object retention can't be set if bucket object lock not configured";
+    ldpp_dout(this, 4) << "ERROR: " << s->err.message << dendl;
     op_ret = -ERR_INVALID_REQUEST;
     return;
   }
@@ -7942,7 +7946,8 @@ void RGWPutObjRetention::execute()
   }
 
   if (ceph::real_clock::to_time_t(obj_retention.get_retain_until_date()) < ceph_clock_now()) {
-    ldpp_dout(this, 0) << "ERROR: the retain until date must be in the future" << dendl;
+    s->err.message = "the retain-until date must be in the future";
+    ldpp_dout(this, 0) << "ERROR: " << s->err.message << dendl;
     op_ret = -EINVAL;
     return;
   }
@@ -7969,6 +7974,7 @@ void RGWPutObjRetention::execute()
     }
     if (ceph::real_clock::to_time_t(obj_retention.get_retain_until_date()) < ceph::real_clock::to_time_t(old_obj_retention.get_retain_until_date())) {
       if (old_obj_retention.get_mode().compare("GOVERNANCE") != 0 || !bypass_perm || !bypass_governance_mode) {
+	s->err.message = "proposed retain-until date shortens an existing retention period and governance bypass check failed";
         op_ret = -EACCES;
         return;
       }
@@ -7996,7 +8002,8 @@ void RGWGetObjRetention::pre_exec()
 void RGWGetObjRetention::execute()
 {
   if (!s->bucket_info.obj_lock_enabled()) {
-    ldpp_dout(this, 0) << "ERROR: bucket object lock not configured" << dendl;
+    s->err.message = "bucket object lock not configured";
+    ldpp_dout(this, 4) << "ERROR: " << s->err.message << dendl;
     op_ret = -ERR_INVALID_REQUEST;
     return;
   }
@@ -8040,7 +8047,8 @@ void RGWPutObjLegalHold::pre_exec()
 
 void RGWPutObjLegalHold::execute() {
   if (!s->bucket_info.obj_lock_enabled()) {
-    ldpp_dout(this, 0) << "ERROR: object legal hold can't be set if bucket object lock not configured" << dendl;
+    s->err.message = "object legal hold can't be set if bucket object lock not enabled";
+    ldpp_dout(this, 4) << "ERROR: " << s->err.message << dendl;
     op_ret = -ERR_INVALID_REQUEST;
     return;
   }
@@ -8092,7 +8100,8 @@ void RGWGetObjLegalHold::pre_exec()
 void RGWGetObjLegalHold::execute()
 {
   if (!s->bucket_info.obj_lock_enabled()) {
-    ldpp_dout(this, 0) << "ERROR: bucket object lock not configured" << dendl;
+    s->err.message = "bucket object lock not configured";
+    ldpp_dout(this, 4) << "ERROR: " << s->err.message << dendl;
     op_ret = -ERR_INVALID_REQUEST;
     return;
   }
@@ -8126,7 +8135,6 @@ void RGWGetClusterStat::execute()
   op_ret = this->store->getRados()->get_rados_handle()->cluster_stat(stats_op);
 }
 
-
 int RGWGetBucketPolicyStatus::verify_permission()
 {
   if (!verify_bucket_permission(this, s, rgw::IAM::s3GetBucketPolicyStatus)) {