From: Yuval Lifshitz
Date: Mon, 31 Mar 2025 18:15:06 +0000 (+0000)
Subject: rgw/logging: test bucket logging with accounts
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=899afe1613fb0b4e229896547623e9b64db0c07e;p=s3-tests.git
rgw/logging: test bucket logging with accounts
Signed-off-by: Yuval Lifshitz
---
diff --git a/s3tests_boto3/functional/__init__.py b/s3tests_boto3/functional/__init__.py
index 08f884be..752080f2 100644
--- a/s3tests_boto3/functional/__init__.py
+++ b/s3tests_boto3/functional/__init__.py
@@ -466,6 +466,18 @@ def get_iam_s3client(**kwargs):
 **kwargs)
 return client
+def get_iam_root_s3client(**kwargs):
+ kwargs.setdefault('aws_access_key_id', config.iam_root_access_key)
+ kwargs.setdefault('aws_secret_access_key', config.iam_root_secret_key)
+ kwargs.setdefault('config', Config(signature_version='s3v4'))
+
+ client = boto3.client(service_name='s3',
+ endpoint_url=config.default_endpoint,
+ use_ssl=config.default_is_secure,
+ verify=config.default_ssl_verify,
+ **kwargs)
+ return client
+
 def get_iam_root_client(**kwargs):
 kwargs.setdefault('service_name', 'iam')
 kwargs.setdefault('region_name', '')
diff --git a/s3tests_boto3/functional/test_s3.py b/s3tests_boto3/functional/test_s3.py
index 870baf3e..4f6351e7 100644
--- a/s3tests_boto3/functional/test_s3.py
+++ b/s3tests_boto3/functional/test_s3.py
@@ -68,6 +68,7 @@ from . import (
 get_alt_email,
 get_alt_client,
 get_iam_root_client,
+ get_iam_root_s3client,
 get_tenant_client,
 get_v2_tenant_client,
 get_tenant_iam_client,
@@ -15299,7 +15300,7 @@ def test_bucket_logging_permission_change_j():
 _bucket_logging_permission_change('Journal')
-def _bucket_logging_tenant_objects(src_client, src_bucket_name, log_client, log_bucket_name, log_type, op_name):
+def _bucket_logging_objects(src_client, src_bucket_name, log_client, log_bucket_name, log_type, op_name):
 num_keys = 5
 for j in range(num_keys):
 name = 'myobject'+str(j)
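Review bot: `get_iam_root_s3client` in `s3tests_boto3/functional/__init__.py` passes `endpoint_url`, `use_ssl` and `verify` as explicit keywords next to `**kwargs`, so a caller that supplies any of the three gets a `TypeError` for a duplicate keyword instead of an override, while the credentials and signature config just above it can be overridden through `setdefault`. Moving them to `kwargs.setdefault('endpoint_url', config.default_endpoint)`, `kwargs.setdefault('use_ssl', config.default_is_secure)` and `kwargs.setdefault('verify', config.default_ssl_verify)` would make the helper consistent with its own first three lines. A one-line docstring such as `"""Return an S3 client signed with the IAM account root user's keys."""` would also help, because the name is easy to confuse with `get_iam_root_client`, which builds an IAM service client.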
@@ -15341,7 +15342,7 @@ def _put_bucket_logging_tenant(log_type):
 'LoggingEnabled': logging_enabled,
 })
 assert response['ResponseMetadata']['HTTPStatusCode'] == 200
- _bucket_logging_tenant_objects(client, src_bucket_name, tenant_client, log_bucket_name, log_type, 'REST.PUT.OBJECT')
+ _bucket_logging_objects(client, src_bucket_name, tenant_client, log_bucket_name, log_type, 'REST.PUT.OBJECT')
 # src is on default tenant and log is on a different tenant with the same name
 src_bucket_name = get_new_bucket_name()
@@ -15359,7 +15360,7 @@ def _put_bucket_logging_tenant(log_type):
 'LoggingEnabled': logging_enabled,
 })
 assert response['ResponseMetadata']['HTTPStatusCode'] == 200
- _bucket_logging_tenant_objects(client, src_bucket_name, tenant_client, log_bucket_name, log_type, 'REST.PUT.OBJECT')
+ _bucket_logging_objects(client, src_bucket_name, tenant_client, log_bucket_name, log_type, 'REST.PUT.OBJECT')
 try:
@@ -15399,7 +15400,7 @@ def _put_bucket_logging_tenant(log_type):
 'LoggingEnabled': logging_enabled,
 })
 assert response['ResponseMetadata']['HTTPStatusCode'] == 200
- _bucket_logging_tenant_objects(client, src_bucket_name, client, log_bucket_name, log_type, 'REST.PUT.OBJECT')
+ _bucket_logging_objects(client, src_bucket_name, client, log_bucket_name, log_type, 'REST.PUT.OBJECT')
 # src and log are on the same tenant
 # log bucket name is set without tenant
@@ -15417,7 +15418,7 @@ def _put_bucket_logging_tenant(log_type):
 'LoggingEnabled': logging_enabled,
 })
 assert response['ResponseMetadata']['HTTPStatusCode'] == 200
- _bucket_logging_tenant_objects(client, src_bucket_name, client, log_bucket_name, log_type, 'REST.PUT.OBJECT')
+ _bucket_logging_objects(client, src_bucket_name, client, log_bucket_name, log_type, 'REST.PUT.OBJECT')
 # src is on tenant and log is on the default tenant
 # log bucket name is set with explicit default tenant
@@ -15435,7 +15436,7 @@ def _put_bucket_logging_tenant(log_type):
 'LoggingEnabled': logging_enabled,
 })
 assert response['ResponseMetadata']['HTTPStatusCode'] == 200
- _bucket_logging_tenant_objects(client, src_bucket_name, log_client, log_bucket_name, log_type, 'REST.PUT.OBJECT')
+ _bucket_logging_objects(client, src_bucket_name, log_client, log_bucket_name, log_type, 'REST.PUT.OBJECT')
 try:
 # src is on tenant and log is on the default tenant
@@ -15472,6 +15473,77 @@ def test_put_bucket_logging_tenant_j():
 _put_bucket_logging_tenant('Journal')
+def _put_bucket_logging_account(log_type):
+ # src is default user and log is in an account user
+ src_bucket_name = get_new_bucket_name()
+ src_bucket = get_new_bucket_resource(name=src_bucket_name)
+ log_bucket_name = get_new_bucket_name()
+ log_client = get_iam_root_s3client()
+ log_bucket = get_new_bucket(client=log_client, name=log_bucket_name)
+ client = get_client()
+ prefix = 'log/'
+ _set_log_bucket_policy_tenant(log_client, "", log_bucket_name, "", get_main_user_id(), [src_bucket_name], [prefix])
+ logging_enabled = {'TargetBucket': log_bucket_name, 'TargetPrefix': prefix}
+ if log_type == 'Journal':
+ logging_enabled['LoggingType'] = 'Journal'
+ response = client.put_bucket_logging(Bucket=src_bucket_name, BucketLoggingStatus={
+ 'LoggingEnabled': logging_enabled,
+ })
+ assert response['ResponseMetadata']['HTTPStatusCode'] == 200
+ _bucket_logging_objects(client, src_bucket_name, log_client, log_bucket_name, log_type, 'REST.PUT.OBJECT')
+
+ # src and log are in an iam account
+ client = get_iam_root_s3client()
+ iam_client = get_iam_root_client()
+ iam_user = iam_client.get_user()['User']['Arn'].split(':')[-2] # Get the IAM user name from ARN
+ src_bucket_name = get_new_bucket_name()
+ src_bucket = get_new_bucket(client=client, name=src_bucket_name)
+ log_bucket_name = get_new_bucket_name()
+ log_bucket = get_new_bucket(client=client, name=log_bucket_name)
+ _set_log_bucket_policy_tenant(client, "", log_bucket_name, "", iam_user, [src_bucket_name], [prefix])
+ logging_enabled = {'TargetBucket': log_bucket_name, 'TargetPrefix': prefix}
+ if log_type == 'Journal':
+ logging_enabled['LoggingType'] = 'Journal'
+ response = client.put_bucket_logging(Bucket=src_bucket_name, BucketLoggingStatus={
+ 'LoggingEnabled': logging_enabled,
+ })
+ assert response['ResponseMetadata']['HTTPStatusCode'] == 200
+ _bucket_logging_objects(client, src_bucket_name, client, log_bucket_name, log_type, 'REST.PUT.OBJECT')
+
+ # src is in an iam account and log is the default user
+ client = get_iam_root_s3client()
+ iam_client = get_iam_root_client()
+ iam_user = iam_client.get_user()['User']['Arn'].split(':')[-2] # Get the IAM user name from ARN
+ src_bucket_name = get_new_bucket_name()
+ src_bucket = get_new_bucket(client=client, name=src_bucket_name)
+ log_client = get_client()
+ log_bucket_name = get_new_bucket_name()
+ log_bucket = get_new_bucket(client=log_client, name=log_bucket_name)
+ _set_log_bucket_policy_tenant(log_client, "", log_bucket_name, "", iam_user, [src_bucket_name], [prefix])
+ logging_enabled = {'TargetBucket': log_bucket_name, 'TargetPrefix': 'log/'}
+ if log_type == 'Journal':
+ logging_enabled['LoggingType'] = 'Journal'
+ response = client.put_bucket_logging(Bucket=src_bucket_name, BucketLoggingStatus={
+ 'LoggingEnabled': logging_enabled,
+ })
+ assert response['ResponseMetadata']['HTTPStatusCode'] == 200
+ _bucket_logging_objects(client, src_bucket_name, log_client, log_bucket_name, log_type, 'REST.PUT.OBJECT')
+
+
+@pytest.mark.bucket_logging
+@pytest.mark.fails_on_aws
+def test_put_bucket_logging_account_s():
+ _put_bucket_logging_account('Standard')
+
+
+@pytest.mark.bucket_logging
+@pytest.mark.fails_on_aws
+def test_put_bucket_logging_account_j():
+ if not _has_bucket_logging_extension():
+ pytest.skip('ceph extension to bucket logging not supported at client')
+ _put_bucket_logging_account('Journal')
+
+
 @pytest.mark.bucket_logging
 def test_rm_bucket_logging():
 src_bucket_name = get_new_bucket_name()
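Review bot: In `_put_bucket_logging_account`, `iam_client.get_user()['User']['Arn'].split(':')[-2]` picks the second-to-last ARN field, which in the usual `arn:partition:service:region:account-id:resource` layout is the account ID rather than a user name, so the `iam_user` name and the `# Get the IAM user name from ARN` comment are misleading in both scenarios that use them. I would rename the variable to `account_id` and change the comment to `# account ID field of the ARN`. All three scenarios are positive ones: nothing here asserts that `put_bucket_logging` (or the later log delivery) fails when the log bucket's policy does not name the source owner, which is the check that matters most for cross-account log writes; the tenant variant appears to have `try:` blocks for that, but their bodies are outside the visible hunks. The third scenario also hard-codes `'TargetPrefix': 'log/'` where the first two use `prefix`.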