From: Krunal Chheda <kchheda3@bloomberg.net>
Date: Tue, 14 Apr 2026 15:18:29 +0000 (+0530)
Subject: qa/rgw: add PutACL backward compatibility test for account migration
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=933e4606c094e82dbf720f60ca50957fcc26e177;p=ceph.git

qa/rgw: add PutACL backward compatibility test for account migration

Test that put-bucket-acl and put-object-acl work both before and after
migrating a user to an account. After migration, the bucket/object ACL
owner is still the old user id, but the requester authenticates as the
account id.

Signed-off-by: Krunal Chheda <kchheda3@bloomberg.net>
---

diff --git a/qa/workunits/rgw/test_account_migration.sh b/qa/workunits/rgw/test_account_migration.sh
index c88dcd265408..39f2b87182b6 100755
--- a/qa/workunits/rgw/test_account_migration.sh
+++ b/qa/workunits/rgw/test_account_migration.sh
@@ -34,6 +34,10 @@ export AWS_SECRET_ACCESS_KEY=$(echo $userinfo | jq -r .keys[0].secret_key)
 aws s3 mb s3://testmigrate
 aws s3api put-object --bucket testmigrate --key obj
 
+# put bucket and object acls before migration
+aws s3api put-bucket-acl --bucket testmigrate --acl private
+aws s3api put-object-acl --bucket testmigrate --key obj --acl private
+
 # create an account and migrate the user as account root
 accountid=$(radosgw-admin account create | jq -r .id)
 radosgw-admin user modify --uid test-account-migration --account-root --account-id=$accountid
@@ -41,6 +45,14 @@ radosgw-admin user modify --uid test-account-migration --account-root --account-
 # verify the migrated user still has access
 aws s3api head-object --bucket testmigrate --key obj
 
+# verify get/put acl backward compatibility after migration.
+# the bucket/object acl owner is still the old user id, but the
+# requester now authenticates as the account id. both should work.
+aws s3api get-bucket-acl --bucket testmigrate
+aws s3api get-object-acl --bucket testmigrate --key obj
+aws s3api put-bucket-acl --bucket testmigrate --acl private
+aws s3api put-object-acl --bucket testmigrate --key obj --acl private
+
 # replace account-root flag with managed policy
 aws iam attach-user-policy --region us-east-1 --user-name MigratedUser \
 	--policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess