-
Notifications
You must be signed in to change notification settings - Fork 242
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CLDSRV-584 Limit backbeat API versioning check to replication operations #5707
base: development/7.10
Are you sure you want to change the base?
Conversation
Hello nicolas2bert,My role is to assist you with the merge of this Available options
Available commands
Status report is not available. |
Branches have divergedThis pull request's source branch To avoid any integration risks, please re-synchronize them using one of the
Note: If you choose to rebase, you may have to ask me to rebuild |
Branches have divergedThis pull request's source branch To avoid any integration risks, please re-synchronize them using one of the
Note: If you choose to rebase, you may have to ask me to rebuild |
130300a
to
87a5fbf
Compare
Incorrect fix versionThe
Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:
Please check the |
@bert-e reset |
Reset completeI have successfully deleted this pull request's integration branches. |
Incorrect fix versionThe
Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:
Please check the |
ping |
Request integration branchesWaiting for integration branch creation to be requested by the user. To request integration branches, please comment on this pull request with the following command:
Alternatively, the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
lib/routes/routeBackbeat.js
Outdated
// The following makes sure that only replication destination-related operations (non-GET requests) | ||
// target buckets with versioning enabled. | ||
// This allows lifecycle operations (which use GET requests) to work on non-versioned buckets. | ||
if (request.method !== 'GET' && (!versioningConfig || versioningConfig.Status !== 'Enabled')) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lifecycle does not only perform GET
operations : it also deletes objects (expiration), deletes data associated with objects (transition and restored-object-expiration), and puts metadata of objects...
so i fear such broad filtering in the router may introduce other issues.
→ Is there a way instead to identify the few "actions" performed by CRR replication (e.g. putObjectVersion, putObjectMetadata), maybe with some additional condition on the parameters/fields, to confirm? Then the check cna be performed direclty in each of these action handlers.
→ Otherwise, may be better to "isolate" the calls with specific CRR/lifecycle routes, or maybe simply add an extra parameter to enforce the check (IfVersioned
maybe ?)
→ Alternatively, instead of making it a "core" feature in the code, could it be achieve through policies? e.g. the replication user will not have permissions to write to non-versioned bucket? (need to check if this is a kind of policy we support or even can define, but would be an elegant and simple solution I think)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- S3C Lifecycle expiration (transition is not supported yet) only uses backbeat client GET operation:
getMetadata
. Delete object/version is done by the S3 client itself that uses the s3 route.
Is there a way instead to identify the few "actions" performed by CRR replication (e.g. putObjectVersion, putObjectMetadata)
-
Replication uses
putData
,putMetadata
andbatchDelete
's backebatAPI routes. Limiting the versioning check to those actions makes sense and is more explicit. HoweverputMetadata
is also used by lifecycle transition so it will not solve the lifecycle transition future implementation. -
This PR is a fix, so I am not comfortable introducing new CRR/lifeycle routes for it. But it will be needed once we introduce lifecycle transition in S3C.
the replication user will not have permissions to write to non-versioned bucket?
- I thought about it, but it does not exist.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
batchDelete
route is used for lifecycle as well.
This PR is a fix, so I am not comfortable introducing new CRR/lifeycle routes for it. But it will be needed once we introduce lifecycle transition in S3C.
Fine with me ; however the code will waterflow and in the not-so-long future we should converge Cloudserver: so whatever you change will break lifecycle in Zenko.
So I'd rather make the check conditional anyway, and let the "caller" decide if the bucket must be versionned: e..g. simply add an extra parameter to enforce the check (IfVersioned
maybe ?) : then backbeat can be updated to required versioning if and if required, without introducing backbeat logic/constraints in cloudserver.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I am aligned with it.
Incorrect fix versionThe
Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:
Please check the |
Incorrect fix versionThe
Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:
Please check the |
Incorrect fix versionThe
Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:
Please check the |
87a5fbf
to
b5160b9
Compare
Incorrect fix versionThe
Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:
Please check the |
lib/routes/routeBackbeat.js
Outdated
// The following makes sure that only replication destination-related operations | ||
// target buckets with versioning enabled. | ||
// This allows lifecycle expiration operations (getMetadata) to work on non-versioned buckets. | ||
const isCRRDestinationRequest = request.method === 'PUT' && | ||
(request.resourceType === 'data' || request.resourceType === 'metadata'); | ||
if (isCRRDestinationRequest && (!versioningConfig || versioningConfig.Status !== 'Enabled')) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To reduce coupling, I'd rather make this generic and let the caller (i.e. backbeat, who has full context!) specify if versioning is required, without introducing replication-related logic (which could actually change!) here.
something like:
// The following makes sure that only replication destination-related operations | |
// target buckets with versioning enabled. | |
// This allows lifecycle expiration operations (getMetadata) to work on non-versioned buckets. | |
const isCRRDestinationRequest = request.method === 'PUT' && | |
(request.resourceType === 'data' || request.resourceType === 'metadata'); | |
if (isCRRDestinationRequest && (!versioningConfig || versioningConfig.Status !== 'Enabled')) { | |
if (request.headers['x-scal-if-versionning-enabled'] && (!versioningConfig || versioningConfig.Status !== 'Enabled')) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated.
887d250
to
b3f446a
Compare
lib/routes/routeBackbeat.js
Outdated
if (!versioningConfig || versioningConfig.Status !== 'Enabled') { | ||
// The following makes sure that only replication destination-related operations | ||
// target buckets with versioning enabled. | ||
const isVersioningEnabled = request.headers['x-scal-versioning-enabled'] === 'true'; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: isVersioningEnabled
should be something like checkVersioningEnabled
similarly, i wonder if the header should be renamed to something more explicit, like x-scal-versioning-required
or x-scal-if-versioning-enabled
?
Incorrect fix versionThe
Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:
Please check the |
@@ -1513,13 +1514,16 @@ describeSkipIfAWS('backbeat routes', () => { | |||
done(); | |||
})); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should add tests to verify versioning is not checked when x-scal-versioning-enabled
is not defined or false.
("should not refuse PUT data when bucket is not versioned if x-scal-versioning-enabled is not set")
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, just some small cleanup.
In addition, I wonder if we should be more strict and fail the request if this header is passed to other routes (which do not support it) ?
b3f446a
to
0ec3584
Compare
@bert-e approve |
ConflictA conflict has been raised during the creation of I have not created the integration branch. Here are the steps to resolve this conflict: $ git fetch
$ git checkout -B w/8.8/bugfix/CLDSRV-584/backbeat-api origin/development/8.8
$ git merge origin/w/7.70/bugfix/CLDSRV-584/backbeat-api
$ # <intense conflict resolution>
$ git commit
$ git push -u origin w/8.8/bugfix/CLDSRV-584/backbeat-api The following options are set: approve |
0ec3584
to
b762233
Compare
History mismatchMerge commit #0ec3584cbe3dd3ed61cc0f305ec4d6704b72b177 on the integration branch It is likely due to a rebase of the branch Please use the The following options are set: approve |
Context: In Artesca, when creating a location (whether used for replication or not), you specify both the endpoint and the bucket name where data will be stored. At this stage, Zenko checks that the bucket has versioning enabled. In S3C, it is a bit different, a “replication location” consists of a list of S3C endpoints (replicationEndpoints), and the destination bucket is specified later in the API replication rule (with put-bucket-replication API). Currently, S3C does not check if the destination bucket has versioning enabled. This means data could be replicated from a versioned source bucket to a non-versioned or suspended destination bucket, which can cause issues. e.g. https://scality.atlassian.net/browse/S3C-821 Current solution: A validation step was added to the Backbeat API in cloudserver. This check rejects any requests made to buckets that either do not have versioning enabled or have versioning suspended. This check makes sure the Backbeat API only works with buckets that have versioning enabled. This prevents operations on destination buckets where versioning is disabled or suspended, hense maintaining proper version control. On the source, we should be fine. Cloudserver prevents setting up replication on a bucket if its versioning is disabled or suspended, and it prevents changing a bucket’s versioning to suspended while replication is ongoing. Issue: The Backbeat API is also used for lifecycle, which works on both versioned and non-versioned buckets. The current versioning check affects the lifecycle operations, which should be allowed on non-versioned buckets. Proposed solution: Modify the Backbeat API to apply the bucket versioning check only to actions related to the replication destination buckets (such as PUT, POST, and DELETE requests). Implement a new client header x-scal-versioning-required in the Backbeat client to make sure that replication targets only versioned buckets. When this header is set, Cloudserver will make sure that the destination bucket has versioning enabled, preventing replication to non-versioned buckets. This change will ensure that replication only targets versioned buckets and allows lifecycle operations on non-versioned buckets.
b762233
to
1bd502a
Compare
Context:
In Artesca, when creating a location (whether used for replication or not), you specify both the endpoint and the bucket name where data will be stored. At this stage, Zenko checks that the bucket has versioning enabled.
In S3C, it is a bit different, a “replication location” consists of a list of S3C endpoints (replicationEndpoints), and the destination bucket is specified later in the API replication rule (with put-bucket-replication API). Currently, S3C does not check if the destination bucket has versioning enabled. This means data could be replicated from a versioned source bucket to a non-versioned or suspended destination bucket, which can cause issues. e.g. https://scality.atlassian.net/browse/S3C-821
Current solution:
A validation step was added to the Backbeat API in cloudserver. This check rejects any requests made to buckets that either do not have versioning enabled or have versioning suspended. This check makes sure the Backbeat API only works with buckets that have versioning enabled. This prevents operations on destination buckets where versioning is disabled or suspended, hense maintaining proper version control.
On the source, we should be fine. Cloudserver prevents setting up replication on a bucket if its versioning is disabled or suspended, and it prevents changing a bucket’s versioning to suspended while replication is ongoing.
Issue:
The Backbeat API is also used for lifecycle, which works on both versioned and non-versioned buckets. The current versioning check affects the lifecycle operations, which should be allowed on non-versioned buckets.
Proposed solution:
Modify the Backbeat API to apply the bucket versioning check only to actions related to the replication destination buckets (such as PUT, POST, and DELETE requests).
Implement a new client header x-scal-versioning-required in the Backbeat client to make sure that replication targets only versioned buckets. When this header is set, Cloudserver will make sure that the destination bucket has versioning enabled, preventing replication to non-versioned buckets.
This change will ensure that replication only targets versioned buckets and allows lifecycle operations on non-versioned buckets.