CLDSRV-584 Limit backbeat API versioning check to replication operations #5707
Conversation
Hello nicolas2bert,My role is to assist you with the merge of this Available options
Available commands
Status report is not available. |
nicolas2bert
changed the base branch from
development/8.8
to
development/7.70
Branches have divergedThis pull request's source branch To avoid any integration risks, please re-synchronize them using one of the
Note: If you choose to rebase, you may have to ask me to rebuild |
Branches have divergedThis pull request's source branch To avoid any integration risks, please re-synchronize them using one of the
Note: If you choose to rebase, you may have to ask me to rebuild |
nicolas2bert
force-pushed
the
bugfix/CLDSRV-584/backbeat-api
branch
from
130300a to
87a5fbf
Compare
nicolas2bert
changed the base branch from
development/7.70
to
development/7.10
Incorrect fix versionThe
Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:
Please check the |
|
@bert-e reset |
Reset completeI have successfully deleted this pull request's integration branches. |
Incorrect fix versionThe
Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:
Please check the |
|
ping |
Request integration branchesWaiting for integration branch creation to be requested by the user. To request integration branches, please comment on this pull request with the following command: Alternatively, the |
lib/routes/routeBackbeat.js
Outdated
| // The following makes sure that only replication destination-related operations (non-GET requests) | ||
| // target buckets with versioning enabled. | ||
| // This allows lifecycle operations (which use GET requests) to work on non-versioned buckets. | ||
| if (request.method !== 'GET' && (!versioningConfig || versioningConfig.Status !== 'Enabled')) { |
There was a problem hiding this comment.
lifecycle does not only perform GET operations : it also deletes objects (expiration), deletes data associated with objects (transition and restored-object-expiration), and puts metadata of objects...
so i fear such broad filtering in the router may introduce other issues.
→ Is there a way instead to identify the few "actions" performed by CRR replication (e.g. putObjectVersion, putObjectMetadata), maybe with some additional condition on the parameters/fields, to confirm? Then the check cna be performed direclty in each of these action handlers.
→ Otherwise, may be better to "isolate" the calls with specific CRR/lifecycle routes, or maybe simply add an extra parameter to enforce the check (IfVersioned maybe ?)
→ Alternatively, instead of making it a "core" feature in the code, could it be achieve through policies? e.g. the replication user will not have permissions to write to non-versioned bucket? (need to check if this is a kind of policy we support or even can define, but would be an elegant and simple solution I think)
There was a problem hiding this comment.
- S3C Lifecycle expiration (transition is not supported yet) only uses backbeat client GET operation:
getMetadata. Delete object/version is done by the S3 client itself that uses the s3 route.
Is there a way instead to identify the few "actions" performed by CRR replication (e.g. putObjectVersion, putObjectMetadata)
-
Replication uses
putData,putMetadataandbatchDelete's backebatAPI routes. Limiting the versioning check to those actions makes sense and is more explicit. HoweverputMetadatais also used by lifecycle transition so it will not solve the lifecycle transition future implementation. -
This PR is a fix, so I am not comfortable introducing new CRR/lifeycle routes for it. But it will be needed once we introduce lifecycle transition in S3C.
the replication user will not have permissions to write to non-versioned bucket?
- I thought about it, but it does not exist.
Incorrect fix versionThe
Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:
Please check the |
Incorrect fix versionThe
Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:
Please check the |
lib/routes/routeBackbeat.js
Outdated
| // The following makes sure that only replication destination-related operations (non-GET requests) | ||
| // target buckets with versioning enabled. | ||
| // This allows lifecycle operations (which use GET requests) to work on non-versioned buckets. | ||
| if (request.method !== 'GET' && (!versioningConfig || versioningConfig.Status !== 'Enabled')) { |
There was a problem hiding this comment.
Replication is supposed to work on any versioned bucket : so it must work as well on version-suspended buckets
| if (request.method !== 'GET' && (!versioningConfig || versioningConfig.Status !== 'Enabled')) { | |
| if (request.method !== 'GET' && (!versioningConfig || versioningConfig.Status === 'Disabled')) { |
There was a problem hiding this comment.
In CRR replication both source and replication have to be version enabled. I will keep enforcing it.
Incorrect fix versionThe
Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:
Please check the |
Context: In Artesca, when creating a location (whether used for replication or not), you specify both the endpoint and the bucket name where data will be stored. At this stage, Zenko checks that the bucket has versioning enabled. In S3C, it is a bit different, a “replication location” consists of a list of S3C endpoints (replicationEndpoints), and the destination bucket is specified later in the API replication rule (with put-bucket-replication API). Currently, S3C does not check if the destination bucket has versioning enabled. This means data could be replicated from a versioned source bucket to a non-versioned or suspended destination bucket, which can cause issues. e.g. https://scality.atlassian.net/browse/S3C-821 Current solution: A validation step was added to the Backbeat API in cloudserver. This check rejects any requests made to buckets that either do not have versioning enabled or have versioning suspended. This check makes sure the Backbeat API only works with buckets that have versioning enabled. This prevents operations on destination buckets where versioning is disabled or suspended, hense maintaining proper version control. On the source, we should be fine. Cloudserver prevents setting up replication on a bucket if its versioning is disabled or suspended, and it prevents changing a bucket’s versioning to suspended while replication is ongoing. Issue: The Backbeat API is also used for lifecycle, which works on both versioned and non-versioned buckets. The current versioning check affects the lifecycle operations, which should be allowed on non-versioned buckets. Proposed solution: Modify the Backbeat API to apply the bucket versioning check only to actions related to the replication destination buckets (such as PUT, POST, and DELETE requests). Allow GET actions like getMetadata and headLocation, which are used in workflows that don’t affect replication destination buckets. This change will ensure that replication only targets versioned buckets and allows lifecycle operations on non-versioned buckets.
nicolas2bert
force-pushed
the
bugfix/CLDSRV-584/backbeat-api
branch
from
87a5fbf to
b5160b9
Compare
Context:
In Artesca, when creating a location (whether used for replication or not), you specify both the endpoint and the bucket name where data will be stored. At this stage, Zenko checks that the bucket has versioning enabled.
In S3C, it is a bit different, a “replication location” consists of a list of S3C endpoints (replicationEndpoints), and the destination bucket is specified later in the API replication rule (with put-bucket-replication API). Currently, S3C does not check if the destination bucket has versioning enabled. This means data could be replicated from a versioned source bucket to a non-versioned or suspended destination bucket, which can cause issues. e.g. https://scality.atlassian.net/browse/S3C-821
Current solution:
A validation step was added to the Backbeat API in cloudserver. This check rejects any requests made to buckets that either do not have versioning enabled or have versioning suspended. This check makes sure the Backbeat API only works with buckets that have versioning enabled. This prevents operations on destination buckets where versioning is disabled or suspended, hense maintaining proper version control.
On the source, we should be fine. Cloudserver prevents setting up replication on a bucket if its versioning is disabled or suspended, and it prevents changing a bucket’s versioning to suspended while replication is ongoing.
Issue:
The Backbeat API is also used for lifecycle, which works on both versioned and non-versioned buckets. The current versioning check affects the lifecycle operations, which should be allowed on non-versioned buckets.
Proposed solution:
Modify the Backbeat API to apply the bucket versioning check only to actions related to the replication destination buckets (such as PUT, POST, and DELETE requests).
Allow GET actions like getMetadata and headLocation, which are used in workflows that don’t affect replication destination buckets.
This change will ensure that replication only targets versioned buckets and allows lifecycle operations on non-versioned buckets.