@yuvalif
Last active September 10, 2023 15:10
Setup

  • start cluster:
MON=1 OSD=1 MDS=0 MGR=0 RGW=1 ../src/vstart.sh -n -d
  • create 2 tenanted users:
bin/radosgw-admin user create --display-name "Hello World" --tenant world --uid hello --access_key hello --secret_key world
bin/radosgw-admin user create --display-name "Ka Boom" --tenant boom --uid ka --access_key ka --secret_key boom
  • create topic for user 2:
AWS_ACCESS_KEY_ID=ka AWS_SECRET_ACCESS_KEY=boom aws --endpoint-url http://localhost:8000 sns create-topic --name=fishtopic \
  --attributes='{"push-endpoint": "http://localhost:10900"}'
  • create bucket and notification for user 2:
AWS_ACCESS_KEY_ID=ka AWS_SECRET_ACCESS_KEY=boom aws --endpoint-url http://localhost:8000 s3 mb s3://fish
AWS_ACCESS_KEY_ID=ka AWS_SECRET_ACCESS_KEY=boom aws --endpoint-url http://localhost:8000 s3api put-bucket-notification-configuration \
  --bucket fish --notification-configuration='{"TopicConfigurations": [{"Id": "notif1", "TopicArn": "arn:aws:sns:default:boom:fishtopic", "Events": []}]}'

Test

  • verify that user 2 can access the notification:
AWS_ACCESS_KEY_ID=ka AWS_SECRET_ACCESS_KEY=boom aws --endpoint-url http://localhost:8000 s3api get-bucket-notification-configuration \
  --bucket fish
  • 2nd user sets bucket policy to allow 1st user to access notifications on the bucket:
AWS_ACCESS_KEY_ID=ka AWS_SECRET_ACCESS_KEY=boom aws --endpoint-url http://localhost:8000 s3api put-bucket-policy --bucket fish --policy \
'{"Version": "2012-10-17", "Statement": [{"Sid": "Statement", "Effect": "Allow", "Principal": "*", "Action": ["s3:GetBucketNotification", "s3:PutBucketNotification"], "Resource": "arn:aws:s3::boom:fish"}]}'
  • try to get the notification from the 1st user, passing the bucket name in the "tenant:bucket" format. This is done via the following script:
import boto3
from botocore.handlers import validate_bucket_name

tenant='boom'
bucket='fish'

client = boto3.client('s3',
        region_name='default',
        use_ssl=False,
        endpoint_url='http://localhost:8000',
        aws_access_key_id='hello',
        aws_secret_access_key='world')

# disabling bucket name validation to allow for the "tenant:bucket" format
client.meta.events.unregister("before-parameter-build.s3", validate_bucket_name)

response = client.get_bucket_notification_configuration(Bucket=f"{tenant}:{bucket}")
print(response)
  • to verify deletion works, use the above, with:
response = client.put_bucket_notification_configuration(Bucket=f"{tenant}:{bucket}", NotificationConfiguration={})
print(response)
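Added example, not part of the gist: the bucket policy above uses `Principal: "*"`, so any authenticated user in any tenant may read or rewrite the notification configuration, not only user 1. The helpers below build the same policy with the principal narrowed to the named tenanted user (RGW's `arn:aws:iam::tenant:user/uid` form) and include a small evaluator so the difference between `"*"` and a named principal can be checked offline; the evaluator is a simplified model written for this example, not RGW's own policy code.

```python
import fnmatch

# Constructed values mirroring the gist: tenant "boom" owns bucket "fish",
# user "hello" in tenant "world" is the cross-tenant reader.
NOTIFICATION_ACTIONS = ["s3:GetBucketNotification", "s3:PutBucketNotification"]


def rgw_bucket_name(tenant, bucket):
    """Bucket reference RGW accepts for another tenant's bucket ("tenant:bucket")."""
    return f"{tenant}:{bucket}"


def rgw_user_arn(tenant, uid):
    """Principal ARN of a tenanted RGW user (Ceph bucket-policy form)."""
    return f"arn:aws:iam::{tenant}:user/{uid}"


def build_policy(tenant, bucket, principals, actions=NOTIFICATION_ACTIONS):
    """Same statement as the gist, but with an explicit principal list instead
    of "*"; pass ["*"] to reproduce the open policy from the gist."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Statement",
            "Effect": "Allow",
            "Principal": {"AWS": list(principals)},
            "Action": list(actions),
            "Resource": f"arn:aws:s3::{tenant}:{bucket}",
        }],
    }


def is_allowed(policy, principal_arn, action, resource_arn):
    """Simplified evaluation: an explicit Deny wins, otherwise any matching
    Allow grants. Principal "*" matches every authenticated user, any tenant."""
    def as_list(v):
        return [v] if isinstance(v, str) else list(v)

    def matches(stmt):
        principal = stmt["Principal"]
        if principal != "*":
            aws = as_list(principal.get("AWS", []))
            if principal_arn not in aws and "*" not in aws:
                return False
        return (any(fnmatch.fnmatchcase(action, a) for a in as_list(stmt["Action"]))
                and any(fnmatch.fnmatchcase(resource_arn, r)
                        for r in as_list(stmt["Resource"])))

    effects = {s["Effect"] for s in policy["Statement"] if matches(s)}
    return "Deny" not in effects and "Allow" in effects
```

`json.dumps(build_policy(...))` produces the document to hand to `put-bucket-policy`; the gist's own script then works unchanged with `Bucket=rgw_bucket_name(tenant, bucket)`.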