
rgw: user accounts implementation #54333

Merged
cbodley merged 171 commits into ceph:main from cbodley:wip-rgw-account-v3
Apr 12, 2024

Conversation

@cbodley
Contributor

@cbodley cbodley commented Nov 3, 2023

user account design document in #54045

this revives previous work from #46373 (which itself was based on Abhishek's #35726). that became too painful to faithfully rebase, so i've reimplemented parts of it instead; i'll be sure to credit Abhishek for his work in the final commits

TODO

Account metadata

  • struct RGWAccountInfo
  • requirements for account ids and name (rgw::account::validate_id/name())
  • rgw::sal::Driver interfaces to read/write
  • admin ops to create/modify/list/remove account metadata
  • add email, and ensure it's globally unique (including user emails)

User metadata

  • add RGWUserInfo::account_id member
  • support --account-id argument for user modify to migrate existing legacy/non-account users into an account. account id can't change after
  • migrating a user should also migrate the user's buckets, changing their owner to the account
  • add other metadata fields needed for IAM User APIs (Path/Arn/CreateDate)
  • match user paths in iam policy principals

Role metadata

  • add RGWRoleInfo::account_id member
  • index account roles in the {account}.roles omap
  • within an account, role names don't have to be globally unique - don't store the 'path' object in rados, use omap for listing

Group metadata

  • struct RGWGroupInfo
  • rgw::sal::Driver interfaces to read/write/list
  • metadata handler for multisite replication

Topic metadata

  • change owner from rgw_user to rgw_owner
  • index account topics in the {account}.topics omap

RadosStore

  • implement account interfaces for RadosStore
  • use cls_user to track stats in {account}.buckets the same way users do in {user}.buckets
  • extend cls_user to track {account}.users, {account}.roles, {account}.groups (started in cls/user: add interfaces to index user account resources #54563)
  • RGWBucketMetadataHandler: on change to RGWBucketEntryPoint::owner, update linkage in {user}.buckets and/or {account}.buckets objects via cls_user
  • RGWUserMetadataHandler: on change to RGWUserInfo::account_id, update linkage in {account}.users via cls_user

ACLs

  • ACLOwner and CanonicalUser grants can either be a user id string or an account id string
  • AmazonCustomerByEmail supports account emails in addition to user emails
  • resources created by a user in an account use account id for default ACLOwner and FULL_CONTROL Grant
  • use account name for DisplayName

IAM Policy

  • Principal: disambiguate 'tenant' and 'account' principals using rgw::account::validate_id()
  • match 'account' principals against RGWUserInfo::account_id instead of RGWUserInfo::user_id.tenant
  • load group policies for use in verify_permission
  • support managed policies like AmazonS3FullAccess for AttachUserPolicy/AttachRolePolicy
  • implement cross-account policy evaluation
  • integrate 'account root' users into policy evaluation

Bucket Ownership

  • RGWBucketInfo::owner uses rgw_owner variant which can either be rgw_user or rgw_account_id
  • buckets created by a user/role in an account are owned by the account
  • rgw_quota.cc accumulates/flushes account stats similar to user stats based on RGWBucketInfo::owner
  • ListBuckets can list from the owning account

IAM APIs

  • CreateUser, GetUser, UpdateUser, DeleteUser, ListUsers apis (ex https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateUser.html)
  • AccessKey APIs
  • adapt existing Role APIs to account permission model
  • adapt existing UserPolicy APIs to account permission model
  • adapt existing Topic APIs to account permission model
  • adapt existing OpenIDConnectProvider APIs to account permission model
  • Group/GroupPolicy APIs

Testing

  • add account root user to s3tests config for iam api tests
  • s3tests cases for new apis in test_iam.py (User apis started in iam: add tests for account-based IAM apis s3-tests#537)
  • s3tests for account ids in bucket policy
  • in teuthology, run s3tests in configurations where the 's3 main' and 's3 tenant' users belong to an account
  • in teuthology, create account-root users for s3test config [iam root] and [iam alt root] to run iam_account and cross_account tests
  • test user migration into an account and verify access to existing buckets/objects
  • test account stats and quota enforcement
  • multisite test cases for sync of account metadata and related indices
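The IAM Policy items above call for disambiguating 'tenant' and 'account' principals with rgw::account::validate_id() and matching account principals against RGWUserInfo::account_id rather than user_id.tenant. The following is an added illustration of that evaluation step, not code from this PR or from Ceph: it assumes the account-id format seen in the ids quoted on this page (the literal prefix RGW followed by 17 digits), a simplified Identity record standing in for RGWUserInfo, and the AWS convention that a `root` principal matches any identity in that account.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed account-id format, inferred from ids on this page such as
# RGW12345678912345677: literal "RGW" followed by exactly 17 digits.
ACCOUNT_ID_RE = re.compile(r"RGW[0-9]{17}")


def validate_account_id(value: str) -> bool:
    """Stand-in for rgw::account::validate_id(): True only for account ids."""
    return ACCOUNT_ID_RE.fullmatch(value) is not None


@dataclass(frozen=True)
class Identity:
    """Simplified requesting identity (stands in for RGWUserInfo)."""
    tenant: str                        # legacy namespace: user_id.tenant
    user: str                          # user name within tenant or account
    account_id: Optional[str] = None   # RGWUserInfo::account_id, None if legacy


def parse_principal(arn: str) -> Optional[Tuple[str, str, str]]:
    """Split arn:aws:iam::<namespace>:<resource> into (kind, namespace, resource).

    kind is 'account' when the namespace passes validate_account_id, otherwise
    'tenant'; a namespace that looks like an account id is never treated as a
    tenant name. Returns None for malformed input."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "iam" or parts[3]:
        return None
    namespace, resource = parts[4], parts[5]
    if not namespace or not resource:
        return None
    kind = "account" if validate_account_id(namespace) else "tenant"
    return kind, namespace, resource


def principal_matches(arn: str, ident: Identity) -> bool:
    """Does the policy principal `arn` name the requesting identity?"""
    parsed = parse_principal(arn)
    if parsed is None:
        return False
    kind, namespace, resource = parsed
    if kind == "account":
        # Account principals compare against account_id only; a legacy user
        # whose tenant string happens to equal the account id does not match.
        if ident.account_id != namespace:
            return False
        return resource == "root" or resource == f"user/{ident.user}"
    # Tenant principals keep the legacy comparison against user_id.tenant.
    return ident.tenant == namespace and resource == f"user/{ident.user}"
```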


@github-actions

github-actions bot commented Dec 1, 2023

This pull request can no longer be automatically merged: a rebase is needed and changes have to be manually resolved


cbodley added 13 commits April 10, 2024 13:09
Signed-off-by: Casey Bodley <cbodley@redhat.com>
Signed-off-by: Casey Bodley <cbodley@redhat.com>
Signed-off-by: Casey Bodley <cbodley@redhat.com>
Signed-off-by: Casey Bodley <cbodley@redhat.com>
move the persistent queue removal into remove_topic() where we have
access to the topic metadata. avoid trying to remove the queue if it
isn't enabled

Signed-off-by: Casey Bodley <cbodley@redhat.com>
Signed-off-by: Casey Bodley <cbodley@redhat.com>
Signed-off-by: Casey Bodley <cbodley@redhat.com>
Signed-off-by: Casey Bodley <cbodley@redhat.com>
Signed-off-by: Casey Bodley <cbodley@redhat.com>
a bucket's notification configuration may refer to topics from several
different tenants or accounts. when publishing to a given topic, look in
the correct namespace for each topic instead of defaulting to the
requesting user's tenant namespace

Signed-off-by: Casey Bodley <cbodley@redhat.com>
Signed-off-by: Casey Bodley <cbodley@redhat.com>
Signed-off-by: Casey Bodley <cbodley@redhat.com>
new sns test cases are using this for topic names, but the '.' is not
allowed there:

> api_params = {'Name': 'test-client.0-n3bdgre5el2jk8v-606'}
> botocore.exceptions.ClientError: An error occurred (InvalidArgument) when calling the CreateTopic operation: Name must be made up of only uppercase and lowercase ASCII letters, numbers, underscores, and hyphens

Signed-off-by: Casey Bodley <cbodley@redhat.com>
@BBoozmen
Contributor

How is bucket quota managed for an account?

For a non-accounted rgw user, we can set user and bucket level quotas and both are visible in user info:

$ radosgw-admin user info --uid=ihummel | jq '.user_quota, .bucket_quota'
{
  "enabled": true,
  "check_on_raw": false,
  "max_size": 4028225472512,
  "max_size_kb": 3933813938,
  "max_objects": -1
}
{
  "enabled": true,
  "check_on_raw": false,
  "max_size": -1024,
  "max_size_kb": 0,
  "max_objects": 20000000
}

However, for an account, we can only set account level quota:

radosgw-admin account get --account-id=RGW12345678912345677 | jq '.quota'
{
        "enabled": false,
        "check_on_raw": false,
        "max_size": 2048,
        "max_size_kb": 2,
        "max_objects": -1
}

Shouldn't we also be able to set/view bucket quotas given an account?

@cbodley
Contributor Author

cbodley commented Apr 10, 2024

Shouldn't we also be able to set/view bucket quotas given an account?

@BBoozmen you can set bucket quotas directly on the buckets, so this didn't seem useful to me. if you disagree, would you open a tracker issue with a feature request? i'm trying to get this pr merged for squid asap

@BBoozmen
Contributor

Shouldn't we also be able to set/view bucket quotas given an account?

@BBoozmen you can set bucket quotas directly on the buckets, so this didn't seem useful to me. if you disagree, would you open a tracker issue with a feature request? i'm trying to get this pr merged for squid asap

Sounds good. We can discuss this as a separate item.

@cbodley
Contributor Author

cbodley commented Apr 11, 2024

jenkins retest this please

@cbodley
Contributor Author

cbodley commented Apr 11, 2024

The slave crashed or was restarted

@cbodley
Contributor Author

cbodley commented Apr 11, 2024

jenkins test make check

@cbodley
Contributor Author

cbodley commented Apr 11, 2024

the rgw/notifications tests are failing with An error occurred (AuthorizationError) when calling the CreateTopic operation after rebase over #55661, which changed verify_user_permissions() for subusers. i've opened #56838 to revert that change.

cbodley added 2 commits April 11, 2024 15:19
…create buckets"

This reverts commit 3cc27f0.

Signed-off-by: Casey Bodley <cbodley@redhat.com>
…pics

Signed-off-by: Casey Bodley <cbodley@redhat.com>
@cbodley
Contributor Author

cbodley commented Apr 11, 2024

the rgw/notifications tests are failing with An error occurred (AuthorizationError) when calling the CreateTopic operation after rebase over #55661, which changed verify_user_permissions() for subusers. i've opened #56838 to revert that change.

@yuvalif the new test_ps_s3_persistent_notification_http_account test case was failing after that. i had to add another commit to teach wait_for_queue_to_drain() to add the --account-id argument to topic stats
