start a vstart cluster with RGW
Add object locking to all bucket creations via a Lua script.
- upload the following script in the `prerequest` context:

```lua
-- enable object lock on bucket creation
if Request.RGWOp == "create_bucket" then
  Request.HTTP.Metadata["x-amz-bucket-object-lock-enabled"] = "true"
  RGWDebugLog("object lock is enabled on bucket: " .. Request.Bucket.Name)
end
```

- create a bucket without object locking enabled:

```
aws --endpoint-url http://127.0.0.1:8000 s3 mb s3://fish
```

- get the object lock status and verify it is enabled:

```
aws --endpoint-url http://127.0.0.1:8000 s3api get-object-lock-configuration --bucket fish
```

Prevent buckets without an object lock from being created.
- upload the following script in the `prerequest` context:

```lua
-- enforcing object lock on bucket creation
if Request.RGWOp == "create_bucket" and
   Request.HTTP.Metadata["x-amz-bucket-object-lock-enabled"] ~= "true" then
  local original_name = Request.Bucket.Name
  Request.Bucket.Name = ""
  Request.Response.Message = "Bucket must have object lock enabled"
  RGWDebugLog("object lock is missing on bucket: " .. original_name)
end
```

- create a bucket without object locking enabled:

```
aws --endpoint-url http://127.0.0.1:8000 s3 mb s3://fish1 --debug
```

in the reply we should get `InvalidBucketName` as the error code and "Bucket must have object lock enabled" as the error message:

```xml
<Error>
<Code>InvalidBucketName</Code>
<Message>Bucket must have object lock enabled</Message>
<BucketName></BucketName>
...
</Error>
```

- create a bucket with object locking enabled:

```
aws --endpoint-url http://127.0.0.1:8000 s3api create-bucket --bucket fish2 --object-lock-enabled-for-bucket
```

now the bucket should be created without any issue
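
The two checks in this procedure can be automated. The following is an added example, not part of the original instructions or of the Ceph code base: a Python checker for the `get-object-lock-configuration` output and for the error body returned by the enforcing script. The function names are hypothetical and the sample inputs are constructed; because the script reuses `InvalidBucketName`, the checker tells a policy rejection apart from a genuinely invalid name by the message.

```python
import json
import xml.etree.ElementTree as ET

# Message set by the enforcing Lua script on this page.
POLICY_MESSAGE = "Bucket must have object lock enabled"


def lock_enabled(cli_output: str) -> bool:
    """True if the get-object-lock-configuration JSON reports the lock as enabled."""
    try:
        cfg = json.loads(cli_output)["ObjectLockConfiguration"]
    except (ValueError, KeyError, TypeError):
        return False  # empty output, error text, or unexpected shape
    return isinstance(cfg, dict) and cfg.get("ObjectLockEnabled") == "Enabled"


def classify_rejection(error_xml: str) -> str:
    """Classify an S3 error body as 'policy', 'other-error' or 'unparseable'."""
    try:
        root = ET.fromstring(error_xml)
    except ET.ParseError:
        return "unparseable"
    if root.tag != "Error":
        return "unparseable"
    code = (root.findtext("Code") or "").strip()
    message = (root.findtext("Message") or "").strip()
    # The Lua script blanks the bucket name, so the gateway answers with
    # InvalidBucketName; only the message identifies the policy rejection.
    if code == "InvalidBucketName" and message == POLICY_MESSAGE:
        return "policy"
    return "other-error"


# Constructed samples (not captured from a real cluster).
SAMPLE_ENABLED = '{"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}}'
SAMPLE_POLICY = (
    "<Error><Code>InvalidBucketName</Code>"
    "<Message>Bucket must have object lock enabled</Message>"
    "<BucketName></BucketName></Error>"
)
SAMPLE_BAD_NAME = (
    "<Error><Code>InvalidBucketName</Code>"
    "<Message></Message><BucketName>Bad_Name</BucketName></Error>"
)

if __name__ == "__main__":
    print(lock_enabled(SAMPLE_ENABLED), classify_rejection(SAMPLE_POLICY))
```
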

Notes:

(1) the `postrequest` context could be used to return a better error code, so we don't see "InvalidBucketName"

(2) there is ongoing work to allow blocking a request explicitly: ceph/ceph#66065