Clarify what the requestor_pays flag does #3431
Conversation
GeorgianaElena
force-pushed
the
req-pay
branch
from
274c57d to
38e0d89
Compare
|
I just pushed a small commit updating the docs as well and believe it might be ready for review. Did you want to do add anything else to this @yuvipanda ? |
docs/howto/features/buckets.md
Outdated
| "public_access": true, | ||
| "requester_pays": true |
There was a problem hiding this comment.
@yuvipanda, do you think requester_pays has sense outside of a public access? Should these two flags be documented togheter?
There was a problem hiding this comment.
Ah, great question @GeorgianaElena.
Right now, we don't actually have a terraform variable called requstor_pays (see list for gcp and aws for what we do have). So we currently don't have a way to mark a bucket as requestor pays via our terraform.
It's not super hard to implement (pass through to gcp config or this aws resource), so we should implement it if / when a community asks to make one of their buckets into requestor_pays.
It may also be helpful to rename public_access to public_anonymous_access - basically, it currently means that anyone can access that bucket, without needing to provide any authentication at all. But since requestor_pays requires that the entity requesting this be part of an AWS or GCP project, it by definition is authenticated - so GCP or AWS knows who to charge! This 'authentication' is what our hubs provide when we turn on the allow_access_to_requestor_pays_buckets flag.
So public_access (or public_anonymous_access) is actually mutually exclusive with requestor_pays. The first is fully unauthenticated, while the second requires authentication.
I hope this is helpful!
There was a problem hiding this comment.
Extremely helpful @yuvipanda! Thank you very much for taking the time to clarify this <3
docs/howto/features/buckets.md
Outdated
| Some hubs want to expose a particular bucket to the broad internet | ||
| but not be billed for the charges associated with making and executing the | ||
| requests on this bucket. | ||
|
|
||
| By enabling the [Requester Pays flag](https://cloud.google.com/storage/docs/using-requester-pays#using), | ||
| the requesters are required to include a billing project in their requests, | ||
| which will mean that the billing will happen on the requester's project. | ||
|
|
||
| Enabling Requester Pays is useful, for example, if the communities have a lot | ||
| of data that they want to make available to others, but don't want to be | ||
| charged for their access to that data. |
There was a problem hiding this comment.
... but this section sounds like the host hub is providing access to buckets inside their hub. Which is it? Can it be both? In what scenario is the bucket inside and what scenario is the bucket outside?
There was a problem hiding this comment.
Yes, it can be both. Requestor Pays is a feature that a bucket can have.
- If buckets outside the project have this flag, then we need to:
- set
hub_cloud_permissions.allow_access_to_requestor_pays_bucketsin the terraform config of a cluster (this config is simply calledrequestor_payswithout this PR, which was the source of confusion for me). - This is to allow them to be charged on their project for access of such outside buckets
- set
- But buckets that we set for communities, inside their projects can also have this feature enabled on them, which means that other people outside will be charged for their usage.
- This can be enabled by setting
user_buckets.<bucket_name>.requester_paysto true in the terraform config of the cluster. - I don't think we have any buckets like this yet, but was recently requested by leap in https://2i2c.freshdesk.com/a/tickets/1316
- This can be enabled by setting
There was a problem hiding this comment.
Does the above has more sense @sgibson91? I will update the language in the docs as well to make the split and differences more clear.
There was a problem hiding this comment.
Yeah, thank you - though I'm wondering if it should be hub_cloud_permissions.allow_access_to_external_requester_pays_buckets to be crystal clear? Though I realise it's getting kinda long.
There was a problem hiding this comment.
I just want to say that https://github.com/2i2c-org/infrastructure/pull/3431/files#r1495651158 is an accurate description of the situation! Only difference is that right now,
This can be enabled by setting user_buckets.<bucket_name>.requester_pays to true in the terraform config of the cluster.
is not true because we don't have that implemented.
There was a problem hiding this comment.
Let's simplify this PR to:
- Renaming the existing
requestor_paystoallow_access_to_external_requestor_pays_buckets(as @sgibson91 suggested in https://github.com/2i2c-org/infrastructure/pull/3431/files#r1495801966) for clarity - Document what exactly that does in clearer terms. I think your words here (https://github.com/2i2c-org/infrastructure/pull/3431/files#diff-022e962ded687634ecdad02e21584d886b7e0ed8002cd91e2e9b94f5637c289cR58) are great, and maybe can be ported to the features page?
- Open an issue to track the new feature request of marking a bucket we manage as
requestor_paysto the outside world.
I hope this helps! I can't 'request changes' because this is my own PR, but thanks for picking this up, @GeorgianaElena
docs/howto/features/buckets.md
Outdated
| Some hubs want to expose a particular bucket to the broad internet | ||
| but not be billed for the charges associated with making and executing the | ||
| requests on this bucket. | ||
|
|
||
| By enabling the [Requester Pays flag](https://cloud.google.com/storage/docs/using-requester-pays#using), | ||
| the requesters are required to include a billing project in their requests, | ||
| which will mean that the billing will happen on the requester's project. | ||
|
|
||
| Enabling Requester Pays is useful, for example, if the communities have a lot | ||
| of data that they want to make available to others, but don't want to be | ||
| charged for their access to that data. |
There was a problem hiding this comment.
I just want to say that https://github.com/2i2c-org/infrastructure/pull/3431/files#r1495651158 is an accurate description of the situation! Only difference is that right now,
This can be enabled by setting user_buckets.<bucket_name>.requester_pays to true in the terraform config of the cluster.
is not true because we don't have that implemented.
…ate docs language for clarity
|
I've updated the PR per instructions and the terraform config of the clusters. I've also opened the follow-up issue, so this should be ready for review again 🚀 |
Co-authored-by: Sarah Gibson <[email protected]>
|
Yuhuuu! Thank you @sgibson91! |
|
And thank you @yuvipanda for shining light over this confusing topic 🎉 |
|
This is great work @GeorgianaElena! |
Reference: https://2i2c.slack.com/archives/C055A1J1DRP/p1700050896750479