backport: S3 policy evaluated incorrectly
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Ubuntu Cloud Archive | Invalid | Undecided | gerald.yang | |
Queens | Won't Fix | Medium | Unassigned | |
ceph (Ubuntu) | Invalid | Undecided | gerald.yang | |
Bionic | Won't Fix | Medium | gerald.yang | |
Disco | Invalid | Undecided | Unassigned | |
Eoan | Invalid | Undecided | Unassigned | |
Focal | Invalid | Undecided | Unassigned | |

Bug Description
[Impact]
If a user tries to access a non-existent bucket, it should get a 'NoSuchBucket' error message (404).
But if there is such a bucket which belongs to another user, radosgw will return an 'AccessDenied' error (403).
This is an incorrect error message; radosgw should return 404.
[Test Case]
Create a user with radosgw-admin, then create a bucket through S3 as this user.
Create another user and try to access the bucket created by the above user.
The error message must be 'NoSuchBucket', not 'AccessDenied'.
[Regression Potential]
Low. This patch checks
1. 'is_admin_of' and 'verify_permission' separately instead of 'and'-ing their results
2. whether the bucket policy allows the user to access this bucket
to make sure it returns the correct error code, so basically it checks the same things as before but in the correct order.
[Other Information]
Backport Ceph issue 38638 to Luminous.
If a user different from the owner (or even an anonymous user) does a GetObject/
A version of this was merged into Ceph master:
https:/
https:/
And the backport to luminous has been accepted:
https:/
https:/
tags: | added: sts |
description: | updated |
description: | updated |
description: | updated |
Changed in ceph (Ubuntu): | |
milestone: | xenial-updates → none |
Changed in ceph (Ubuntu): | |
assignee: | Jesse Williamson (chardan) → gerald.yang (gerald-yang-tw) |
status: | New → In Progress |
description: | updated |
tags: | added: sts-sru-needed |
Changed in ceph (Ubuntu Bionic): | |
assignee: | nobody → gerald.yang (gerald-yang-tw) |
status: | New → In Progress |
description: | updated |
tags: | added: verification-needed-bionic |
tags: | removed: verification-needed-bionic |
Changed in cloud-archive: | |
status: | New → In Progress |
assignee: | nobody → gerald.yang (gerald-yang-tw) |
Changed in ceph (Ubuntu): | |
status: | In Progress → Won't Fix |
Changed in ceph (Ubuntu Focal): | |
status: | Won't Fix → Invalid |
Changed in ceph (Ubuntu Eoan): | |
status: | Won't Fix → Invalid |
Changed in ceph (Ubuntu Disco): | |
status: | Won't Fix → Invalid |
Changed in ceph (Ubuntu): | |
status: | Won't Fix → Invalid |
Changed in cloud-archive: | |
status: | In Progress → Invalid |
Changed in ceph (Ubuntu Bionic): | |
importance: | Undecided → Medium |
Disco, Eoan and Focal have already included this fix.