backport: S3 policy evaluated incorrectly

Bug #1847544 reported by Jesse Williamson
This bug affects 1 person
Affects               Status     Importance  Assigned to  Milestone
Ubuntu Cloud Archive  Invalid    Undecided   gerald.yang
Queens                Won't Fix  Medium      Unassigned
ceph (Ubuntu)         Invalid    Undecided   gerald.yang
Bionic                Won't Fix  Medium      gerald.yang
Disco                 Invalid    Undecided   Unassigned
Eoan                  Invalid    Undecided   Unassigned
Focal                 Invalid    Undecided   Unassigned

Bug Description

[Impact]
If a user tries to access a non-existent bucket, it should get a 'NoSuchBucket' error message (404).
But if there is such a bucket that belongs to another user, radosgw will return an 'AccessDenied' error (403).
This is an incorrect error message; radosgw should return 404.

[Test Case]
Create a user with radosgw-admin, then create a bucket through S3 as this user.
Create another user and try to access the bucket created by the above user.
The error message must be 'NoSuchBucket', not 'AccessDenied'.

[Regression Potential]
Low. This patch checks
1. 'is_admin_of' and 'verify_permission' separately instead of 'and'-ing their results
2. whether the bucket policy allows the user to access this bucket
to make sure it returns the correct error code, so basically it checks the same thing as before but in the correct order.

[Other Information]
Backport Ceph issue 38638 to Luminous.

If a user different from the owner (or even an anonymous user) does a GetObject/HeadObject on a non-existent object, Radosgw returns status code 403 rather than the correct status 404.

A version of this was merged into Ceph master:
https://tracker.ceph.com/issues/38638
https://github.com/ceph/ceph/commit/5eb50b7d10da51db72f705807c87775562b79b63

And the backport to luminous has been accepted:
https://tracker.ceph.com/issues/39272
https://github.com/ceph/ceph/commit/a752b21f549cc83745e35324387b85b3d039dfd2

Eric Desrochers (slashd)
tags: added: sts
description: updated
description: updated
description: updated
Eric Desrochers (slashd)
Changed in ceph (Ubuntu):
milestone: xenial-updates → none
Changed in ceph (Ubuntu):
assignee: Jesse Williamson (chardan) → gerald.yang (gerald-yang-tw)
status: New → In Progress
description: updated
tags: added: sts-sru-needed
Changed in ceph (Ubuntu Bionic):
assignee: nobody → gerald.yang (gerald-yang-tw)
status: New → In Progress
description: updated
tags: added: verification-needed-bionic
tags: removed: verification-needed-bionic
gerald.yang (gerald-yang-tw) wrote :

Disco, Eoan and Focal have already included this fix.

Changed in ceph (Ubuntu Focal):
status: In Progress → Won't Fix
Changed in ceph (Ubuntu Eoan):
status: New → Won't Fix
Changed in ceph (Ubuntu Disco):
status: New → Won't Fix
Changed in ceph (Ubuntu Focal):
assignee: gerald.yang (gerald-yang-tw) → nobody
Changed in cloud-archive:
status: New → In Progress
assignee: nobody → gerald.yang (gerald-yang-tw)
gerald.yang (gerald-yang-tw) wrote :

bionic patch

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "bionic.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
James Page (james-page)
Changed in ceph (Ubuntu):
status: In Progress → Won't Fix
Changed in ceph (Ubuntu Focal):
status: Won't Fix → Invalid
Changed in ceph (Ubuntu Eoan):
status: Won't Fix → Invalid
Changed in ceph (Ubuntu Disco):
status: Won't Fix → Invalid
Changed in ceph (Ubuntu):
status: Won't Fix → Invalid
Changed in cloud-archive:
status: In Progress → Invalid
Changed in ceph (Ubuntu Bionic):
importance: Undecided → Medium
James Page (james-page) wrote :

Uploaded to bionic-proposed for SRU team review.

James Page (james-page) wrote :

Fix included in recent point release (bug 1861793) - closing this bug as it will be covered by upstream testing and general regression testing for the point release.

Changed in ceph (Ubuntu Bionic):
status: In Progress → Won't Fix