Project

General

Profile

Bug #21013

RGW: Get Bucket ACL does not honor the s3:GetBucketACL action

Added by Abhishek Lekshmanan over 1 year ago. Updated about 1 year ago.

Status:
Resolved
Priority:
Normal
Target version:
-
Start date:
08/16/2017
Due date:
% Done:

0%

Source:
Tags:
Backport:
luminous
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:

Description

We seem to use GetObjectACL for both object and bucket acl and not support GetBucketACL

import boto3
import json

from botocore.client import Config
if __name__ == "__main__":
    s3 = boto3.client('s3','us-east-1', endpoint_url='http://localhost:8000',
                      aws_access_key_id = 'access1',
                      aws_secret_access_key = 'secret1',
    #                  config = Config(signature_version='s3')
    )

    s3_2 = boto3.client('s3','us-east-1', endpoint_url='http://localhost:8000',
                      aws_access_key_id = 'access2',
                      aws_secret_access_key = 'secret2',
    #                  config = Config(signature_version='s3')
    )

    bucket_name = 'policytest'
    b = s3.create_bucket(Bucket = bucket_name)
    bucket_policy = {
    'Version': '2012-10-17',
    'Statement': [{
        'Sid': 'AddPerm',
        'Effect': 'Allow',
        'Principal': '*',
        'Action': ['s3:GetBucketAcl'],
        'Resource': "arn:aws:s3:::%s" % bucket_name,
    }]
    }

    bucket_policy = json.dumps(bucket_policy)
    s3.put_bucket_policy(Bucket=bucket_name, Policy=bucket_policy)
    orig_bucket_acl = s3.get_bucket_acl(Bucket=bucket_name)
    print ("original acl")
    print (json.dumps(orig_bucket_acl, indent=2))
    bucket_acl = s3_2.get_bucket_acl(Bucket=bucket_name)
    print (json.dumps(bucket_acl, indent=2))

This would error out currently and pass if we change the conditional to `s3:GetObjectACL` instead


Related issues

Copied to rgw - Backport #21056: RGW: Get Bucket ACL does not honor the s3:GetBucketACL action Resolved

History

#1 Updated by Abhishek Lekshmanan over 1 year ago

  • Description updated (diff)

#3 Updated by Abhishek Lekshmanan over 1 year ago

  • Status changed from New to Need Review

#4 Updated by Abhishek Lekshmanan over 1 year ago

  • Status changed from Need Review to Need Test

#5 Updated by Yuri Weinstein about 1 year ago

Abhishek Lekshmanan wrote:

master pr: https://github.com/ceph/ceph/pull/17050

merged

#6 Updated by Abhishek Lekshmanan about 1 year ago

  • Status changed from Need Test to Pending Backport

#7 Updated by Abhishek Lekshmanan about 1 year ago

  • Copied to Backport #21056: RGW: Get Bucket ACL does not honor the s3:GetBucketACL action added

#8 Updated by Nathan Cutler about 1 year ago

  • Backport changed from Luminous to luminous

#9 Updated by Abhishek Lekshmanan about 1 year ago

  • Status changed from Pending Backport to Resolved

Also available in: Atom PDF