Bug #23817
Bucket policy and colons in filename
Status: closed
% Done: 0%
Backport: luminous mimic
Regression: No
Severity: 3 - minor
ceph-qa-suite: rgw
Description
Hello.
I see strange behavior with files that have colons in the filename. The bucket policy is not applied to them.
Example:
1. Create a policy like this and set it on the bucket.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam:::admin"]},
    "Action": "*",
    "Resource": [
      "arn:aws:s3:::test/*"
    ]
  },
  {
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject"],
    "Resource": [
      "arn:aws:s3:::test/*"
    ]
  }]
}
2. Upload a file without colons in its name and try to get it as an anonymous user. It should work fine.
3. Upload a file with colons in its name and try to get it as an anonymous user. You should get a 403 error:
>> s3cmd put /tmp/file s3://test/test:file
>> curl http://rgw:7480/test/test:file -D-
HTTP/1.1 403 Forbidden
Content-Length: 214
x-amz-request-id: tx00000000000000017737a-005adb746a-ff06-default
Accept-Ranges: bytes
Content-Type: application/xml
Date: Sat, 21 Apr 2018 17:27:06 GMT
<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><BucketName>test</BucketName><RequestId>tx00000000000000017737a-005adb746a-ff06-default</RequestId><HostId>ff06-default-default</HostId></Error>
I found a workaround: files uploaded with a public ACL (the -P key for s3cmd) work fine, but this is not a good solution.
My ceph version: 12.2.4
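The result the steps above should produce, as an added example that is not part of the original report and is not Ceph RGW code: an evaluator that handles only Effect, Principal, Action and Resource, run over the report's policy. All function names are assumptions of this example, and it makes no claim about the cause of the RGW behavior; it only shows that a key containing ':' is still covered by arn:aws:s3:::test/* when the ARN is split on its first five colons.

```python
import re

# Policy from the report above, as a Python literal.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam:::admin"]},
         "Action": "*", "Resource": ["arn:aws:s3:::test/*"]},
        {"Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::test/*"]},
    ],
}

def parse_arn(arn):
    """Return the six ARN fields. Only the first five ':' are separators,
    so an object key that contains ':' stays whole in the resource field."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return dict(zip(("arn", "partition", "service", "region", "account", "resource"), parts))

def wildcard_match(pattern, value):
    """Policy-style match: '*' is any run of characters, '?' is one character."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.DOTALL) is not None

def as_list(v):
    return v if isinstance(v, list) else [v]

def principal_matches(principal, caller):
    """caller is an ARN string, or None for an anonymous request."""
    if principal == "*":
        return True
    return caller is not None and caller in as_list(principal.get("AWS", []))

def is_allowed(policy, caller, action, bucket, key):
    """Explicit Deny wins; otherwise any matching Allow grants access."""
    resource = parse_arn(f"arn:aws:s3:::{bucket}/{key}")["resource"]
    allowed = False
    for st in policy["Statement"]:
        if not principal_matches(st["Principal"], caller):
            continue
        if not any(wildcard_match(a, action) for a in as_list(st["Action"])):
            continue
        if not any(wildcard_match(parse_arn(r)["resource"], resource)
                   for r in as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Calling is_allowed(POLICY, None, "s3:GetObject", "test", "test:file") gives the decision for the anonymous GET in step 3.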