Bug #36530 (open)

Radosgw bucket policy does not work when applying to LDAP user

Added by Son Hai Ha over 5 years ago. Updated almost 3 years ago.

Status: In Progress
Priority: Normal
Target version: -
% Done: 0%
Source: Community (user)
Tags: rgw, ldap, bucket policy
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite: rgw
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

Hello,

I create a bucket as a normal rgw user (named ceph-dashboard) and then use a bucket policy to share that bucket with an LDAP user.

The details of the bucket policy are below:

[sonhaiha@DEFRXXXX500 ~]$ s3cmd -c .s3cfg-cephdb info s3://shared-bucket
s3://shared-bucket/ (bucket):
   Location:  us-east-1
   Payer:     BucketOwner
   Expiration Rule: none
   Policy:    {
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam:::user/sonhaiha"]},
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::shared-bucket",
      "arn:aws:s3:::shared-bucket/*" 
    ]
  }]
}

   CORS:      none
   ACL:       Ceph Dashboard: FULL_CONTROL

I found that the rgw server does not find the permission for the LDAP user:

2018-10-15 10:43:36.521 7f3c65146700 15 decode_policy Read AccessControlPolicy<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>ceph-dashboard</ID><DisplayName>Ceph Dashboard</DisplayName></Owner><AccessControlList><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>ceph-dashboard</ID><DisplayName>Ceph Dashboard</DisplayName></Grantee><Permission>FULL_CONTROL</Permission></Grant></AccessControlList></AccessControlPolicy>
2018-10-15 10:43:36.522 7f3c65146700  2 req 4:0.026275:s3:GET /shared-bucket/:list_bucket:recalculating target
2018-10-15 10:43:36.522 7f3c65146700  2 req 4:0.026288:s3:GET /shared-bucket/:list_bucket:reading permissions
2018-10-15 10:43:36.522 7f3c65146700  2 req 4:0.026291:s3:GET /shared-bucket/:list_bucket:init op
2018-10-15 10:43:36.522 7f3c65146700  2 req 4:0.026292:s3:GET /shared-bucket/:list_bucket:verifying op mask
2018-10-15 10:43:36.522 7f3c65146700 20 required_mask= 1 user.op_mask=7
2018-10-15 10:43:36.522 7f3c65146700  2 req 4:0.026295:s3:GET /shared-bucket/:list_bucket:verifying op permissions
2018-10-15 10:43:36.522 7f3c65146700 20 -- Getting permissions begin with perm_mask=49
2018-10-15 10:43:36.522 7f3c65146700  5 Searching permissions for identity=rgw::auth::SysReqApplier -> rgw::auth::RemoteApplier(acct_user=sonhaiha, acct_name=sonhaiha, perm_mask=15, is_admin=0) mask=49
2018-10-15 10:43:36.522 7f3c65146700  5 Searching permissions for uid=sonhaiha
2018-10-15 10:43:36.522 7f3c65146700  5 Permissions for user not found
2018-10-15 10:43:36.522 7f3c65146700  5 Searching permissions for uid=sonhaiha$sonhaiha
2018-10-15 10:43:36.522 7f3c65146700  5 Permissions for user not found
2018-10-15 10:43:36.522 7f3c65146700 20 from ACL got perm=0
2018-10-15 10:43:36.522 7f3c65146700  5 Searching permissions for group=1 mask=49
2018-10-15 10:43:36.522 7f3c65146700  5 Permissions for group not found
2018-10-15 10:43:36.522 7f3c65146700  5 Searching permissions for group=2 mask=49
2018-10-15 10:43:36.522 7f3c65146700  5 Permissions for group not found
2018-10-15 10:43:36.522 7f3c65146700  5 -- Getting permissions done for identity=rgw::auth::SysReqApplier -> rgw::auth::RemoteApplier(acct_user=sonhaiha, acct_name=sonhaiha, perm_mask=15, is_admin=0), owner=ceph-dashboard, perm=0

At first, I thought that it was because the "type" of the users is different (rgw and ldap type), so the "principal" in the bucket policy has a different format. But when I exchanged emails with some experienced users from the mailing list, they said that the format for the principal should be the same. So I don't know where the problem could be. Below are the settings for our LDAP server.

rgw_ldap_binddn = CN=DE-SVCAAPdexLDAPBIND,OU=User,OU=ServiceAccounts,DC=example,DC=com
rgw_ldap_dnattr = name
rgw_ldap_searchdn = ou=Professional,ou=User,DC=example,DC=com
rgw_ldap_searchfilter = memberOf=CN=DE-SG ITS AAP Test Users,OU=Groups,DC=example,DC=com
rgw_ldap_secret = /etc/ceph/bindpass
rgw_ldap_uri = ldaps://DEFR2XXXX.example.com:636
rgw_s3_auth_use_ldap = True

If I use the LDAP user to create the bucket and share it with the normal rgw user, it works fine.

I think this could be a bug.
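A small triage helper, added here and not part of the bug report or of Ceph, that collapses the rgw debug lines quoted above into a summary of which identity was evaluated, which ACL uids were looked up, and what was finally granted; the sample lines are the req 4 lines from the report, and the regexes are written against those line shapes only.

```python
import re
from dataclasses import dataclass, field
# Constructed sample: the permission-check lines for req 4, copied from the rgw log in this report
SAMPLE_LOG = """\
2018-10-15 10:43:36.522 7f3c65146700  5 Searching permissions for identity=rgw::auth::SysReqApplier -> rgw::auth::RemoteApplier(acct_user=sonhaiha, acct_name=sonhaiha, perm_mask=15, is_admin=0) mask=49
2018-10-15 10:43:36.522 7f3c65146700  5 Searching permissions for uid=sonhaiha
2018-10-15 10:43:36.522 7f3c65146700  5 Permissions for user not found
2018-10-15 10:43:36.522 7f3c65146700  5 Searching permissions for uid=sonhaiha$sonhaiha
2018-10-15 10:43:36.522 7f3c65146700  5 Permissions for user not found
2018-10-15 10:43:36.522 7f3c65146700 20 from ACL got perm=0
2018-10-15 10:43:36.522 7f3c65146700  5 -- Getting permissions done for identity=rgw::auth::SysReqApplier -> rgw::auth::RemoteApplier(acct_user=sonhaiha, acct_name=sonhaiha, perm_mask=15, is_admin=0), owner=ceph-dashboard, perm=0
"""
RE_DONE = re.compile(r"Getting permissions done for .*owner=(\S+), perm=(\d+)")
RE_IDENTITY = re.compile(r"for identity=(.+?)\(acct_user=([^,]+).*?\) mask=(\d+)")
RE_UID = re.compile(r"Searching permissions for uid=(\S+)")
RE_ACL = re.compile(r"from ACL got perm=(\d+)")

@dataclass
class PermCheck:
    applier: str = ""          # rgw auth applier chain, e.g. "... -> rgw::auth::RemoteApplier"
    acct_user: str = ""        # the authenticated account rgw evaluated
    mask: int = 0              # permission bits the operation requires
    uids_tried: list = field(default_factory=list)  # uids looked up in the bucket ACL
    owner: str = ""            # bucket owner reported on the "done" line
    acl_perm: int = 0          # what the ACL alone granted
    final_perm: int = 0        # what the whole check granted

    def remote_identity(self) -> bool:
        # RemoteApplier is how rgw labels externally authenticated (here: LDAP) identities
        return "RemoteApplier" in self.applier
    def denied(self) -> bool:
        # perm=0 on the "done" line: neither the ACL nor the bucket policy granted anything
        return self.final_perm == 0

def parse_perm_check(log: str) -> PermCheck:
    pc = PermCheck()
    for line in log.splitlines():
        if m := RE_DONE.search(line):          # checked first: it also contains "identity="
            pc.owner, pc.final_perm = m.group(1), int(m.group(2))
        elif m := RE_IDENTITY.search(line):
            pc.applier, pc.acct_user, pc.mask = m.group(1), m.group(2), int(m.group(3))
        elif m := RE_UID.search(line):
            pc.uids_tried.append(m.group(1))
        elif m := RE_ACL.search(line):
            pc.acl_perm = int(m.group(1))
    return pc

if __name__ == "__main__":
    pc = parse_perm_check(SAMPLE_LOG)
    print(f"{pc.acct_user} remote={pc.remote_identity()} owner={pc.owner} uids_tried={pc.uids_tried} "
          f"acl_perm={pc.acl_perm} final_perm={pc.final_perm} denied={pc.denied()}")
```

Running it on the quoted lines shows the identity was a RemoteApplier (LDAP) account, that only the ACL lookups for sonhaiha and sonhaiha$sonhaiha were attempted, and that the request ended with perm=0 despite the policy naming that user.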

