Bug #43226
closed
rgw: object version can be deleted without TOTP on bucket that has MFA Delete enabled.
% Done:
0%
Source:
Tags:
Backport:
Regression:
No
Severity:
2 - major
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):
Description
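It seems that an object version can be deleted without a TOTP code on a bucket that has MFA Delete enabled. In the transcript below, the `delete-object --version-id` request carries no `--mfa` argument, yet it succeeds and the version is absent from the next `list-object-versions` output.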
- Environment: CentOS 7 + ceph octopus (master) installed through rpm packages built in shaman.
- TOTP generator: FreeOTP (Android).
[root@ceph-rpm ceph]# ceph -v
ceph version 15.0.0-8192-gb976dc5 (b976dc5aa33344fd4736a8ae3a4dce9d4351864d) octopus (dev)
[root@ceph-rpm ceph]# radosgw-admin mfa create --uid=dev --totp-serial=1 --totp-seed=23456723 --totp-seed-type=base32
[root@ceph-rpm ceph]# alias aws="aws --endpoint-url=http://localhost:8000"
[root@ceph-rpm ceph]# aws s3api create-bucket --bucket test
[root@ceph-rpm ceph]# aws s3api list-buckets
{
    "Owner": {
        "DisplayName": "Dev Admin",
        "ID": "dev"
    },
    "Buckets": [
        {
            "CreationDate": "2019-12-10T11:49:53.781Z",
            "Name": "test"
        }
    ]
}
[root@ceph-rpm ceph]# aws s3api get-bucket-versioning --bucket test
[root@ceph-rpm ceph]#
[root@ceph-rpm ceph]# aws s3api put-bucket-versioning --bucket test --versioning-configuration '{"Status":"Enabled","MFADelete":"Enabled"}' --mfa '1 221402'
[root@ceph-rpm ceph]# aws s3api get-bucket-versioning --bucket test
{
    "Status": "Enabled",
    "MFADelete": "Enabled"
}
[root@ceph-rpm ceph]# aws s3api put-object --bucket test --key example --body CONTRIBUTING.rst
{
    "VersionId": "ZrRv3hX0CgbjNo9j4egnexvFTlPa--x",
    "ETag": "\"2551b46bd421838b7a5fca325f12818c\""
}
[root@ceph-rpm ceph]# aws s3api list-object-versions --bucket test --key example
{
    "Name": "test",
    "Versions": [
        {
            "LastModified": "2019-12-10T12:12:41.776Z",
            "VersionId": "ZrRv3hX0CgbjNo9j4egnexvFTlPa--x",
            "ETag": "\"2551b46bd421838b7a5fca325f12818c\"",
            "StorageClass": "STANDARD",
            "Key": "example",
            "Owner": {
                "DisplayName": "Dev Admin",
                "ID": "dev"
            },
            "IsLatest": true,
            "Size": 640
        }
    ],
    "MaxKeys": 1000,
    "Prefix": "",
    "KeyMarker": "example",
    "IsTruncated": false,
    "VersionIdMarker": ""
}
[root@ceph-rpm ceph]# aws s3api delete-object --bucket test --key example --version-id ZrRv3hX0CgbjNo9j4egnexvFTlPa--x
{
    "VersionId": "ZrRv3hX0CgbjNo9j4egnexvFTlPa--x"
}
[root@ceph-rpm ceph]# aws s3api list-object-versions --bucket test --key example
{
    "MaxKeys": 1000,
    "Prefix": "",
    "Name": "test",
    "KeyMarker": "example",
    "IsTruncated": false,
    "VersionIdMarker": ""
}