Bug #58594: MultiPart Upload with Bucket Policy Fails - rgw - Ceph

Actions

Copy link

Bug #58594

open

MultiPart Upload with Bucket Policy Fails

Added by Aidan Damerell over 1 year ago. Updated 12 months ago.

Status:

Pending Backport

Priority:

Normal

Assignee:

Casey Bodley

Target version:

% Done:

Source:

Tags:

post multipart policy sse backport_processed

Backport:

quincy reef

Regression:

Severity:

3 - minor

Reviewed:

Affected Versions:

ceph-qa-suite:

Pull request ID:

50924

Crash signature (v1):

Crash signature (v2):

Description

When configuring a bucket with the following policy, any multi-part uploads are rejected:

{"Sid":"DenyUnencryptedUploads","Effect":"Deny","Principal":"*","Action":"s3:PutObject","Resource":"BUCKET_ARN/*","Condition":{"Null":{"s3:x-amz-server-side-encryption":"true"}}}

From some digging it would appear the authorization checks found in `RGWPutObj::verify_permission` are not replicated in the `RGWPostObj::verify_permission` function and thus the `x-amz-server-side-encryption` header is never added to the authorization environment using `rgw_add_to_iam_environment`, currently `src/rgw/rgw_op.cc`:3697 on the main branch.

Related issues 2 (2 open — 0 closed)