Bug #61954
UploadPartCopy fails with 403 if subuser access is granted by bucket policy
Description
Here is the scenario:
The cluster is upgraded from Octopus to Pacific. A subuser, who has full access to a bucket through a bucket policy, gets 403 while trying to rename/copy a large object on that bucket.
It works fine on Octopus. Also, on Pacific it works if the subuser has "--access=full-access". But if the subuser's access is "none" and the access is granted by a bucket policy, it fails.
More precisely, from the logs it looks like the UploadPartCopy fails to write to the bucket:
2023-07-11T12:46:55.163+0330 7f0886172700 2 req 2045520110528258252 0.000000000s s3:put_obj verifying op mask
2023-07-11T12:46:55.163+0330 7f0886172700 20 req 2045520110528258252 0.000000000s s3:put_obj required_mask= 2 user.op_mask=7
2023-07-11T12:46:55.163+0330 7f0886172700 2 req 2045520110528258252 0.000000000s s3:put_obj verifying op permissions
2023-07-11T12:46:55.163+0330 7f0886172700 20 req 2045520110528258252 0.000000000s s3:put_obj get_obj_state: rctx=0x7f093d785a30 obj=moti:largeobject state=0x55f5ff23c9e8 s->prefetch_data=1
2023-07-11T12:46:55.167+0330 7f087a95b700 10 req 2045520110528258252 0.003999937s s3:put_obj manifest: total_size = 13631488
2023-07-11T12:46:55.167+0330 7f087a95b700 20 req 2045520110528258252 0.003999937s s3:put_obj get_obj_state: setting s->obj_tag to ...
2023-07-11T12:46:55.167+0330 7f087a95b700 15 req 2045520110528258252 0.003999937s s3:put_obj decode_policy Read AccessControlPolicy<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>...</ID><DisplayName>...</DisplayName></Owner><AccessControlList><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>...</ID><DisplayName>...</DisplayName></Grantee><Permission>FULL_CONTROL</Permission></Grant></AccessControlList></AccessControlPolicy>
2023-07-11T12:46:55.167+0330 7f087a95b700 20 req 2045520110528258252 0.003999937s s3:put_obj -- Getting permissions begin with perm_mask=49
2023-07-11T12:46:55.167+0330 7f087a95b700 5 req 2045520110528258252 0.003999937s s3:put_obj Searching permissions for identity=rgw::auth::SysReqApplier -> rgw::auth::LocalApplier(acct_user=..., acct_name=..., subuser=..., perm_mask=0, is_admin=0) mask=49
2023-07-11T12:46:55.167+0330 7f087a95b700 5 req 2045520110528258252 0.003999937s s3:put_obj Searching permissions for uid=...
2023-07-11T12:46:55.167+0330 7f087a95b700 5 req 2045520110528258252 0.003999937s s3:put_obj Found permission: 15
2023-07-11T12:46:55.167+0330 7f087a95b700 5 req 2045520110528258252 0.003999937s s3:put_obj Searching permissions for group=1 mask=49
2023-07-11T12:46:55.167+0330 7f087a95b700 5 req 2045520110528258252 0.003999937s s3:put_obj Permissions for group not found
2023-07-11T12:46:55.167+0330 7f087a95b700 5 req 2045520110528258252 0.003999937s s3:put_obj Searching permissions for group=2 mask=49
2023-07-11T12:46:55.167+0330 7f087a95b700 5 req 2045520110528258252 0.003999937s s3:put_obj Permissions for group not found
2023-07-11T12:46:55.167+0330 7f087a95b700 5 req 2045520110528258252 0.003999937s s3:put_obj -- Getting permissions done for identity=rgw::auth::SysReqApplier -> rgw::auth::LocalApplier(acct_user=..., acct_name=..., subuser=..., perm_mask=0, is_admin=0), owner=..., perm=1
2023-07-11T12:46:55.167+0330 7f087a95b700 10 req 2045520110528258252 0.003999937s s3:put_obj identity=rgw::auth::SysReqApplier -> rgw::auth::LocalApplier(acct_user=..., acct_name=..., subuser=..., perm_mask=0, is_admin=0) requested perm (type)=1, policy perm=1, user_perm_mask=0, acl perm=0
2023-07-11T12:46:55.167+0330 7f087a95b700 1 req 2045520110528258252 0.003999937s op->ERRORHANDLER: err_no=-13 new_err_no=-13
2023-07-11T12:46:55.167+0330 7f087a95b700 2 req 2045520110528258252 0.003999937s s3:put_obj op status=0
2023-07-11T12:46:55.167+0330 7f087a95b700 2 req 2045520110528258252 0.003999937s s3:put_obj http status=403
And this is the bucket policy:
{
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam:::user/userid:suserid"
            },
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::bucketname",
                "arn:aws:s3:::bucketname/*"
            ]
        }
    ]
}
Updated by Casey Bodley 8 months ago
- Subject changed from UploadPartCopy fails with 403 if access is granted by bucket policy to UploadPartCopy fails with 403 if subuser access is granted by bucket policy
Updated by Wei Wang 7 months ago
Changes introduced by https://github.com/ceph/ceph/pull/36798 use a cached copy_source_bucket_info, thus losing the bucket policy information. Additionally, read_obj_policy passes an empty cs_attrs as an argument instead of cs_bucket->get_attrs(), so get_iam_policy_from_attr cannot find anything.
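The diagnosis above (policy lost because the copy-source attrs handed to read_obj_policy are empty, so authorization falls through to the ACL, which the subuser's perm_mask of 0 wipes out) can be illustrated with a small model of RGW's policy-then-ACL decision. The block below is an added example, not Ceph code: the function names, the attrs dictionary layout, and the sample policy and identities are assumptions made for the illustration; only the permission bit values and the "user.rgw.iam-policy" attribute name are taken from RGW.

```python
"""Model of RGW's bucket-policy-then-ACL authorization for the copy source
of an UploadPartCopy.  Added illustration only (not Ceph code): function
names, the attrs-dict layout and the sample data are assumptions."""
import fnmatch
import json

# RGW permission bits (rgw_common.h): READ=1, WRITE=2, READ_ACP=4, WRITE_ACP=8
RGW_PERM_READ = 1
RGW_PERM_WRITE = 2
RGW_PERM_FULL_CONTROL = 15
# xattr under which RGW stores a bucket policy (RGW_ATTR_IAM_POLICY)
IAM_POLICY_ATTR = "user.rgw.iam-policy"


def principal_matches(principal, identity):
    """Match an IAM principal ARN against a (uid, subuser) identity.

    RGW writes local users as arn:aws:iam:::user/<uid> and subusers as
    arn:aws:iam:::user/<uid>:<subuser>; <uid>:* matches any subuser of <uid>.
    """
    if principal == "*":
        return True
    if not principal.startswith("arn:aws:iam:") or "user/" not in principal:
        return False
    name = principal.rsplit("user/", 1)[1]
    uid, subuser = identity
    if name == uid or name == uid + ":*":
        return True
    return subuser is not None and name == uid + ":" + subuser


def _as_list(v):
    return v if isinstance(v, list) else [v]


def eval_policy(policy, identity, action, resource):
    """Return "Deny", "Allow" or None (policy silent).  An explicit deny wins."""
    result = None
    for stmt in policy.get("Statement", []):
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if not any(principal_matches(p, identity) for p in principals):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        result = "Allow"
    return result


def verify_permission(identity, perm_mask, attrs, acl_grants, action, resource, need):
    """RGW order: bucket policy read from attrs first, then the ACL masked by
    the (sub)user's perm_mask.  Returns True when the request may proceed."""
    raw = attrs.get(IAM_POLICY_ATTR)
    if raw is not None:
        verdict = eval_policy(json.loads(raw), identity, action, resource)
        if verdict == "Deny":
            return False
        if verdict == "Allow":
            return True
    uid = identity[0]
    acl_perm = acl_grants.get(uid, 0) & perm_mask  # --access=none gives mask 0
    return (acl_perm & need) == need


# Constructed sample mirroring the report: the owner holds FULL_CONTROL via the
# ACL, and the bucket policy grants everything to subuser "suserid" of "userid".
BUCKET_POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam:::user/userid:suserid"},
        "Action": "*",
        "Resource": ["arn:aws:s3:::bucketname", "arn:aws:s3:::bucketname/*"],
    }]
}
BUCKET_ATTRS = {IAM_POLICY_ATTR: json.dumps(BUCKET_POLICY)}  # cs_bucket->get_attrs()
ACL_GRANTS = {"userid": RGW_PERM_FULL_CONTROL}
SUBUSER = ("userid", "suserid")
SOURCE_OBJ = "arn:aws:s3:::bucketname/largeobject"


def copy_source_status(cs_attrs, perm_mask):
    """HTTP status the copy-source check yields for the subuser, given the
    attrs that the read_obj_policy step receives for the source bucket."""
    ok = verify_permission(SUBUSER, perm_mask, cs_attrs, ACL_GRANTS,
                           "s3:GetObject", SOURCE_OBJ, RGW_PERM_READ)
    return 200 if ok else 403


if __name__ == "__main__":
    print("bucket attrs passed, access=none:", copy_source_status(BUCKET_ATTRS, 0))
    print("empty cs_attrs, access=none:    ", copy_source_status({}, 0))
    print("empty cs_attrs, access=full:    ", copy_source_status({}, RGW_PERM_FULL_CONTROL))
```

Running it reproduces the three observations in the report: with the real bucket attrs the policy allows the subuser (200); with an empty attrs dict no policy is found and the ACL fallback, masked by perm_mask 0, denies (403); and a subuser with full access passes the ACL fallback even without the policy (200), which is why "--access=full" hid the regression.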