Project

General

Profile

Actions
Copy link

Bug #61954

open

UploadPartCopy fails with 403 if subuser access is granted by bucket policy

Added by Amir Malekzadeh 10 months ago. Updated 7 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Target version:
-
% Done:

0%

Source:
Tags:
Backport:
Regression:
Yes
Severity:
1 - critical
Reviewed:
Affected Versions:
Ceph - v16.2.13
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

Here is the scenario:
The cluster is upgraded from Octopus to Pacific. A subuser, who has full access to a bucket through a bucket policy, gets 403 while trying to rename/copy a large object on that bucket.
It works fine if on Octopus. Also, on Pacific it works if the subuser has "--access=full-access". But if the subuser's access is "none" and the access is granted by a bucket policy, it fails.
More precisely, from the logs looks like the UploadPartCopy fails to write on the bucket:

2023-07-11T12:46:55.163+0330 7f0886172700  2 req 2045520110528258252 0.000000000s s3:put_obj verifying op mask
2023-07-11T12:46:55.163+0330 7f0886172700 20 req 2045520110528258252 0.000000000s s3:put_obj required_mask= 2 user.op_mask=7
2023-07-11T12:46:55.163+0330 7f0886172700  2 req 2045520110528258252 0.000000000s s3:put_obj verifying op permissions
2023-07-11T12:46:55.163+0330 7f0886172700 20 req 2045520110528258252 0.000000000s s3:put_obj get_obj_state: rctx=0x7f093d785a30 obj=moti:largeobject state=0x55f5ff23c9e8 s->prefetch_data=1
2023-07-11T12:46:55.167+0330 7f087a95b700 10 req 2045520110528258252 0.003999937s s3:put_obj manifest: total_size = 13631488
2023-07-11T12:46:55.167+0330 7f087a95b700 20 req 2045520110528258252 0.003999937s s3:put_obj get_obj_state: setting s->obj_tag to ...
2023-07-11T12:46:55.167+0330 7f087a95b700 15 req 2045520110528258252 0.003999937s s3:put_obj decode_policy Read AccessControlPolicy<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>...</ID><DisplayName>...</DisplayName></Owner><AccessControlList><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>...</ID><DisplayName>...</DisplayName></Grantee><Permission>FULL_CONTROL</Permission></Grant></AccessControlList></AccessControlPolicy>
2023-07-11T12:46:55.167+0330 7f087a95b700 20 req 2045520110528258252 0.003999937s s3:put_obj -- Getting permissions begin with perm_mask=49
2023-07-11T12:46:55.167+0330 7f087a95b700  5 req 2045520110528258252 0.003999937s s3:put_obj Searching permissions for identity=rgw::auth::SysReqApplier -> rgw::auth::LocalApplier(acct_user=..., acct_name=..., subuser=..., perm_mask=0, is_admin=0) mask=49
2023-07-11T12:46:55.167+0330 7f087a95b700  5 req 2045520110528258252 0.003999937s s3:put_obj Searching permissions for uid=...
2023-07-11T12:46:55.167+0330 7f087a95b700  5 req 2045520110528258252 0.003999937s s3:put_obj Found permission: 15
2023-07-11T12:46:55.167+0330 7f087a95b700  5 req 2045520110528258252 0.003999937s s3:put_obj Searching permissions for group=1 mask=49
2023-07-11T12:46:55.167+0330 7f087a95b700  5 req 2045520110528258252 0.003999937s s3:put_obj Permissions for group not found
2023-07-11T12:46:55.167+0330 7f087a95b700  5 req 2045520110528258252 0.003999937s s3:put_obj Searching permissions for group=2 mask=49
2023-07-11T12:46:55.167+0330 7f087a95b700  5 req 2045520110528258252 0.003999937s s3:put_obj Permissions for group not found
2023-07-11T12:46:55.167+0330 7f087a95b700  5 req 2045520110528258252 0.003999937s s3:put_obj -- Getting permissions done for identity=rgw::auth::SysReqApplier -> rgw::auth::LocalApplier(acct_user=..., acct_name=..., subuser=..., perm_mask=0, is_admin=0), owner=..., perm=1
2023-07-11T12:46:55.167+0330 7f087a95b700 10 req 2045520110528258252 0.003999937s s3:put_obj  identity=rgw::auth::SysReqApplier -> rgw::auth::LocalApplier(acct_user=..., acct_name=..., subuser=..., perm_mask=0, is_admin=0) requested perm (type)=1, policy perm=1, user_perm_mask=0, acl perm=0
2023-07-11T12:46:55.167+0330 7f087a95b700  1 req 2045520110528258252 0.003999937s op->ERRORHANDLER: err_no=-13 new_err_no=-13
2023-07-11T12:46:55.167+0330 7f087a95b700  2 req 2045520110528258252 0.003999937s s3:put_obj op status=0
2023-07-11T12:46:55.167+0330 7f087a95b700  2 req 2045520110528258252 0.003999937s s3:put_obj http status=403

And this is the bucket policy:

{
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam:::user/userid:suserid" 
            },
            "Action": "*",
            "Resource": [
                    "arn:aws:s3:::bucketname",
                    "arn:aws:s3:::bucketname/*" 
            ]
        }
    ]
}
Actions
Copy link
 #1

Updated by Casey Bodley 8 months ago

  • Subject changed from UploadPartCopy fails with 403 if access is granted by bucket policy to UploadPartCopy fails with 403 if subuser access is granted by bucket policy
Actions
Copy link
 #2

Updated by Wei Wang 7 months ago

https://github.com/ceph/ceph/blob/03e43c5bb08452b06a89c14de5a9ff7f9f82a3e1/src/rgw/rgw_op.cc#L3690-L3714

Changes introduced by https://github.com/ceph/ceph/pull/36798 use a cached copy_source_bucket_info, thus lost bucket policy information. Additionally,read_obj_policy pass an empty cs_attrs as argument instead of cs_bucket->get_attrs(), so get_iam_policy_from_attr can not find anything.

Actions
Copy link

Also available in: Atom PDF