Bug #63724
openobject lock: An object uploaded through a multipart upload can be deleted without the x-amz-bypass-governance-retention header
% Done: 0%
Source:
Tags: object-lock backport_processed
Backport: quincy reef squid
Regression: No
Severity: 3 - minor
Reviewed:
Description
Set object locks on buckets and upload objects to buckets. Objects can be deleted without the x-amz-bypass-governance-retention header.
Set object locks on buckets and upload objects.
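
    import boto3
    from datetime import datetime

    # Placeholders: set the endpoint and credentials for the RGW instance under test.
    s3_client = boto3.client(
        's3',
        endpoint_url='http://<rgw-host>:<port>',
        aws_access_key_id='<access-key>',
        aws_secret_access_key='<secret-key>',
    )
    bucketname = 'buck-lock'  # bucket and key as they appear in the s3cmd listing
    objectname = '50M'

    # Add the governance-bypass header to every request this client signs.
    def _add_header(request, **kwargs):
        request.headers.add_header('x-amz-bypass-governance-retention', "true")

    event_system = s3_client.meta.events
    event_system.register_first('before-sign.s3.*', _add_header)

    # Create a bucket with Object Lock enabled and a 1-day GOVERNANCE default retention.
    s3_client.create_bucket(Bucket=bucketname, ObjectLockEnabledForBucket=True)
    s3_client.put_object_lock_configuration(
        Bucket=bucketname,
        ObjectLockConfiguration={
            'ObjectLockEnabled': 'Enabled',
            'Rule': {
                'DefaultRetention': {
                    'Mode': 'GOVERNANCE',  # COMPLIANCE || GOVERNANCE
                    'Days': 1,
                    # 'Years':123
                }
            }
        }
    )

    # Upload a single 3 KiB part through a multipart upload, then complete it.
    mpu = s3_client.create_multipart_upload(Bucket=bucketname, Key=objectname, ObjectLockLegalHoldStatus='ON')
    uploadid = mpu["UploadId"]
    part_info = {'Parts': []}
    res = s3_client.upload_part(Bucket=bucketname, Key=objectname, PartNumber=1, UploadId=uploadid, Body="a"*1024*3)
    part_info['Parts'].append({'PartNumber': 1, 'ETag': res['ETag']})
    s3_client.complete_multipart_upload(Bucket=bucketname, Key=objectname, UploadId=uploadid, MultipartUpload=part_info)

    # Print the retention that was applied to the completed object.
    resp = s3_client.get_object_retention(Bucket=bucketname, Key=objectname)
    print(resp['Retention'])
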
The result of the script is as follows.
@5257f20a581e ▶ python3 worm_test.py
{'Mode': 'GOVERNANCE', 'RetainUntilDate': datetime.datetime(2023, 12, 5, 7, 16, 56, 655410, tzinfo=tzlocal())}
@5257f20a581e ▶ s3cmd ls s3://buck-lock
2023-12-04 08:32 3072 s3://buck-lock/50M
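Delete the object without a BypassGovernanceRetention header.

    # worm_test2.py: same s3_client, bucketname and objectname as above,
    # but the _add_header hook is not registered, so no bypass header is sent.
    resp = s3_client.get_object_retention(Bucket=bucketname, Key=objectname)
    print(resp['Retention'])
    s3_client.delete_object(Bucket=bucketname, Key=objectname)
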
The result of the script is as follows. Even if object locks are set on the bucket, objects uploaded through multipart upload can still be deleted.
@5257f20a581e ▶ python3 worm_test2.py
{'Mode': 'GOVERNANCE', 'RetainUntilDate': datetime.datetime(2023, 12, 5, 7, 16, 56, 655410, tzinfo=tzlocal())}
…/xx/ceph/build loacl_ceph via △ v3.20.2 v3.9.18 took 2s
@5257f20a581e ▶ s3cmd ls s3://buck-lock
…/xx/ceph/build loacl_ceph via △ v3.20.2 v3.9.18
@5257f20a581e ▶
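
A reference model of the delete decision that S3 Object Lock semantics prescribe, usable as an oracle when re-testing this report against a gateway. It is an added example, not code from the report or from Ceph, and it covers more than the report's case (compliance mode, legal hold, DELETE without a version id); the function names, the version id "v1" and the UTC timestamps are assumptions, and the sample state is constructed from the values printed above.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional


def expected_delete_outcome(mode: Optional[str], retain_until: Optional[datetime],
                            legal_hold: bool, version_id: Optional[str],
                            bypass_header: bool, may_bypass: bool,
                            now: datetime) -> str:
    """Return 'delete-marker', 'allow' or 'deny' for a DELETE request."""
    if version_id is None:
        # Object Lock needs a versioned bucket: a DELETE without versionId only
        # stacks a delete marker on top; the locked version itself must survive.
        return "delete-marker"
    if legal_hold:
        return "deny"  # the bypass header does not override a legal hold
    if mode is None or retain_until is None or retain_until <= now:
        return "allow"  # never locked, or the retention period is over
    if mode == "COMPLIANCE":
        return "deny"  # compliance retention cannot be bypassed by anyone
    if mode == "GOVERNANCE":
        # Needs the header AND the s3:BypassGovernanceRetention permission.
        return "allow" if (bypass_header and may_bypass) else "deny"
    raise ValueError(f"unknown retention mode: {mode!r}")


# Constructed sample modelled on the report: GOVERNANCE retention until
# 2023-12-05 07:16:56, checked on 2023-12-04. UTC and the version id "v1" are
# assumptions; the report prints local time and shows no version id.
RETAIN_UNTIL = datetime(2023, 12, 5, 7, 16, 56, tzinfo=timezone.utc)
NOW = datetime(2023, 12, 4, 8, 32, tzinfo=timezone.utc)
LATER = RETAIN_UNTIL + timedelta(seconds=1)


def report_cases() -> dict:
    """Expected outcomes for the report's object state under several requests."""
    gov = ("GOVERNANCE", RETAIN_UNTIL)
    return {
        "versioned, no header": expected_delete_outcome(*gov, False, "v1", False, True, NOW),
        "versioned, header + permission": expected_delete_outcome(*gov, False, "v1", True, True, NOW),
        "versioned, header, legal hold": expected_delete_outcome(*gov, True, "v1", True, True, NOW),
        "no versionId": expected_delete_outcome(*gov, False, None, False, True, NOW),
        "after expiry": expected_delete_outcome(*gov, False, "v1", False, False, LATER),
    }


if __name__ == "__main__":
    for case, outcome in report_cases().items():
        print(f"{case}: {outcome}")
```

When comparing a gateway against this model, pass the object's VersionId to delete_object and inspect list_object_versions afterwards, so that a delete marker is not confused with removal of the locked version.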