Bug #63724: object lock: An object uploaded through a multipart upload can be deleted without the x-amz-bypass-governance-retention header - rgw - Ceph

Actions

Copy link

Bug #63724

open

object lock: An object uploaded through a multipart upload can be deleted without the x-amz-bypass-governance-retention header

Added by djf daijufang 6 months ago. Updated 3 months ago.

Status:

Pending Backport

Priority:

High

Assignee:

Casey Bodley

Target version:

% Done:

Source:

Tags:

object-lock backport_processed

Backport:

quincy reef squid

Regression:

Severity:

3 - minor

Reviewed:

Affected Versions:

ceph-qa-suite:

Pull request ID:

54767

Crash signature (v1):

Crash signature (v2):

Description

Set object locks on buckets and upload objects to buckets. Objects can be deleted without the x-amz-bypass-governance-retention header.

Set object locks on buckets and upload objects.

from datetime import datetime

def _add_header(request, **kwargs):
    request.headers.add_header('x-amz-bypass-governance-retention', "true")
event_system = s3_client.meta.events
event_system.register_first('before-sign.s3.*', _add_header)

s3_client.create_bucket(Bucket=bucketname, ObjectLockEnabledForBucket=True)
s3_client.put_object_lock_configuration(
        Bucket=bucketname,
        ObjectLockConfiguration={
            'ObjectLockEnabled': 'Enabled',
            'Rule': {
                'DefaultRetention': {
                    'Mode': 'GOVERNANCE',  # COMPLIANCE || GOVERNANCE
                    'Days': 1,
                    # 'Years':123
                }
            }
        }
    )

mpu = s3_client.create_multipart_upload(Bucket=bucketname,Key=objectname,ObjectLockLegalHoldStatus='ON')
uploadid = mpu["UploadId"]
part_info = {'Parts': []}
res = s3_client.upload_part(Bucket=bucketname, Key=objectname, PartNumber=1, UploadId=uploadid, Body="a"*1024*3)
part_info['Parts'].append({'PartNumber': 1, 'ETag': res['ETag']})
s3_client.complete_multipart_upload(Bucket=bucketname, Key=objectname, UploadId=uploadid, MultipartUpload=part_info)

resp = s3_client.get_object_retention(Bucket=bucketname, Key=objectname)
print(resp['Retention'])

The result of the script is as follows.


@5257f20a581e ▶ python3 worm_test.py
{'Mode': 'GOVERNANCE', 'RetainUntilDate': datetime.datetime(2023, 12, 5, 7, 16, 56, 655410, tzinfo=tzlocal())}

@5257f20a581e ▶ s3cmd ls s3://buck-lock
2023-12-04 08:32         3072  s3://buck-lock/50M

Deletes the object without a BypassGovernanceRetention header.


resp = s3_client.get_object_retention(Bucket=bucketname, Key=objectname)
print(resp['Retention'])

s3_client.delete_object(Bucket=bucketname, Key=objectname)

The result of the script is as follows. Even if object locks are set on the bucket, objects uploaded through multipart upload can still be deleted


@5257f20a581e ▶ python3 worm_test2.py
{'Mode': 'GOVERNANCE', 'RetainUntilDate': datetime.datetime(2023, 12, 5, 7, 16, 56, 655410, tzinfo=tzlocal())}

…/xx/ceph/build   loacl_ceph via △ v3.20.2    v3.9.18 took 2s
@5257f20a581e ▶ s3cmd ls s3://buck-lock

…/xx/ceph/build   loacl_ceph via △ v3.20.2    v3.9.18
@5257f20a581e ▶

Related issues 3 (2 open — 1 closed)

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Ceph » rgw

Custom queries

Bug #63724

object lock: An object uploaded through a multipart upload can be deleted without the x-amz-bypass-governance-retention header

Updated by djf daijufang 6 months ago

Updated by Casey Bodley 6 months ago

Updated by Casey Bodley 4 months ago

Updated by Casey Bodley 3 months ago

Updated by Casey Bodley 3 months ago

Updated by Casey Bodley 3 months ago

Updated by Casey Bodley 3 months ago

Updated by Backport Bot 3 months ago

Updated by Backport Bot 3 months ago

Updated by Backport Bot 3 months ago

Updated by Backport Bot 3 months ago