Bug #63751
closedRGW/IAM-STS: Permission policies are not honored
0%
Description
There's 2 related topics/issues here.
rgw admin has no visibility in who owns which roles¶
- "role create" doesn’t make use of user id (—uid) info.
- "role list" gives no visibility to the admin wrt who owns the roles.
- likewise, when a rest/s3 user/client creates a role, an admin doesn't have visibility wrt owner of the role as "tenant" is not generally used.
policy permissions are not honored¶
A random s3 user, regardless of whether it's listed in the trust policy or not and regardless of whether such a user has already assumed the trust policy or not, can delete another user's role or take actions (e.g., put policy, delete policy, etc.) on another user's role - which is a critical privacy/security gap.
Raised the s3-test PR that reproduces this problem: https://github.com/ceph/s3-tests/pull/535.
The test test_role_ownership__delete_role_without_permission fails with
FAILED s3tests_boto3/functional/test_sts.py::test_role_ownership__delete_role_without_permission - AssertionError: without acquiring DeleteRole permission, cannot delete other user's role
which shows that a random s3 user can delete some other user's role.
And, the test test_role_ownership__put_or_delete_policy_without_permission fails with
FAILED s3tests_boto3/functional/test_sts.py::test_role_ownership__put_or_delete_policy_without_permission - AssertionError: alt user put the policy although permission is not granted yet
which shows that a random s3 user can put a policy to some other user's role without obtaining PutPolicy permission.
Finally, testcase test_s3_ops shows how powerful the PutPolicy permission is.
Root Cause Analysis¶
At https://github.com/ceph/ceph/blob/cc1951a5d6d7a11185fc095b6ccd094f3b1273eb/src/rgw/rgw_rest_role.cc#L94, the method RGWRestRole::verify_permission (the default method for actions to verify whether the user has permission for that action), we currently check only user's capability. Instead of returning early, after verifying user has the required capability, we should also check permission policies. Owner of the role would have all the permissions implicitly so the owner of the role (if specified) can skip this check.
As a solution, raised PR https://github.com/ceph/ceph/pull/54826 for further review.
The fix resolves the new testcases added to s3-tests:test_sts.py. Other existing tests pass as well after the fix. There's 2 cases, though, that fail the same way before & after fix.
Updated by Pritha Srivastava 5 months ago
https://github.com/ceph/ceph/blob/cc1951a5d6d7a11185fc095b6ccd094f3b1273eb/src/rgw/rgw_rest_role.cc#L101, does check for a user's permission policies. Where exactly does the code return from in RGWRestRole::verify_permission?
Updated by Oguzhan Ozmen 5 months ago
Pritha Srivastava wrote:
https://github.com/ceph/ceph/blob/cc1951a5d6d7a11185fc095b6ccd094f3b1273eb/src/rgw/rgw_rest_role.cc#L101, does check for a user's permission policies. Where exactly does the code return from in RGWRestRole::verify_permission?
In these testcases, all users are given "roles:*" capability as a result https://github.com/ceph/ceph/blob/cc1951a5d6d7a11185fc095b6ccd094f3b1273eb/src/rgw/rgw_rest_role.cc#L94 always returns 0 and that's why verify_user_permission is not check.
AFAIU, what you're suggesting is, by design if all our rgw users (tenancies) are given "roles:*" capability, any user is allowed to perform any action on everyone else's role?
I mean - do you suggest the privacy gap we see is just by design?
Updated by Casey Bodley 4 months ago
- Status changed from New to Won't Fix
closing as 'not a bug' since this is the expected behavior with the admin caps. there's a lot of good discussion in https://github.com/ceph/ceph/pull/54826 and i'd like to keep exploring options there