Bug #21578
closed
s3:GetBucketCORS/s3:PutBucketCORS policy fails with 403
Description
Upstream counterpart to Red Hat Bugzilla #1494140
After setting the policy, set_cors_xml()/set_cors() or get_cors_xml()/get_cors() fail to work.
Version-Release number of selected component (if applicable):
ceph-radosgw-12.2.0-2.el7cp.x86_64
How reproducible:
Always
Steps to Reproduce:
1. Create a bucket with tenant user testx$tester
2. Write a bucket policy providing s3:GetBucketCORS/s3:PutBucketCORS to another user in the same or different tenant
3. After setting the policy, try setting/getting CORS configuration on the bucket using the permitted user credentials
Actual results:
S3ResponseError: 403 Forbidden
Expected results:
Should successfully allow the user to set/get CORS configuration.
Additional info:
Bucket policy:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::testy:user/u2"]},
    "Action": ["s3:ListBucket", "s3:GetBucketCORS", "s3:PutBucketCORS"],
    "Resource": [
      "arn:aws:s3::*:my-bucket",
      "arn:aws:s3::*:my-bucket/*"
    ]
  }]
}
- s3cmd -c s3test.cfg setpolicy getputcors s3://my-bucket
Boto script with the user credentials of testy$u2:
# conn: an existing boto S3 connection made with the credentials of testy$u2
b = conn.get_bucket("testx:my-bucket")
cors_conf = """
<CORSConfiguration>
  <CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>PUT</AllowedMethod>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedMethod>DELETE</AllowedMethod>
    <AllowedHeader>*</AllowedHeader>
  </CORSRule>
</CORSConfiguration>
"""
b.set_cors_xml(cors_conf)   # reported to fail with 403 Forbidden
print(b.get_cors())         # reported to fail with 403 Forbidden
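Added example (not part of the original report and not Ceph's code): a simplified Allow/Deny evaluation of the bucket policy above, showing the decisions the report expects for testy$u2. The resource ARN form arn:aws:s3::testx:my-bucket (tenant in the account field) and all helper names are assumptions.

```python
import json
from fnmatch import fnmatchcase

# Bucket policy copied from the report above.
POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{
   "Effect": "Allow",
   "Principal": {"AWS": ["arn:aws:iam::testy:user/u2"]},
   "Action": ["s3:ListBucket", "s3:GetBucketCORS", "s3:PutBucketCORS"],
   "Resource": ["arn:aws:s3::*:my-bucket", "arn:aws:s3::*:my-bucket/*"]
 }]}
""")

U2 = "arn:aws:iam::testy:user/u2"
# Assumption: the bucket owned by tenant testx is named with the tenant
# in the ARN's account field.
BUCKET = "arn:aws:s3::testx:my-bucket"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, principal, action, resource):
    """Simplified evaluation ({"AWS": ...} principals only): Deny wins."""
    allowed = False
    for st in _as_list(policy["Statement"]):
        principals = _as_list(st["Principal"].get("AWS", []))
        if principal not in principals and "*" not in principals:
            continue
        # Action names compare case-insensitively; '*' and '?' are wildcards.
        if not any(fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def expected_results():
    """Decisions the report expects for testy$u2 on testx:my-bucket."""
    actions = ("s3:GetBucketCORS", "s3:PutBucketCORS", "s3:DeleteBucket")
    return {a: is_allowed(POLICY, U2, a, BUCKET) for a in actions}


if __name__ == "__main__":
    print(expected_results())
```

Both CORS actions evaluate to allowed for testy$u2 while an action missing from the policy does not, which is the behaviour the 403 responses contradict.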
Updated by Adam Emerson over 6 years ago
- Status changed from 12 to Fix Under Review
Have a fix in https://github.com/ceph/ceph/pull/18000
Updated by Adam Emerson over 6 years ago
- Status changed from Fix Under Review to 17
Updated by Matt Benjamin over 6 years ago
- Status changed from 17 to Pending Backport
Updated by Nathan Cutler over 6 years ago
- Copied to Backport #21635: luminous: s3:GetBucketCORS/s3:PutBucketCORS policy fails with 403 added
Updated by Adam Emerson over 6 years ago
- Status changed from Pending Backport to Resolved