Project

General

Profile

Actions
Copy link

Bug #21582

closed

s3:GetBucketLocation bucket policy fails with 403

Added by Adam Emerson over 6 years ago. Updated over 6 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Adam Emerson
Target version:
-
% Done:

0%

Source:
Q/A
Tags:
Backport:
luminous
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

After setting the policy, get_location() on the bucket fails to work.

Version-Release number of selected component (if applicable):
ceph-radosgw-12.2.0-2.el7cp.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Create a bucket with tenant user testx$tester
2. Write a bucket policy providing s3:GetBucketLocation to another user in the same or different tenant
3. After setting the policy, try doing a get_location() on the bucket with the permitted user credentials.

Actual results:
S3ResponseError: 403 Forbidden

Additional info: {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {"AWS": ["arn:aws:iam::testy:user/u2"]},
"Action": ["s3:ListBucket", "s3:GetBucketLocation"],
"Resource": [
"arn:aws:s3::*:location-bucket",
"arn:aws:s3::*:location-bucket/*"
]
}]
}

b = conn.get_bucket("testx:location-bucket")
print b.get_location()

  1. python getlocation.py

Related issues 1 (0 open1 closed)

Copied to rgw - Backport #21634: luminous: s3:GetBucketLocation bucket policy fails with 403ResolvedAbhishek LekshmananActions
Actions
Copy link
 #2

Updated by Matt Benjamin over 6 years ago

  • Status changed from 7 to Pending Backport
Actions
Copy link
 #3

Updated by Nathan Cutler over 6 years ago

  • Copied to Backport #21634: luminous: s3:GetBucketLocation bucket policy fails with 403 added
Actions
Copy link
 #4

Updated by Adam Emerson over 6 years ago

  • Status changed from Pending Backport to Resolved
Actions
Copy link

Also available in: Atom PDF