Bug #37403

Object can still be deleted even if s3:DeleteObject policy is set

Added by Enming Zhang 9 months ago. Updated 6 months ago.

Status: Resolved
Priority: Normal
Assignee: -
Target version: -
Start date: 11/27/2018
Due date:
% Done: 0%
Source:
Tags:
Backport: mimic, luminous
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:

Description

For example, the testing bucket name is '111' and the bucket owner is em_test1.

[root@localhost ~]# s3cmd info s3://111
s3://111/ (bucket):
Location: default
Payer: BucketOwner
Expiration Rule: none
Policy: {"Version": "2012-10-17", "Statement": [{"Action": ["s3:PutObject", "s3:DeleteObject"], "Principal": {"AWS": ["arn:aws:iam:::user/em_test1"]}, "Resource": ["arn:aws:s3:::111/InterLeave"], "Effect": "Deny", "Sid": "worm1"}, {"Action": ["s3:GetObject"], "Principal": {"AWS": ["arn:aws:iam:::user/em_test2"]}, "Resource": ["arn:aws:s3:::111/InterLeave"], "Effect": "Allow", "Sid": "worm2"}]}
CORS: none
ACL: em_test1: FULL_CONTROL

We can see that there is a related bucket policy configuration set on bucket 111, which defines that the bucket owner em_test1 cannot overwrite (by PutObject) or delete (by DeleteObject) the InterLeave object in bucket 111.

[root@localhost ~]# s3cmd put InterLeave s3://111
upload: 'InterLeave' -> 's3://111/InterLeave' [1 of 1]
37072 of 37072 100% in 0s 3.75 MB/s done
ERROR: S3 error: 403 (AccessDenied)

[root@localhost ~]# s3cmd del s3://111/InterLeave
delete: 's3://111/InterLeave'

Then we really cannot overwrite the InterLeave object in bucket 111, but we can still delete it.
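The decision the report expects, as an added example that is not part of the original report and is not Ceph RGW code: a simplified policy evaluator run over the policy shown above, in which the explicit Deny must win for both s3:PutObject and s3:DeleteObject. The `evaluate` helper, the `acl_allows` flag (standing in for the owner's FULL_CONTROL ACL) and the fnmatch-based wildcard matching are assumptions made for illustration.

```python
import json
from fnmatch import fnmatchcase

# Bucket policy copied from the `s3cmd info s3://111` output in the report.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Action": ["s3:PutObject", "s3:DeleteObject"],
   "Principal": {"AWS": ["arn:aws:iam:::user/em_test1"]},
   "Resource": ["arn:aws:s3:::111/InterLeave"], "Effect": "Deny", "Sid": "worm1"},
  {"Action": ["s3:GetObject"],
   "Principal": {"AWS": ["arn:aws:iam:::user/em_test2"]},
   "Resource": ["arn:aws:s3:::111/InterLeave"], "Effect": "Allow", "Sid": "worm2"}]}
""")

OWNER = "arn:aws:iam:::user/em_test1"
OBJ = "arn:aws:s3:::111/InterLeave"

def _matches(patterns, value):
    # Policy elements may be a string or a list; '*' and '?' are wildcards.
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(value, p) for p in patterns)

def _principal_matches(principal, user_arn):
    if principal == "*":
        return True
    return _matches(principal.get("AWS", []), user_arn)

def evaluate(policy, user_arn, action, resource, acl_allows=False):
    """Explicit Deny wins over any Allow and over the ACL grant."""
    allowed = acl_allows  # assumption: the ACL result is passed in as a flag
    for st in policy["Statement"]:
        if (_principal_matches(st["Principal"], user_arn)
                and _matches(st["Action"], action)
                and _matches(st["Resource"], resource)):
            if st["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"

if __name__ == "__main__":
    # Both requests from the report should be refused for the bucket owner.
    for action in ("s3:PutObject", "s3:DeleteObject"):
        print(action, evaluate(POLICY, OWNER, action, OBJ, acl_allows=True))
```

The same pair of assertions (PutObject denied, DeleteObject denied) is what a regression test against a patched gateway would check with the `s3cmd put` and `s3cmd del` commands from the report.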


Related issues

Copied to rgw - Backport #38192: mimic: Object can still be deleted even if s3:DeleteObject policy is set Resolved
Copied to rgw - Backport #38193: luminous: Object can still be deleted even if s3:DeleteObject policy is set Resolved

History

#2 Updated by Brad Hubbard 9 months ago

  • Project changed from Ceph to rgw

#3 Updated by Abhishek Lekshmanan 9 months ago

  • Status changed from New to Need Test

#4 Updated by Ken Dreyer 7 months ago

  • Status changed from Need Test to Pending Backport
  • Backport set to mimic, luminous

#5 Updated by Nathan Cutler 7 months ago

  • Copied to Backport #38192: mimic: Object can still be deleted even if s3:DeleteObject policy is set added

#6 Updated by Nathan Cutler 7 months ago

  • Copied to Backport #38193: luminous: Object can still be deleted even if s3:DeleteObject policy is set added

#7 Updated by Nathan Cutler 6 months ago

  • Status changed from Pending Backport to Resolved
