Bug #38638

closed

S3 policy evaluated incorrectly

Added by Davide Dal Bianco about 5 years ago. Updated over 4 years ago.

Status: Resolved
Priority: High
Target version: -
% Done: 0%
Source:
Tags:
Backport: luminous mimic nautilus
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

Hi,

I noticed a bug when accessing Ceph via Hadoop. I am using some shared buckets with read/write access for all users. Here is the policy for the bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAll",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::<bucket>/*",
                "arn:aws:s3:::<bucket>"
            ]
        }
    ]
}

However, if a user different from the owner (or even an anonymous user) does a GetObject/HeadObject on a non-existing object, Radosgw returns status code 403, which makes the Hadoop write fail.

From the official S3 documentation:

If a requested object doesn't exist in the bucket and the requester doesn't have s3:ListBucket access, then the requester receives an HTTP 403 (Access Denied) error rather than the HTTP 404 (Not Found) error.

I tried in AWS and a bucket with the same policy returns 404, which should be the correct behaviour since ListBucket is allowed.
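The following is an added example, not code from the report or from Ceph: a small evaluator for the subset of S3 bucket-policy semantics the report relies on (Principal, wildcard Action/Resource, Deny-wins), plus the documented rule for a GetObject/HeadObject on a missing key. The bucket name "shared", the requester label "anonymous" and the key names are assumptions used for the demonstration.

```python
import fnmatch
import json

# Constructed bucket policy with the same shape as the one in the report;
# the bucket name "shared" is an assumption (the report writes <bucket>).
ALLOW_ALL_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAll", "Effect": "Allow", "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::shared/*", "arn:aws:s3:::shared"]
    }]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(principal, requester):
    # "*" or {"AWS": "*"} matches everyone, anonymous requests included.
    if isinstance(principal, str):
        return principal == "*"
    return any(p in ("*", requester) for p in _as_list(principal.get("AWS", [])))

def is_allowed(policy, requester, action, resource):
    """Evaluate a bucket policy: an explicit Deny wins; otherwise any matching Allow grants."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], requester):
            continue
        # fnmatch gives "*" / "?" wildcard semantics, enough for s3:* and <bucket>/*
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def get_object_status(policy, requester, bucket, key, existing_keys):
    """HTTP status a correct S3 implementation returns for GetObject/HeadObject on `key`.
    A missing object is reported as 404 only if the requester could also list the
    bucket; otherwise 403, so that key existence is not leaked to unprivileged callers."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    if not is_allowed(policy, requester, "s3:GetObject", f"{bucket_arn}/{key}"):
        return 403
    if key in existing_keys:
        return 200
    return 404 if is_allowed(policy, requester, "s3:ListBucket", bucket_arn) else 403
```

With the report's policy an anonymous HeadObject on a missing key yields 404, which is what Hadoop expects before creating the file; a policy that grants only object-level actions (no s3:ListBucket on the bucket ARN) correctly yields 403 for the same request.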

Related issues (3: 0 open, 3 closed)

Copied to rgw - Backport #39272: luminous: rgw: S3 policy evaluated incorrectly (Resolved)
Copied to rgw - Backport #39273: nautilus: S3 policy evaluated incorrectly (Resolved, Prashant D)
Copied to rgw - Backport #39274: mimic: S3 policy evaluated incorrectly (Resolved, Nathan Cutler)
