Bug #38722

rgw: fix RGWDeleteMultiObj::verify_permission

Added by Irek Fasikhov about 5 years ago. Updated about 3 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Target version:
% Done: 0%
Source:
Tags: rgw
Backport: luminous mimic nautilus
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

So.
Set Policy on bucket

{
    "Version": "2012-10-17",
    "Statement": [
            {
                    "Sid":"AddPerm",
                    "Effect": "Allow",
                    "Principal": {"AWS": [
                            "arn:aws:iam::dev:user/infas" 
                            ]},
                    "Action": [
                            "s3:Put*",
                            "s3:List*" 
                            ],
                    "Resource": [
                            "arn:aws:s3:::sb1/*",
                            "arn:aws:s3:::sb1" 
                    ]
            }
    ]
}

Put objects

kataklysm@infas:~/tmp> ~/bin/s3cmd-2.0.2/s3cmd put winlogbeat-test -c ~/.s3cfg1 s3://sb1/
upload: 'winlogbeat-test' -> 's3://sb1/winlogbeat-test'  [1 of 1]
 14778761 of 14778761   100% in    0s    16.60 MB/s  done
kataklysm@infas:~/tmp> ~/bin/s3cmd-2.0.2/s3cmd put winlogbeat-6.4.2-2018.11.21_20790.json.gzip_2018-11-22\ 03\:01\:05.933494181\ +0300\ MSK\ m\=+6.245462125 -c ~/.s3cfg1 s3://sb1/
upload: 'winlogbeat-6.4.2-2018.11.21_20790.json.gzip_2018-11-22 03:01:05.933494181 +0300 MSK m=+6.245462125' -> 's3://sb1/winlogbeat-6.4.2-2018.11.21_20790.json.gzip_2018-11-22 03:01:05.933494181 +0300 MSK m=+6.245462125'  [1 of 1]
 1165202 of 1165202   100% in    0s     8.72 MB/s  done

List Bucket

kataklysm@infas:~/tmp> ~/bin/s3cmd-2.0.2/s3cmd -c ~/.s3cfg1 ls -l s3://sb1/
2019-03-13 13:58   1165202   3f244bc9e225c4fab09ac5d9f8506126  STANDARD  s3://sb1/winlogbeat-6.4.2-2018.11.21_20790.json.gzip_2018-11-22 03:01:05.933494181 +0300 MSK m=+6.245462125
2019-03-13 13:57  14778761   a3200c53eae46e7c8f0dd7f95add5b81  STANDARD  s3://sb1/winlogbeat-test

Trying to delete objects... Wow

kataklysm@infas:~/tmp> ~/bin/s3cmd-2.0.2/s3cmd -c ~/.s3cfg1 rm -rf s3://sb1/
delete: 's3://sb1/winlogbeat-6.4.2-2018.11.21_20790.json.gzip_2018-11-22 03:01:05.933494181 +0300 MSK m=+6.245462125'
delete: 's3://sb1/winlogbeat-test'
kataklysm@infas:~/tmp> ~/bin/s3cmd-2.0.2/s3cmd -c ~/.s3cfg1 rm -rf s3://sb1/
delete: 's3://sb1/winlogbeat-6.4.2-2018.11.21_20790.json.gzip_2018-11-22 03:01:05.933494181 +0300 MSK m=+6.245462125'
delete: 's3://sb1/winlogbeat-test'
kataklysm@infas:~/tmp> ~/bin/s3cmd-2.0.2/s3cmd -c ~/.s3cfg1 rm -rf s3://sb1/
delete: 's3://sb1/winlogbeat-6.4.2-2018.11.21_20790.json.gzip_2018-11-22 03:01:05.933494181 +0300 MSK m=+6.245462125'
delete: 's3://sb1/winlogbeat-test'

In fact, the user does not have access rights. You must receive a 403 response.
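
An added example (not part of the original report and not Ceph's code): a minimal bucket-policy evaluator run over the policy from the description, showing that neither `s3:Put*` nor `s3:List*` matches `s3:DeleteObject`, so a multi-object delete by `infas` gets no Allow for either key. It models only the bucket policy and assumes no ACL or ownership grant applies; `wildcard_match`, `evaluate` and `check_multi_delete` are hypothetical helper names.

```python
import json
import re

# Bucket policy copied from the report (whitespace compacted).
POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{
   "Sid": "AddPerm", "Effect": "Allow",
   "Principal": {"AWS": ["arn:aws:iam::dev:user/infas"]},
   "Action": ["s3:Put*", "s3:List*"],
   "Resource": ["arn:aws:s3:::sb1/*", "arn:aws:s3:::sb1"]}]}
""")
USER = "arn:aws:iam::dev:user/infas"
# Object keys from the report's listing.
KEYS = ["winlogbeat-test",
        "winlogbeat-6.4.2-2018.11.21_20790.json.gzip_2018-11-22 "
        "03:01:05.933494181 +0300 MSK m=+6.245462125"]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def wildcard_match(pattern, value, ignore_case=False):
    """Policy-style match: '*' is any run of characters, '?' is one character."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.S | (re.I if ignore_case else 0)
    return re.fullmatch(rx, value, flags) is not None

def evaluate(policy, principal, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny'; an explicit Deny always wins."""
    decision = "ImplicitDeny"
    for st in _as_list(policy["Statement"]):
        who = st.get("Principal", {})
        principals = ["*"] if who == "*" else _as_list(who.get("AWS", []))
        if not any(p in ("*", principal) for p in principals):
            continue
        if not any(wildcard_match(a, action, True) for a in _as_list(st["Action"])):
            continue
        if not any(wildcard_match(r, resource) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

def check_multi_delete(policy, principal, bucket, keys):
    """Per-key decision for a multi-object delete: each key needs s3:DeleteObject."""
    return {k: evaluate(policy, principal, "s3:DeleteObject",
                        f"arn:aws:s3:::{bucket}/{k}") for k in keys}

if __name__ == "__main__":
    for key, decision in check_multi_delete(POLICY, USER, "sb1", KEYS).items():
        print(f"{decision:12} s3:DeleteObject  {key}")
```
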


Related issues

Copied to rgw - Backport #38978: luminous: rgw: fix RGWDeleteMultiObj::verify_permission Rejected
Copied to rgw - Backport #38979: mimic: rgw: fix RGWDeleteMultiObj::verify_permission Rejected
Copied to rgw - Backport #38980: nautilus: rgw: fix RGWDeleteMultiObj::verify_permission Resolved

History

#3 Updated by Nathan Cutler about 5 years ago

  • Backport set to mimic
  • Pull request ID changed from 26928 to 26947

#4 Updated by Nathan Cutler about 5 years ago

  • Status changed from New to Fix Under Review

#5 Updated by Casey Bodley about 5 years ago

  • Status changed from Fix Under Review to 7

#6 Updated by Casey Bodley about 5 years ago

  • Status changed from 7 to Pending Backport
  • Backport changed from mimic to luminous mimic nautilus

#7 Updated by Nathan Cutler about 5 years ago

  • Copied to Backport #38978: luminous: rgw: fix RGWDeleteMultiObj::verify_permission added

#8 Updated by Nathan Cutler about 5 years ago

  • Copied to Backport #38979: mimic: rgw: fix RGWDeleteMultiObj::verify_permission added

#9 Updated by Nathan Cutler about 5 years ago

  • Copied to Backport #38980: nautilus: rgw: fix RGWDeleteMultiObj::verify_permission added

#10 Updated by Nathan Cutler about 3 years ago

  • Status changed from Pending Backport to Resolved

While running with --resolve-parent, the script "backport-create-issue" noticed that all backports of this issue are in status "Resolved" or "Rejected".
