Bug #42786

User using doscli cannot get, info or put objects in other buckets with ":" in those objects even though the user has the permission.

Added by he huang about 1 year ago. Updated about 1 year ago.

Status: Triaged
Priority: Normal
Assignee:
Target version:
% Done: 0%
Source: Community (dev)
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite: rgw
Pull request ID:
Crash signature:

Description

Problem recurrence steps
[Test Details]
1. Create two users A and B
2. Set bucket policy of user A and grant full access to user B.
3. Upload an object with a ":" in the name to the bucket of user A, such as "AAA: BBB", and then use user B to try to info and get the object.
4. Use user B to try to put a new object with ":" in the name into the bucket of user A.
[Expected Results]
1. Steps 3 and 4 are successful
[Actual Results]
1. Steps 3 and 4: error reported and rejected

The cause of the problem: the S3 resource description statement is "arn:aws:S3:::bucket/object". When matching the bucket policy, we first match the S3 resource description statement with the regular expression "arn:([^:]*):([^:]*):([^:]*):([^:]*):(.*)". Finally, when comparing the "bucket/object" with the actual value, we match the style with ":", such as the style "" and the actual value "bucket01/aa:aa/". If they are divided into "", "bucket01/aa" and "aa", they will not match.
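
An added illustration of the mismatch the description reports (not code from the report or from Ceph RGW): the ARN regex quoted above keeps the object key intact in its last group, but cutting the resource at ":" again before comparing rejects a key such as "bucket01/aa:aa". The helper names and the policy resource `bucket01/*` are constructed for this example.

```cpp
// Added illustration; not Ceph RGW source. Helper names are hypothetical.
#include <regex>
#include <sstream>
#include <string>
#include <vector>

// Extract the resource part of an ARN with the regex quoted in the report.
// The final (.*) group keeps any ':' that belongs to the object key.
bool arn_resource(const std::string& arn, std::string& out) {
    static const std::regex rx("arn:([^:]*):([^:]*):([^:]*):([^:]*):(.*)");
    std::smatch m;
    if (!std::regex_match(arn, m, rx)) return false;
    out = m[5].str();
    return true;
}

// Minimal '*' wildcard match over the whole string ('*' matches any run).
bool glob(const std::string& p, const std::string& s, size_t i = 0, size_t j = 0) {
    if (i == p.size()) return j == s.size();
    if (p[i] == '*')
        return glob(p, s, i + 1, j) || (j < s.size() && glob(p, s, i, j + 1));
    return j < s.size() && p[i] == s[j] && glob(p, s, i + 1, j + 1);
}

std::vector<std::string> split(const std::string& s, char sep) {
    std::vector<std::string> out;
    std::stringstream ss(s);
    for (std::string part; std::getline(ss, part, sep);) out.push_back(part);
    return out;
}

// Failure mode from the report: both sides are cut at ':' before comparing,
// so a key containing ':' yields more segments than the policy pattern.
bool match_split_on_colon(const std::string& pattern, const std::string& value) {
    auto p = split(pattern, ':'), v = split(value, ':');
    if (p.size() != v.size()) return false;
    for (size_t k = 0; k < p.size(); ++k)
        if (!glob(p[k], v[k])) return false;
    return true;
}

// Comparing the resource as one opaque string treats ':' as ordinary data.
bool match_whole(const std::string& pattern, const std::string& value) {
    return glob(pattern, value);
}
```

A regression test for a fix would assert both directions: keys with ":" are allowed when the policy covers them, and still denied when it does not.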

History

#1 Updated by Casey Bodley about 1 year ago

  • Status changed from New to Triaged
  • Assignee set to Adam Emerson

@Adam, does this look like a parsing bug?
