Bug #43226

closed

rgw: object version can be deleted without TOTP on bucket that has MFA Delete enabled.

Added by Alfonso Martínez over 4 years ago. Updated over 4 years ago.

Status: Closed
Priority: Normal
Assignee: -
% Done: 0%
Regression: No
Severity: 2 - major

Description

It seems that an object version can be deleted without TOTP on a bucket that has MFA Delete enabled.
- Environment: CentOS 7 + ceph octopus (master) installed through rpm packages built in shaman.
- TOTP generator: FreeOTP (Android).

[root@ceph-rpm ceph]# ceph -v
ceph version 15.0.0-8192-gb976dc5 (b976dc5aa33344fd4736a8ae3a4dce9d4351864d) octopus (dev)

[root@ceph-rpm ceph]# radosgw-admin mfa create --uid=dev --totp-serial=1 --totp-seed=23456723 --totp-seed-type=base32

[root@ceph-rpm ceph]# alias aws="aws --endpoint-url=http://localhost:8000" 

[root@ceph-rpm ceph]# aws s3api create-bucket --bucket test

[root@ceph-rpm ceph]# aws s3api list-buckets
{
    "Owner": {
        "DisplayName": "Dev Admin", 
        "ID": "dev" 
    }, 
    "Buckets": [
        {
            "CreationDate": "2019-12-10T11:49:53.781Z", 
            "Name": "test" 
        }
    ]
}

[root@ceph-rpm ceph]# aws s3api get-bucket-versioning --bucket test
[root@ceph-rpm ceph]#

[root@ceph-rpm ceph]# aws s3api put-bucket-versioning --bucket test --versioning-configuration '{"Status":"Enabled","MFADelete":"Enabled"}' --mfa '1 221402'

[root@ceph-rpm ceph]# aws s3api get-bucket-versioning --bucket test
{
    "Status": "Enabled", 
    "MFADelete": "Enabled" 
}

[root@ceph-rpm ceph]# aws s3api put-object --bucket test --key example --body CONTRIBUTING.rst
{
    "VersionId": "ZrRv3hX0CgbjNo9j4egnexvFTlPa--x", 
    "ETag": "\"2551b46bd421838b7a5fca325f12818c\"" 
}

[root@ceph-rpm ceph]# aws s3api list-object-versions --bucket test --key example
{
    "Name": "test", 
    "Versions": [
        {
            "LastModified": "2019-12-10T12:12:41.776Z", 
            "VersionId": "ZrRv3hX0CgbjNo9j4egnexvFTlPa--x", 
            "ETag": "\"2551b46bd421838b7a5fca325f12818c\"", 
            "StorageClass": "STANDARD", 
            "Key": "example", 
            "Owner": {
                "DisplayName": "Dev Admin", 
                "ID": "dev" 
            }, 
            "IsLatest": true, 
            "Size": 640
        }
    ], 
    "MaxKeys": 1000, 
    "Prefix": "", 
    "KeyMarker": "example", 
    "IsTruncated": false, 
    "VersionIdMarker": "" 
}

[root@ceph-rpm ceph]# aws s3api delete-object --bucket test --key example --version-id ZrRv3hX0CgbjNo9j4egnexvFTlPa--x
{
    "VersionId": "ZrRv3hX0CgbjNo9j4egnexvFTlPa--x" 
}
[root@ceph-rpm ceph]# aws s3api list-object-versions --bucket test --key example
{
    "MaxKeys": 1000, 
    "Prefix": "", 
    "Name": "test", 
    "KeyMarker": "example", 
    "IsTruncated": false, 
    "VersionIdMarker": "" 
}
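The behaviour the report expects, as an added example that is not Ceph's code and not part of the original report: a version-specific delete on a bucket with MFA Delete enabled is refused unless the request carries a valid `<serial> <code>` value, which is what the AWS CLI sends for `--mfa`. The function names, the 30-second step, the 6-digit code and the one-step window are assumptions; the serial, seed and version ID are the ones from the session above.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # assumed TOTP time step in seconds


def totp(seed_b32, now, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 seed at Unix time `now`."""
    key = base64.b32decode(seed_b32.upper())
    counter = struct.pack(">Q", int(now) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def mfa_value_valid(mfa_value, devices, now, window=1):
    """Validate '<serial> <code>' against the user's registered TOTP devices."""
    parts = (mfa_value or "").split()
    if len(parts) != 2 or parts[0] not in devices:
        return False
    serial, code = parts
    # Accept the current step and `window` steps either side for clock drift.
    return any(
        hmac.compare_digest(totp(devices[serial], now + i * STEP), code)
        for i in range(-window, window + 1)
    )


def delete_allowed(versioning, version_id, mfa_value, devices, now):
    """S3 MFA Delete rule: permanently removing a version needs valid MFA.

    A delete without a version ID only adds a delete marker, so no MFA is needed.
    """
    if versioning.get("MFADelete") != "Enabled" or version_id is None:
        return True
    return mfa_value_valid(mfa_value, devices, now)


if __name__ == "__main__":
    devices = {"1": "23456723"}  # --totp-serial / --totp-seed from the report
    versioning = {"Status": "Enabled", "MFADelete": "Enabled"}
    vid = "ZrRv3hX0CgbjNo9j4egnexvFTlPa--x"
    now = 1575979961  # constructed timestamp
    print("no MFA value:", delete_allowed(versioning, vid, None, devices, now))
    good = "1 " + totp(devices["1"], now)
    print("valid MFA value:", delete_allowed(versioning, vid, good, devices, now))
```

The `delete-object` call in the report corresponds to the first case, which this check refuses.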