Bug #45912
closedrole policies allow access to all buckets when using bucket arns with tenants
100%
Description
Using 15.2.2 on CentOS 8.1
If I specify a bucket ARN with a tenant name in a role policy, then, any user who assumes the role can access any bucket with the permissions that should be granted only for the single bucket in the policy.
1. create an aws/s3 user in tenant t1 with radosgw-admin, say t1$user1
2. Create an aws credentials file for the new user
3. Using this new credentials file, have boto3 create a bucket, testbucket in the new tenant t1
4. Pick or create a user, say user2, in the default tenant.
5. Create a role, say testrole with radosgw-admin or awscli iam create-role, giving it an AssumeRolePolicyDocument that has arn:aws:iam:::user/user2 as a user that can assume the role [yes, if you use aws iam create-role, user must have caps to create the role)
6. Add a policy to the role with radosgw-admin or awscli iam put-role-policy that includes access for the bucket created, using the arn for the bucket that includes the tenant, i.e:
\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Action\":\[\"s3:*\"\],\"Resource\":\"arn:aws:s3::t1:testbucket\"\}\]\}
7. Have user2 run aws sts assume-role --role-arn ... and set up the credentials returned in enviroment variables.
User2 can now access any bucket on the system, with permissions in Action key, with awscli (I used s3:ListBucket and s3:GetObject in Action and was able to read any object in any bucket). To access buckets in different tenant, I had to modify boto3 thusly: https://tracker.ceph.com/issues/45911 , but I could access buckets in the default tenant as well.
While I certainly may have erred in my policy somehow, this situation should not open up everything even if I did err, as my bucket ARN in the policy does not indicate all buckets regardless. I used the tenant name in place of the account-id in the ARN for the bucket.
Updated by Matt Benjamin almost 4 years ago
- Assignee set to Pritha Srivastava
Hi Pritha,
Could you review this?
thanks,
Matt
Updated by Pritha Srivastava almost 4 years ago
Hi Chris,
In order to reproduce the issue that you have reported, I did the following using radosgw-admin:
1. Created user t1user under t1tenant
2, Created user TESTER in global namespace
3. Created user TESTER1 in global namespace
4. Assigned caps for roles to t1user
Using boto, I did the following:
1. Created t1user-my-bucket using credentials of user t1user
2. Created tester1-my-bucket using credentials of user TESTER1
3. Created a role S3Access using creds of t1user, which allows access to user TESTER and to bucket t1user-my-bucket, using the following trust policy and role policy
Trust Policy:
"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/TESTER\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
Role Policy:
role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3::t1tenant:t1user-my-bucket\"}}"
4. Assume Role using credentials of user TESTER
5. Use temp creds returned in step 4, to list bucket tester1-my-bucket belonging to TESTER1 (which is in global namespace) - and I get back error 'NoSuchBucket'
I have tried this on the latest master and before I try this out on 15.2.2, can you please confirm if the repro steps are correct?
Thanks,
Pritha
Updated by Pritha Srivastava almost 4 years ago
The issue does reproduce on 15.2.2, and the bucket belonging to TESTER1 tester1-my-bucket, can be accessed using the temp creds.
Looking into it now.
Updated by Chris Durham almost 4 years ago
Pritha Srivastava wrote:
The issue does reproduce on 15.2.2, and the bucket belonging to TESTER1 tester1-my-bucket, can be accessed using the temp creds.
Looking into it now.
Thanks Pritha, looks like your steps work to reproduce on 15.2.2. Let me know if I can be of any further help.
Updated by Pritha Srivastava almost 4 years ago
@Matt Li, @Casey: https://github.com/ceph/ceph/pull/34275 fixes this issue, should it be backported to Octopus, or should I fix this problem alone?
Updated by Matt Benjamin almost 4 years ago
Sounds like we should backport to at least Octopus.
Matt
Updated by Casey Bodley almost 4 years ago
- Status changed from New to Pending Backport
- Tags set to role policy
- Backport set to octopus
- Pull request ID set to 34275
Updated by Nathan Cutler almost 4 years ago
- Copied to Backport #46006: octopus: role policies allow access to all buckets when using bucket arns with tenants added
Updated by Backport Bot over 1 year ago
- Tags changed from role policy to role policy backport_processed
Updated by Konstantin Shalygin about 1 year ago
- Status changed from Pending Backport to Resolved
- % Done changed from 0 to 100