Bug #45912

role policies allow access to all buckets when using bucket arns with tenants

Added by Chris Durham 6 months ago. Updated 6 months ago.

Status: Pending Backport
Priority: Normal
Target version:
% Done: 0%
Source:
Tags: role policy
Backport: octopus
Regression: No
Severity: 1 - critical
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature:

Description

Using 15.2.2 on CentOS 8.1

If I specify a bucket ARN with a tenant name in a role policy, then, any user who assumes the role can access any bucket with the permissions that should be granted only for the single bucket in the policy.

1. create an aws/s3 user in tenant t1 with radosgw-admin, say t1$user1
2. Create an aws credentials file for the new user
3. Using this new credentials file, have boto3 create a bucket, testbucket in the new tenant t1
4. Pick or create a user, say user2, in the default tenant.
5. Create a role, say testrole, with radosgw-admin or awscli iam create-role, giving it an AssumeRolePolicyDocument that has arn:aws:iam:::user/user2 as a user that can assume the role [yes, if you use aws iam create-role, the user must have caps to create the role].
6. Add a policy to the role with radosgw-admin or awscli iam put-role-policy that includes access for the bucket created, using the ARN for the bucket that includes the tenant, i.e.:

{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:*"],"Resource":"arn:aws:s3::t1:testbucket"}]}

7. Have user2 run aws sts assume-role --role-arn ... and set up the credentials returned in environment variables.

User2 can now access any bucket on the system, with the permissions in the Action key, with awscli (I used s3:ListBucket and s3:GetObject in Action and was able to read any object in any bucket). To access buckets in a different tenant, I had to modify boto3 thusly: https://tracker.ceph.com/issues/45911 , but I could access buckets in the default tenant as well.

While I certainly may have erred in my policy somehow, this situation should not open up everything even if I did err, as my bucket ARN in the policy does not indicate all buckets regardless. I used the tenant name in place of the account-id in the ARN for the bucket.


Related issues

Copied to rgw - Backport #46006: octopus: role policies allow access to all buckets when using bucket arns with tenants Need More Info

History

#1 Updated by Matt Benjamin 6 months ago

  • Assignee set to Pritha Srivastava

Hi Pritha,

Could you review this?

thanks,

Matt

#2 Updated by Pritha Srivastava 6 months ago

Hi Chris,

In order to reproduce the issue that you have reported, I did the following using radosgw-admin:
1. Created user t1user under t1tenant
2. Created user TESTER in global namespace
3. Created user TESTER1 in global namespace
4. Assigned caps for roles to t1user

Using boto, I did the following:
1. Created t1user-my-bucket using credentials of user t1user
2. Created tester1-my-bucket using credentials of user TESTER1
3. Created a role S3Access using creds of t1user, which allows access to user TESTER and to bucket t1user-my-bucket, using the following trust policy and role policy
Trust Policy:
"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/TESTER\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
Role Policy:
role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3::t1tenant:t1user-my-bucket\"}}"
4. Assume Role using credentials of user TESTER
5. Use the temp creds returned in step 4 to list bucket tester1-my-bucket belonging to TESTER1 (which is in the global namespace) - and I get back the error 'NoSuchBucket'

I have tried this on the latest master and before I try this out on 15.2.2, can you please confirm if the repro steps are correct?

Thanks,
Pritha
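
The following is an added illustrative example, not Ceph RGW's own policy-evaluation code, covering the policies quoted in the Description and in comment #2: it compares the tenant carried in the ARN's account-id field as well as the bucket name, so a policy for arn:aws:s3::t1:testbucket does not match a same-named or any other bucket in the default tenant. It assumes the ARN layout used in this report (empty account-id field = default tenant) and fnmatch-style wildcards; the policy strings are constructed copies of the ones on this page.

```python
# Added illustrative example, not Ceph RGW's own policy code.
# Assumes the ARN layout used in this report: the tenant sits in the
# account-id field (arn:aws:s3::t1:testbucket) and an empty field means
# the default tenant; '*' wildcards follow fnmatch rules.
import fnmatch
import json


def parse_bucket_arn(arn):
    """Return (tenant, bucket) from an S3 ARN; an object-key suffix is dropped."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[:3] != ["arn", "aws", "s3"]:
        raise ValueError(f"not an S3 ARN: {arn!r}")
    tenant, resource = parts[4], parts[5]
    return tenant, resource.partition("/")[0]


def resource_matches(arn, tenant, bucket):
    """True only when the tenant AND the bucket name match the ARN.
    Checking the bucket name alone is what would let a t1-scoped policy
    reach tester1-my-bucket in the default tenant, as reported above."""
    if arn == "*":
        return True
    arn_tenant, arn_bucket = parse_bucket_arn(arn)
    return (fnmatch.fnmatchcase(tenant, arn_tenant)
            and fnmatch.fnmatchcase(bucket, arn_bucket))


def evaluate(policy, action, tenant, bucket):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one bucket-level request."""
    statements = json.loads(policy)["Statement"]
    if isinstance(statements, dict):  # single bare statement, as in comment #2
        statements = [statements]
    decision = "ImplicitDeny"
    for st in statements:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(resource_matches(r, tenant, bucket) for r in resources):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides any Allow
        decision = "Allow"
    return decision


# Constructed copies of the two role policies quoted on this page.
POLICY_T1 = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:*"],"Resource":"arn:aws:s3::t1:testbucket"}]}'
POLICY_T1TENANT = '{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":"s3:*","Resource":"arn:aws:s3::t1tenant:t1user-my-bucket"}}'
```

Running evaluate(POLICY_T1, "s3:ListBucket", "", "tester1-my-bucket") yields ImplicitDeny, which is the outcome the assumed-role credentials should have produced in the repro instead of a successful listing.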

#3 Updated by Pritha Srivastava 6 months ago

The issue does reproduce on 15.2.2, and the bucket belonging to TESTER1, tester1-my-bucket, can be accessed using the temp creds.

Looking into it now.

#4 Updated by Chris Durham 6 months ago

Pritha Srivastava wrote:

The issue does reproduce on 15.2.2, and the bucket belonging to TESTER1, tester1-my-bucket, can be accessed using the temp creds.

Looking into it now.

Thanks Pritha, looks like your steps work to reproduce on 15.2.2. Let me know if I can be of any further help.

#5 Updated by Pritha Srivastava 6 months ago

@Matt, @Casey: https://github.com/ceph/ceph/pull/34275 fixes this issue, should it be backported to Octopus, or should I fix this problem alone?

#6 Updated by Matt Benjamin 6 months ago

Sounds like we should backport to at least Octopus.

Matt

#7 Updated by Casey Bodley 6 months ago

  • Status changed from New to Pending Backport
  • Tags set to role policy
  • Backport set to octopus
  • Pull request ID set to 34275

#8 Updated by Nathan Cutler 6 months ago

  • Copied to Backport #46006: octopus: role policies allow access to all buckets when using bucket arns with tenants added
