<p><strong>Ceph rgw - Bug #45912: role policies allow access to all buckets when using bucket arns with tenants</strong> (<a class="external" href="https://tracker.ceph.com/issues/45912">https://tracker.ceph.com/issues/45912</a>)</p>
<p><strong>Updated by Matt Benjamin (mbenjamin@redhat.com) on 2020-06-05T23:23:17Z</strong> (<a class="external" href="https://tracker.ceph.com/issues/45912?journal_id=167624">journal 167624</a>)</p>
<ul><li><strong>Assignee</strong> set to <i>Pritha Srivastava</i></li></ul><p>Hi Pritha,</p>
<p>Could you review this?</p>
<p>thanks,</p>
<p>Matt</p>
<p><strong>Updated by Pritha Srivastava (prsrivas@redhat.com) on 2020-06-06T17:29:37Z</strong> (<a class="external" href="https://tracker.ceph.com/issues/45912?journal_id=167695">journal 167695</a>)</p>
<p>Hi Chris,</p>
<p>In order to reproduce the issue that you have reported, I did the following using radosgw-admin:<br />1. Created user t1user under t1tenant<br />2. Created user TESTER in the global namespace<br />3. Created user TESTER1 in the global namespace<br />4. Assigned caps for roles to t1user</p>
<p>Using boto, I did the following:<br />1. Created t1user-my-bucket using credentials of user t1user<br />2. Created tester1-my-bucket using credentials of user TESTER1<br />3. Created a role S3Access using creds of t1user, which allows access to user TESTER and to bucket t1user-my-bucket, using the following trust policy and role policy<br />Trust Policy:<br />"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/TESTER\"]},\"Action\":[\"sts:AssumeRole\"]}]}" <br />Role Policy:<br />role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3::t1tenant:t1user-my-bucket\"}}" <br />4. Assume Role using credentials of user TESTER<br />5. Use the temp creds returned in step 4 to list bucket tester1-my-bucket belonging to TESTER1 (which is in the global namespace), and I get back error 'NoSuchBucket'</p>
<p>I have tried this on the latest master, and before I try this out on 15.2.2, can you please confirm that the repro steps are correct?</p>
<p>Thanks,<br />Pritha</p>
<p><strong>Updated by Pritha Srivastava (prsrivas@redhat.com) on 2020-06-08T04:32:34Z</strong> (<a class="external" href="https://tracker.ceph.com/issues/45912?journal_id=167710">journal 167710</a>)</p>
<p>The issue does reproduce on 15.2.2, and the bucket belonging to TESTER1, tester1-my-bucket, can be accessed using the temp creds.</p>
<p>Looking into it now.</p>
<p><strong>Updated by Chris Durham on 2020-06-08T14:52:11Z</strong> (<a class="external" href="https://tracker.ceph.com/issues/45912?journal_id=167831">journal 167831</a>)</p>
<p>Pritha Srivastava wrote:</p>
<blockquote>
<p>The issue does reproduce on 15.2.2, and the bucket belonging to TESTER1, tester1-my-bucket, can be accessed using the temp creds.</p>
<p>Looking into it now.</p>
</blockquote>
<p>Thanks Pritha, looks like your steps work to reproduce on 15.2.2. Let me know if I can be of any further help.</p>
<p><strong>Updated by Pritha Srivastava (prsrivas@redhat.com) on 2020-06-10T04:23:14Z</strong> (<a class="external" href="https://tracker.ceph.com/issues/45912?journal_id=167937">journal 167937</a>)</p>
<p>@Matt, @Casey: <a class="external" href="https://github.com/ceph/ceph/pull/34275">https://github.com/ceph/ceph/pull/34275</a> fixes this issue; should it be backported to Octopus, or should I fix this problem alone?</p>
<p><strong>Updated by Matt Benjamin (mbenjamin@redhat.com) on 2020-06-11T11:38:22Z</strong> (<a class="external" href="https://tracker.ceph.com/issues/45912?journal_id=168039">journal 168039</a>)</p>
<p>Sounds like we should backport to at least Octopus.</p>
<p>Matt</p>
<p><strong>Updated by Casey Bodley (cbodley@redhat.com) on 2020-06-11T14:12:16Z</strong> (<a class="external" href="https://tracker.ceph.com/issues/45912?journal_id=168053">journal 168053</a>)</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Pending Backport</i></li><li><strong>Tags</strong> set to <i>role policy</i></li><li><strong>Backport</strong> set to <i>octopus</i></li><li><strong>Pull request ID</strong> set to <i>34275</i></li></ul>
<p><strong>Updated by Nathan Cutler (ncutler@suse.cz) on 2020-06-15T19:21:02Z</strong> (<a class="external" href="https://tracker.ceph.com/issues/45912?journal_id=168193">journal 168193</a>)</p>
<ul><li><strong>Copied to</strong> <i><a class="issue tracker-9 status-6 priority-4 priority-default closed" href="/issues/46006">Backport #46006</a>: octopus: role policies allow access to all buckets when using bucket arns with tenants</i> added</li></ul>
<p><strong>Updated by Backport Bot on 2022-08-08T16:35:47Z</strong> (<a class="external" href="https://tracker.ceph.com/issues/45912?journal_id=222872">journal 222872</a>)</p>
<ul><li><strong>Tags</strong> changed from <i>role policy</i> to <i>role policy backport_processed</i></li></ul>
<p><strong>Updated by Konstantin Shalygin (k0ste@k0ste.ru) on 2023-03-14T03:22:47Z</strong> (<a class="external" href="https://tracker.ceph.com/issues/45912?journal_id=233037">journal 233037</a>)</p>
<ul><li><strong>Status</strong> changed from <i>Pending Backport</i> to <i>Resolved</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul>