Bug #45912
Status: closed
Subject: role policies allow access to all buckets when using bucket ARNs with tenants
100%
Description
Using 15.2.2 on CentOS 8.1
If I specify a bucket ARN with a tenant name in a role policy, then any user who assumes the role can access any bucket with the permissions that should be granted only for the single bucket named in the policy.
1. Create an AWS/S3 user in tenant t1 with radosgw-admin, say t1$user1.
2. Create an AWS credentials file for the new user.
3. Using this new credentials file, have boto3 create a bucket, testbucket, in the new tenant t1.
4. Pick or create a user, say user2, in the default tenant.
5. Create a role, say testrole, with radosgw-admin or awscli iam create-role, giving it an AssumeRolePolicyDocument that names arn:aws:iam:::user/user2 as a user that can assume the role (yes, if you use aws iam create-role, the user must have caps to create the role).
6. Add a policy to the role with radosgw-admin or awscli iam put-role-policy that includes access for the bucket created, using the ARN for the bucket that includes the tenant, i.e.:
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:*"],"Resource":"arn:aws:s3::t1:testbucket"}]}
7. Have user2 run aws sts assume-role --role-arn ... and set up the credentials returned in environment variables.
User2 can now access any bucket on the system, with the permissions in the Action key, with awscli (I used s3:ListBucket and s3:GetObject in Action and was able to read any object in any bucket). To access buckets in a different tenant, I had to modify boto3 as described in https://tracker.ceph.com/issues/45911, but I could access buckets in the default tenant as well.
While I certainly may have erred in my policy somehow, this situation should not open up everything even if I did err, as my bucket ARN in the policy does not indicate all buckets regardless. I used the tenant name in place of the account-id in the ARN for the bucket.
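The expectation behind this report is that a tenant-qualified bucket ARN in the Resource field scopes the grant to that one bucket in that one tenant. The following Python model is an added illustration of those expected matching semantics; it is not Ceph's code and does not claim to show how RGW evaluates policies. It parses the report's policy document, splits S3 ARNs into tenant, bucket and object key (an empty tenant field meaning the default tenant), and evaluates constructed requests the way a correct evaluator should: only arn:aws:s3::t1:testbucket is allowed, while the same bucket name in the default tenant, other buckets in t1, and buckets in other tenants are all denied. The request list and the wildcard policy are constructed for the example.

```python
"""
Model of how a role policy's Resource ARN should constrain bucket access in a
multi-tenant RGW deployment.  Added illustration for this report, not Ceph's
own policy code: it encodes the expected behaviour (a tenant-qualified bucket
ARN matches only that bucket) so that an over-broad result like the one in the
report can be recognised when checking a role policy.
"""
import fnmatch
import json

# The role policy from step 6 of the report: tenant t1 sits in the account field.
ROLE_POLICY = json.loads(
    '{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
    '"Action":["s3:*"],"Resource":"arn:aws:s3::t1:testbucket"}]}'
)


def parse_s3_arn(arn):
    """Split arn:aws:s3::<tenant>:<bucket>[/<key>] into (tenant, bucket, key).

    An empty tenant field means the default tenant.  Only the first five
    colons are separators; anything after that belongs to the resource, so
    object keys containing ':' survive.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[:3] != ["arn", "aws", "s3"]:
        raise ValueError(f"not an S3 ARN: {arn}")
    tenant, resource = parts[4], parts[5]
    bucket, _, key = resource.partition("/")
    return tenant, bucket, key


def arn_matches(pattern_arn, request_arn):
    """True only when tenant, bucket and key all match the policy pattern.

    Wildcards apply per field, so 'testbucket' never matches 'testbucket/obj'
    (object access needs a 'testbucket/*' resource, as in AWS) and a tenant
    'a' never matches a request in tenant 'b' or in the default tenant.
    """
    p_tenant, p_bucket, p_key = parse_s3_arn(pattern_arn)
    r_tenant, r_bucket, r_key = parse_s3_arn(request_arn)
    return (fnmatch.fnmatchcase(r_tenant, p_tenant)
            and fnmatch.fnmatchcase(r_bucket, p_bucket)
            and fnmatch.fnmatchcase(r_key, p_key))


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def is_allowed(policy, action, request_arn):
    """Evaluate a policy document: an explicit Deny wins, then any Allow, else deny."""
    decision = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(arn_matches(r, request_arn) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


# Constructed requests a session that assumed testrole might make (step 7),
# with the decision a correctly scoped evaluator should reach.
CASES = [
    ("s3:ListBucket", "arn:aws:s3::t1:testbucket", True),        # the granted bucket
    ("s3:ListBucket", "arn:aws:s3::t1:otherbucket", False),      # other bucket, same tenant
    ("s3:ListBucket", "arn:aws:s3:::testbucket", False),         # same name, default tenant
    ("s3:GetObject", "arn:aws:s3::t2:secret/obj.txt", False),    # another tenant's object
    ("s3:GetObject", "arn:aws:s3::t1:testbucket/obj.txt", False),  # needs testbucket/*
]


def check_policy(policy=ROLE_POLICY, cases=CASES):
    """Return the (action, arn) pairs whose decision differs from the expected one."""
    return [(a, r) for a, r, expected in cases if is_allowed(policy, a, r) != expected]


if __name__ == "__main__":
    for action, arn, _ in CASES:
        print(f"{action:14} {arn:40} allowed={is_allowed(ROLE_POLICY, action, arn)}")
    print("mismatches:", check_policy())
```

Running the block prints one line per constructed request; an empty mismatch list means the policy is being interpreted as the reporter expects, whereas the behaviour described in the report corresponds to every request coming back allowed.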