Bug #46078: invalid principal arn in bucket policy grants access to all
Status: Closed
Description
If I have an invalid principal in a bucket policy, access is granted to all users according to the action specified.
1. Have a radosgw user create a bucket, in this case foobucket.
2. Using the attached bucket policy, apply it with: aws s3api put-bucket-policy --bucket foobucket --policy file://foobucket.json
3. After it is applied, any user can access the bucket with the level of 'Action' specified in the policy.
Note, the arn for the user in the policy is incorrect. It should be:
"arn:aws:iam:::user/username"
not:
"aws:iam:::username"
A bad policy entry should NOT allow access to everybody (fail closed as opposed to fail open).
This may be related to https://tracker.ceph.com/issues/45912
I've reproduced this on 15.2.2 and 15.2.3 on CentOS 8.
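As an added illustration (not code from this report or from Ceph), a small policy linter and fail-closed evaluator in Python: it flags the malformed principal form quoted above and treats a statement whose Principal it cannot parse as matching nobody, rather than everybody. The policy documents, bucket name foobucket and user ARNs are constructed from the values in the report; the regular expression for acceptable principal ARNs is this checker's own assumption.

```python
import json
import re
# Principal ARN shape this checker accepts: arn:aws:iam::<account>:user/<name>
# (RGW allows an empty account, as in the report's "arn:aws:iam:::user/username").
_PRINCIPAL_ARN = re.compile(r"^arn:aws:iam::[^:]*:(user|role)/[^/]+$")

def _as_list(value):
    """Normalise the str-or-dict-or-list forms policy JSON allows into a list."""
    return [] if value is None else ([value] if isinstance(value, (str, dict)) else list(value))

def _principal_arns(principal):
    """Return the AWS principal ARNs of a statement, or None if the Principal is unparseable."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict) and "AWS" in principal:
        return _as_list(principal["AWS"])
    return None

def lint_policy(policy_json):
    """List malformed principals; empty means every statement's Principal is well-formed."""
    problems = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        arns = _principal_arns(stmt.get("Principal"))
        for arn in (arns if arns is not None else ["<missing>"]):
            if arn != "*" and not _PRINCIPAL_ARN.match(arn):
                problems.append("statement %d: malformed principal %r" % (i, arn))
    return problems

def policy_allows(policy_json, user_arn, action):
    """Evaluate for one caller, failing closed: an unparseable Principal matches nobody."""
    allowed = False
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        actions = _as_list(stmt.get("Action"))
        arns = _principal_arns(stmt.get("Principal"))
        if arns is None or any(a != "*" and not _PRINCIPAL_ARN.match(a) for a in arns):
            continue  # malformed principal: grant nothing, rather than everything
        if not (action in actions or "*" in actions or "s3:*" in actions):
            continue
        if not any(a == "*" or a == user_arn for a in arns):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit Deny that matches wins over any Allow
        allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed
# Constructed policies mirroring the report: the correct ARN form vs. the malformed one.
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam:::user/username"]},
    "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::foobucket"]}]})
BAD_POLICY = GOOD_POLICY.replace("arn:aws:iam:::user/username", "aws:iam:::username")
```

Running lint_policy over a policy file before put-bucket-policy catches the typo up front; policy_allows shows the fail-closed outcome the report asks for, where the malformed policy grants nothing to anyone.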