Ceph » rgw

Chris Durham wrote:

if I have an invalid principal in a bucket policy, access is granted to all users according to the action specified.

1. have a radosgw user create a bucket, in this case foobucket

2. Using the attached bucket policy, apply it with aws s3api put-bucket-policy --bucket foobucket --policy file://foobucket.json

3. after being applied, any user can access the bucket with the level of 'Action' specified in the policy.

Note, the arn for the user in the policy is incorrect. It should be:

"arn:aws:iam:::user/username"
not:
"aws:iam:::username"

A bad policy entry should NOT allow access to everybody (fail closed as opposed to fail open)

This may be related to https://tracker.ceph.com/issues/45912

I've reproduced this on 15.2.2 and 15.2.3 on CentOS 8

On second thought, probably NOT related to https://tracker.ceph.com/issues/45912 This bug deals with user ARNs and the other bug relates to bucket ARNs, so probably not the same parsing code....just a thought

I tried the following steps on both master and 15.2.2, but failed to reproduce the error:
1. Create 3 users

2. Create a bucket bucket1 using credentials of user1

3. Attach policy to bucket bucket1, to allow access to user2 using incorrect ARN format ("Principal": {"AWS": "aws:iam:::TESTER"},)

4. Access bucket using credentials of user3 (Action is set to s3:* in the bucket policy)

Step 4 gives an AccessDenied error.

@Chris: Are the repro steps correct?

Pritha Srivastava wrote:

I tried the following steps on both master and 15.2.2, but failed to reproduce the error:
1. Create 3 users

2. Create a bucket bucket1 using credentials of user1

3. Attach policy to bucket bucket1, to allow access to user2 using incorrect ARN format ("Principal": {"AWS": "aws:iam:::TESTER"},)

4. Access bucket using credentials of user3 (Action is set to s3:* in the bucket policy)

Step 4 gives an AccessDenied error.

@Chris: Are the repro steps correct?

@Pritha: Your steps seem correct, so I tried again, and was able to easily reproduce. However, I discovered something new. If I have:

{ "Principal": {"AWS": ["arn:aws:iam:::user"]} it reproduces fine, all users have access, as this arn is invalid (no 'user/')

If I have:

{ "Principal": {"AWS": ["arn:aws:iam:::user"], ["arn:aws:iam:::user/username"]}}

The second in this list being a properly constructed ARN, the problem does NOT occur and only arn:aws:iam:::user/username has access.

If this does not help, I'll generate up some debug rgw = 20 logs for you

I discovered this quite by accident when I tried to give access to just one user (but put in an invalid ARN) and the next day discovered that all my users had access, after which I tracked it to the invalid ARN.

Chris Durham wrote:

Pritha Srivastava wrote:

I tried the following steps on both master and 15.2.2, but failed to reproduce the error:
1. Create 3 users

2. Create a bucket bucket1 using credentials of user1

3. Attach policy to bucket bucket1, to allow access to user2 using incorrect ARN format ("Principal": {"AWS": "aws:iam:::TESTER"},)

4. Access bucket using credentials of user3 (Action is set to s3:* in the bucket policy)

Step 4 gives an AccessDenied error.

@Chris: Are the repro steps correct?

@Pritha: Your steps seem correct, so I tried again, and was able to easily reproduce. However, I discovered something new. If I have:

{ "Principal": {"AWS": ["arn:aws:iam:::user"]} it reproduces fine, all users have access, as this arn is invalid (no 'user/')

If I have:

{ "Principal": {"AWS": ["arn:aws:iam:::user"], ["arn:aws:iam:::user/username"]}}

The second in this list being a properly constructed ARN, the problem does NOT occur and only arn:aws:iam:::user/username has access.

If this does not help, I'll generate up some debug rgw = 20 logs for you

I discovered this quite by accident when I tried to give access to just one user (but put in an invalid ARN) and the next day discovered that all my users had access, after which I tracked it to the invalid ARN.

Note, the entry should be:

{ "Principal": {"AWS": ["arn:aws:iam:::user", "arn:aws:iam:::user/username"]}}

a single list