
Bug #47871

radosgw does not properly handle a roleArn when executing assume-role operation

Added by Chris Durham 9 days ago. Updated 1 day ago.

Status: In Progress
Priority: Normal
Target version:
% Done: 0%
Source: Community (user)
Tags: roles
Backport:
Regression: No
Severity: 2 - major
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature:

Description

Using 15.2.4 on centos8.1

1. I have a role defined with a path, such that the roleArn is arn:aws:iam:::/role/p1/p2/role1, with a user defined in the AssumeRolePolicyDocument
2. Using awscli as the user in question, with the valid s3 credentials for the user available, I can assume the role with:

$ aws sts assume-role --role-arn arn:aws:iam:::/role/p1/p2/role1 --role-session-name mysess

This works, and I get back a json document that has the temporary credentials. That's good.

However, when I give an invalid arn (but with '/role1' at the end of the Arn), I still get back a json document with temporary credentials, and they work! i.e.:

$ aws sts assume-role --role-arn arn:aws:iam:::/role/p5/role1 --role-session-name mysess
$ aws sts assume-role --role-arn arn:aws:iam:::/role/p3/p4/role1 --role-session-name mysess
$ aws sts assume-role --role-arn arn:aws:iam:::/role/role1 --role-session-name mysess

These all work, but they should fail. It appears that radosgw is not handling or parsing the Arn properly. The command should fail for all but the proper Arn. On AWS itself, I get AccessDenied when not using the proper Arn. Not sure how this might affect multiple roles with multiple paths and/or similar role names.

We eyeballed a typo for a role Arn (which was actually working, but shouldn't) in something we are using, which led me to file this bug report...
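To make the reported behaviour concrete, the following is an added example (not Ceph code and not from the reporter) that parses the role ARNs from this report and contrasts a lookup that compares only the trailing role name, which accepts every ARN listed above, with an exact comparison of path and name; the registry layout and the function names are assumptions for illustration.

```python
"""Model of the AssumeRole ARN check from the report (constructed example).
Registered role: path /p1/p2/, name role1, as in the report. Nothing here
talks to a radosgw; function names and the registry layout are assumptions."""
from typing import NamedTuple, Optional


class RoleArn(NamedTuple):
    partition: str
    account: str
    path: str  # always starts and ends with '/', e.g. '/p1/p2/'
    name: str


def parse_role_arn(arn: str) -> Optional[RoleArn]:
    """Parse 'arn:<partition>:iam::<account>:role/<path><name>'. The report's
    ARNs put a '/' before 'role' (arn:aws:iam:::/role/...); that form is
    accepted as well. Returns None for anything that is not a role ARN."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "iam":
        return None
    kind, sep, rest = parts[5].lstrip("/").partition("/")
    if kind != "role" or not sep or not rest:
        return None
    path, _, name = rest.rpartition("/")
    if not name:
        return None
    return RoleArn(parts[1], parts[4], "/" + path + "/" if path else "/", name)


# Constructed registry of (name, path) pairs known to the gateway.
REGISTERED_ROLES = {("role1", "/p1/p2/")}


def accepts_by_name_only(arn: str, registered=REGISTERED_ROLES) -> bool:
    """Behaviour the report describes: any ARN ending in the role name passes."""
    parsed = parse_role_arn(arn)
    return parsed is not None and any(n == parsed.name for n, _ in registered)


def accepts_exact(arn: str, registered=REGISTERED_ROLES) -> bool:
    """Expected behaviour: the ARN's path must match the stored path as well."""
    parsed = parse_role_arn(arn)
    return parsed is not None and (parsed.name, parsed.path) in registered


if __name__ == "__main__":
    for arn in ("arn:aws:iam:::/role/p1/p2/role1", "arn:aws:iam:::/role/p5/role1",
                "arn:aws:iam:::/role/p3/p4/role1", "arn:aws:iam:::/role/role1"):
        print(f"{arn:35} name-only={accepts_by_name_only(arn)} exact={accepts_exact(arn)}")
```

Running it prints the four ARNs from the report with the name-only check accepting all of them and the exact check accepting only arn:aws:iam:::/role/p1/p2/role1.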

History

#1 Updated by Casey Bodley 2 days ago

  • Assignee set to Pritha Srivastava
  • Tags set to roles

#2 Updated by Pritha Srivastava 1 day ago

Hi Chris,

Are you saying that for role1, even with incorrect paths in the arn, sts assumerole works?

Thanks,
Pritha

#3 Updated by Chris Durham 1 day ago

Pritha Srivastava wrote:

Hi Chris,

Are you saying that for role1, even with incorrect paths in the arn, sts assumerole works?

Thanks,
Pritha

Pritha,

Yes, that is correct. An incorrect Arn appears to work, as long as it ends in '/role1'.

-Chris

#4 Updated by Pritha Srivastava 1 day ago

  • Status changed from New to In Progress
  • Pull request ID set to 37770
