Bug #48472

open

rgw crash when get none exist role policy

Added by joke lee over 3 years ago. Updated over 3 years ago.

Status: Need More Info
Priority: Normal
Target version: -
% Done: 0%
Source:
Tags: sts
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

rgw will crash when getting, putting, or deleting a policy on a nonexistent role

import json

import boto3
import botocore.session

# Log the full request/response exchange to the console.
botocore.session.Session().set_debug_logger()

access_key = 'admin'
secret_key = 'admin'

# Long timeouts and no retries, so each call is sent exactly once.
configuration = boto3.session.Config(connect_timeout=3000000, read_timeout=3000000, retries={'max_attempts': 0})

iam_client = boto3.client('iam',
    aws_access_key_id=access_key,
    aws_secret_access_key=secret_key,
    endpoint_url='http://127.0.0.1:7401',
    region_name='',
    use_ssl=False,
    config=configuration,
)

# `policy` is not defined in this snippet; define it before enabling this call.
# iam_client.put_role_policy(
#     RoleName='none_exist_role',
#     PolicyName='abc',
#     PolicyDocument=json.dumps(policy, separators=(',', ':')).strip()
# )

# iam_client.delete_role_policy(
#     RoleName='none_exist_role',
#     PolicyName='abc'
# )

iam_client.get_role_policy(
    RoleName='none_exist_role',
    PolicyName='abc',
)

Actions #1

Updated by Casey Bodley over 3 years ago

  • Assignee set to Pritha Srivastava
  • Tags set to sts
Actions #2

Updated by Pritha Srivastava over 3 years ago

Hi @joke lee,

I tried the following:

radosgw-admin user create --tenant t1tenant --uid t1user --display-name t1user --access_key t1user --secret t1userpass

radosgw-admin caps add --tenant='t1tenant' --uid='t1user' --caps="roles=*" (tried with and without this step)

And my script is as follows:

import logging

import boto3
from botocore.handlers import validate_bucket_name

# Write boto debug output to boto.log.
logging.basicConfig(filename="boto.log", level=logging.DEBUG)

assume_role = True
get_session_token = False

access_key = 't1user'
secret_key = 't1userpass'

iam_client = boto3.client('iam',
    aws_access_key_id=access_key,
    aws_secret_access_key=secret_key,
    endpoint_url='http://s3.us-east.localhost:8000',
    region_name=''
)

role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\"}}"
response = iam_client.put_role_policy(
    RoleName='non_exist_role',
    PolicyName='Policy1',
    PolicyDocument=role_policy
)

response = iam_client.delete_role_policy(
    RoleName="non_exist_role",
    PolicyName="Policy1")

print(response)

response = iam_client.get_role_policy(
    RoleName="non_exist_role",
    PolicyName="Policy1")

But I do not see a crash; I see an error (which is expected) from PutRolePolicy:

2020-12-11T10:53:31.924+0530 7f120d1ce700 0 ERROR: failed reading role name from pool: default.rgw.meta: non_exist_role: (2) No such file or directory

Can you provide more specific steps to reproduce the crash, and also the version on which you tried these steps?

Actions #3

Updated by Casey Bodley over 3 years ago

  • Status changed from New to Need More Info
Actions #4

Updated by joke lee over 3 years ago

When using a user created with --system, using that user to call put_role_policy on a nonexistent role will cause a crash.
