Bug #48761

closed

rgw: fix user.rgw.user-policy attr remove by assume_role or modify user info

Added by joke lee over 3 years ago. Updated 6 months ago.

Status: Duplicate
Priority: High
Assignee: -
Target version: -
% Done: 0%
Source:
Tags:
Backport: pacific quincy reef
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

When putting a user policy on user yly with the following boto3 script:

import boto3
import botocore

# Log every request and response for debugging
botocore.session.Session().set_debug_logger()

# Credentials of the admin user on the local test cluster
access_key = 'admin'
secret_key = 'admin'
config_dict = {'signature_version': 's3', 'connect_timeout': 30000, 'read_timeout': 30000}
configuration = boto3.session.Config(**config_dict)

# IAM client pointed at the local RGW endpoint
client = boto3.client(
    'iam',
    aws_access_key_id=access_key,
    aws_secret_access_key=secret_key,
    endpoint_url='http://127.0.0.1:8000',
    region_name='',
    use_ssl=False,
    config=configuration,
)

# User policy that allows yly to call sts:GetSessionToken
policy = '''{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:GetSessionToken",
        "Resource": "*"
    }]
}'''

response = client.put_user_policy(
    UserName='yly',
    PolicyName='yly-sts',
    PolicyDocument=policy,
)

./bin/rados -p default.rgw.meta listxattr yly --namespace users.uid -c ceph.conf
ceph.objclass.version
user.rgw.user-policy <= we have new attr here

but when we modify user info by

./bin/radosgw-admin user modify --uid=yly --max-buckets=200 -c ceph.conf

the user.rgw.user-policy attr will be removed

and if we assume_role, the user.rgw.user-policy attr will be removed too

./bin/radosgw-admin role create --role-name role1 --path / --assume-role-policy-doc \{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/yly\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\}

./bin/radosgw-admin role-policy put --role-name=role1 --policy-name=Policy1 --policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Action\":\[\"s3:*\"\],\"Resource\":\"arn:aws:s3:::test1\"\}\]\}

import boto3
import botocore

# Log every request and response for debugging
botocore.session.Session().set_debug_logger()

# Credentials of user yly, the principal named in the role's trust policy
access_key = 'yly'
secret_key = 'yly'
config_dict = {'signature_version': 's3', 'connect_timeout': 30000, 'read_timeout': 30000}
configuration = boto3.session.Config(**config_dict)

# STS client pointed at the local RGW endpoint
client = boto3.client(
    'sts',
    aws_access_key_id=access_key,
    aws_secret_access_key=secret_key,
    endpoint_url='http://127.0.0.1',
    region_name='',
    use_ssl=False,
    config=configuration,
)

response = client.assume_role(
    RoleArn='arn:aws:iam:::role/role1',
    RoleSessionName='my-session-1',
    DurationSeconds=3600,
)

After calling assume_role, the user.rgw.user-policy will be removed and the user cannot call get_session_token, which we defined in put_user_policy.
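
A regression check for the behaviour reported above, added here as an example (it is not part of the original report or of the Ceph code base). It wraps the `rados listxattr` and `radosgw-admin user modify` commands from the description; the function names, the constructed sample listings and the assumption that `listxattr` prints one attribute name per line (as in the listing above) belong to this example.

```python
import subprocess

POLICY_ATTR = "user.rgw.user-policy"  # xattr name from the report

# Constructed sample output, modelled on the listing shown in the report.
SAMPLE_BEFORE = "ceph.objclass.version\nuser.rgw.user-policy\n"
SAMPLE_AFTER = "ceph.objclass.version\n"


def parse_xattrs(listing):
    """Return the xattr names in `rados listxattr` output (one name per line)."""
    return {line.split()[0] for line in listing.splitlines() if line.strip()}


def list_user_xattrs(uid, conf="ceph.conf"):
    """Run the listxattr command from the report against the user metadata object."""
    cmd = ["./bin/rados", "-p", "default.rgw.meta", "listxattr", uid,
           "--namespace", "users.uid", "-c", conf]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def modify_user(uid, conf="ceph.conf"):
    """Run the user modify command from the report."""
    cmd = ["./bin/radosgw-admin", "user", "modify", f"--uid={uid}",
           "--max-buckets=200", "-c", conf]
    subprocess.run(cmd, check=True, capture_output=True, text=True)


def check_policy_survives(uid, action=modify_user, lister=list_user_xattrs):
    """Return (survived, dropped): whether POLICY_ATTR is still present after
    `action`, and every xattr that disappeared while it ran."""
    before = parse_xattrs(lister(uid))
    if POLICY_ATTR not in before:
        raise RuntimeError(f"{uid}: {POLICY_ATTR} not set; attach a user policy first")
    action(uid)
    after = parse_xattrs(lister(uid))
    return POLICY_ATTR in after, sorted(before - after)


if __name__ == "__main__":
    # Offline demonstration with the constructed listings; on a dev cluster,
    # call check_policy_survives("yly") to run the real commands.
    listings = iter([SAMPLE_BEFORE, SAMPLE_AFTER])
    print(check_policy_survives("yly", action=lambda uid: None,
                                lister=lambda uid: next(listings)))
```

Passing a different `action` callable, such as one that performs the assume_role call from the description, checks the second trigger with the same before/after comparison.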


Related issues 1 (1 open, 0 closed)

Is duplicate of rgw - Bug #63134: rgw: fix user.rgw.user-policy attr remove by modify user info (Pending Backport)

#1

Updated by Pritha Srivastava over 3 years ago

  • Pull request ID set to 38779
#2

Updated by Casey Bodley about 1 year ago

  • Priority changed from Normal to High
#3

Updated by Casey Bodley 12 months ago

  • Status changed from New to Fix Under Review
  • Backport set to pacific quincy reef
#4

Updated by Casey Bodley 6 months ago

  • Is duplicate of Bug #63134: rgw: fix user.rgw.user-policy attr remove by modify user info added
#5

Updated by Casey Bodley 6 months ago

  • Status changed from Fix Under Review to Duplicate