Bug #49780

closed

assumed-role: s3api head-object returns 403 Forbidden, even if role has ListBucket, for non-existent object

Added by Chris Durham about 3 years ago. Updated over 1 year ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Target version:
-
% Done:

0%

Source:
Tags:
role backport_processed
Backport:
pacific octopus nautilus
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

I am using 15.2.7 on CentOS 8, and am using awscli

1. If I access a bucket with the bucket owner credentials, and hence full access, including s3:ListBucket, and execute a head-object on a non-existent object, I get 404 Not Found. This is expected.
2. If I access a bucket as a user without any permissions to the bucket, but first assuming a role via (sts assume-role) that grants me s3:* on the bucket, which includes s3:ListBucket, I get 403 Forbidden. (If the object exists I get the header back).

On AWS, using the same role and policy (adjusting for usernames and bucket names), if I do #2, I get 404 Not Found, which is what I expect, given that I have s3:ListBucket on that bucket.

According to the AWS documentation at https://docs.aws.amazon.com/cli/latest/reference/s3api/head-object.html , if I have s3:ListBucket, which the role policy gives me, then I should get 404 Not Found if I do head-object on a non-existent object.

Thus this appears to be a bug. I found the following bug from the past that seems similar but for the bucket owner and/or bucket attached policies: https://tracker.ceph.com/issues/38638

This is causing our software to not work on Ceph but fine on AWS.

I have attached a doctored sample policy that has s3:*, originally retrieved via aws s3api get-role-policy


Files

s3r.json (280 Bytes), Chris Durham, 03/12/2021 09:19 PM

Related issues: 3 (0 open, 3 closed)

Copied to rgw - Backport #50640: octopus: assumed-role: s3api head-object returns 403 Forbidden, even if role has ListBucket, for non-existent object (Resolved, Cory Snyder)
Copied to rgw - Backport #50641: nautilus: assumed-role: s3api head-object returns 403 Forbidden, even if role has ListBucket, for non-existent object (Rejected, Nathan Cutler)
Copied to rgw - Backport #50642: pacific: assumed-role: s3api head-object returns 403 Forbidden, even if role has ListBucket, for non-existent object (Resolved, Cory Snyder)
Actions #1

Updated by Chris Durham about 3 years ago

Note: I also just tried (on Ceph),

aws s3 cp s3://bucket/non-existent-file.txt non-existent-file.txt

after assuming the role.

I get a 403 Forbidden, as apparently the 'cp' command does head-object first. As such (with s3:ListBucket implied by s3:*), I would expect a 404 Not Found.

Actions #2

Updated by Casey Bodley about 3 years ago

  • Assignee set to Pritha Srivastava
  • Tags set to role
Actions #3

Updated by Casey Bodley about 3 years ago

  • Status changed from New to Fix Under Review
  • Assignee deleted (Pritha Srivastava)
  • Backport set to pacific octopus nautilus
  • Pull request ID set to 40631
Actions #4

Updated by Casey Bodley almost 3 years ago

  • Status changed from Fix Under Review to Pending Backport
Actions #5

Updated by Backport Bot almost 3 years ago

  • Copied to Backport #50640: octopus: assumed-role: s3api head-object returns 403 Forbidden, even if role has ListBucket, for non-existent object added
Actions #6

Updated by Backport Bot almost 3 years ago

  • Copied to Backport #50641: nautilus: assumed-role: s3api head-object returns 403 Forbidden, even if role has ListBucket, for non-existent object added
Actions #7

Updated by Backport Bot almost 3 years ago

  • Copied to Backport #50642: pacific: assumed-role: s3api head-object returns 403 Forbidden, even if role has ListBucket, for non-existent object added
Actions #8

Updated by hoan nv almost 3 years ago

Hi all.

PR https://github.com/ceph/s3-tests/pull/389 has role-policy

role_policy = '{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":["s3:GetObject","s3:ListBucket"],"Principal":"*","Resource":"arn:aws:s3:::*"}}'

I patched ceph 14.2.21 and tested role-policy :

role_policy = '{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":["s3:GetObject","s3:ListBucket"],"Resource":["arn:aws:s3:::bucket-1","arn:aws:s3:::bucket-1/*"]}}'

It is not working.

I changed role-policy to :

role_policy = '{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":["s3:GetObject","s3:ListBucket"],"Principal":"*","Resource":["arn:aws:s3:::bucket-1","arn:aws:s3:::bucket-1/*"]}}'

It works.

Why must "Principal":"*" be included in the policy?

Thanks.

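As an added example (not code from this tracker, from Ceph, or from the s3-tests PR), the following Python models the head-object rule quoted in the description and applies it to role policies like the ones pasted above: a missing key yields 404 only when the caller holds s3:ListBucket on the bucket ARN itself (not on bucket/*), otherwise 403. The policies and key set are constructed inputs, and the Principal element is ignored since the evaluator only decides Allow/Deny for the caller that assumed the role.

```python
import fnmatch
import json

# Constructed sample policies, modelled on the role policies quoted in this thread.
POLICY_BUCKET_AND_OBJECTS = json.loads(
    '{"Version":"2012-10-17","Statement":{"Effect":"Allow",'
    '"Action":["s3:GetObject","s3:ListBucket"],'
    '"Resource":["arn:aws:s3:::bucket-1","arn:aws:s3:::bucket-1/*"]}}')
# The description's s3:* grant on the bucket and its objects.
POLICY_S3_STAR = json.loads(
    '{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":"s3:*",'
    '"Resource":["arn:aws:s3:::bucket-1","arn:aws:s3:::bucket-1/*"]}}')
# Constructed variant: object-level actions only, so s3:ListBucket on the
# bucket ARN is never satisfied and a missing key must come back as 403.
POLICY_OBJECTS_ONLY = json.loads(
    '{"Version":"2012-10-17","Statement":{"Effect":"Allow",'
    '"Action":["s3:GetObject"],"Resource":"arn:aws:s3:::bucket-1/*"}}')


def _as_list(value):
    """IAM allows a single statement/action/resource or a list of them."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource_arn):
    """Evaluate an identity-based policy: an explicit Deny wins, else any Allow."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        action_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource_arn, r)
                           for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def head_object_status(policy, bucket, key, existing_keys):
    """Expected HTTP status for HEAD on key; existing_keys stands in for the bucket."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/{key}"
    if key in existing_keys:
        return 200 if is_allowed(policy, "s3:GetObject", object_arn) else 403
    # Missing object: 404 only if the caller may list the bucket, else 403.
    return 404 if is_allowed(policy, "s3:ListBucket", bucket_arn) else 403
```
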
Actions #9

Updated by Chris Durham over 2 years ago

I tested this on octopus 15.2.14. Without Principal: "*" in the role policy, I still get a 403 when trying to access an object that doesn't exist after assuming a role with the proper s3 permissions.

If I add Principal: "*", I get a 404, which is what I would expect for a non-existent object after assuming the role.

On pacific, 16.2.5, I still get a 403 on a non-existent object whether Principal is in the role policy or not... I expect a 404.

On AWS I DO NOT have to add the Principal: "*" to get this to work!

Actions #10

Updated by Chris Durham over 2 years ago

OK, I see from https://tracker.ceph.com/issues/50642 that this is scheduled for pacific 16.2.6. But the difference with AWS above remains. Thanks.

Actions #11

Updated by Backport Bot over 1 year ago

  • Tags changed from role to role backport_processed
Actions #12

Updated by Konstantin Shalygin over 1 year ago

  • Status changed from Pending Backport to Resolved