
Bug #51325

User has assume_role permission can access to any bucket

Added by hoan nv over 1 year ago. Updated 6 months ago.

Status: Pending Backport
Priority: High
Target version: -
% Done: 0%
Source:
Tags: backport_processed
Backport: pacific,octopus,nautilus
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

Hi all

I am using the STS feature on ceph 14.2.21.

There are 2 accounts: sts-test1 and sts-test2.

First, assign the roles capability to sts-test1:

radosgw-admin caps add --uid="sts-test1" --caps="roles=*"

Then user sts-test1 uses the IAM API to create a role for user sts-test2:

import boto3

# access_key / secret_key here are the credentials of sts-test1 (the user
# that was given the roles capability); endpoint_url is the RGW endpoint.
iam_client = boto3.client('iam',
    aws_access_key_id=access_key,
    aws_secret_access_key=secret_key,
    endpoint_url=endpoint_url,
    region_name=''
)

# Trust policy: only user sts-test2 may call sts:AssumeRole on this role.
policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/sts-test2\"]},\"Action\":[\"sts:AssumeRole\"]}}"

role_response = iam_client.create_role(
    AssumeRolePolicyDocument=policy_document,
    Path='/',
    RoleName='S3AccessTest1',
)

Last, sts-test2 uses the STS API to get an access key, secret key and token, and then puts a file:


# access_key / secret_key here are the credentials of sts-test2.
sts_client = boto3.client('sts',
    aws_access_key_id=access_key,
    aws_secret_access_key=secret_key,
    endpoint_url=endpoint_url,
    region_name='',
)

# Session policy passed to AssumeRole: intended to limit the session to bucket test1.
response = sts_client.assume_role(
    RoleArn='arn:aws:iam:::role/S3AccessTest1',
    Policy="{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:GetObject\",\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}",
    RoleSessionName='Bob',
    DurationSeconds=3600
)

# Temporary credentials returned by AssumeRole.
s3client = boto3.client('s3',
    aws_access_key_id=response['Credentials']['AccessKeyId'],
    aws_secret_access_key=response['Credentials']['SecretAccessKey'],
    aws_session_token=response['Credentials']['SessionToken'],
    endpoint_url=endpoint_url,
    region_name='',
)

bucket_name = 'test1'
body = 'testext'
# str.encode() returns a new bytes object; it must be assigned, otherwise the str is sent.
body = body.encode(encoding='utf_8')
s3client.put_object(Body=body, Bucket=bucket_name, Key="test-1.txt")

Policy

Policy="{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:GetObject\",\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}" 

When I change test1 to any bucket of any user (a bucket not owned by sts-test1), I can put and get with all buckets.

I think this is a bug.

If it is not a bug, how can I restrict which buckets sts-test2 can put to and get from?

Thanks.
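The expected behaviour the report relies on is the intersection rule for assumed-role sessions: a session policy supplied to AssumeRole can only narrow what the role's own permissions policies already allow, never widen it, and a request outside the session policy's Resource list must be refused. The following model is an added illustration of that rule, not code from the report or from Ceph RGW. ROLE_PERMISSION_POLICY and WIDE_SESSION_POLICY are constructed for the example (the report attaches no permissions policy to S3AccessTest1); SESSION_POLICY is the document the report passes to assume_role(). The "other-user-bucket" name is likewise constructed.

```python
import json
import re
from typing import Optional, Sequence

# Constructed: a permissions policy one would attach to S3AccessTest1
# (e.g. with put_role_policy) so the role itself is scoped to bucket test1.
ROLE_PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::test1", "arn:aws:s3:::test1/*"],
    }],
}

# The session policy from the report, parsed from the same JSON string.
SESSION_POLICY = json.loads(
    '{"Version":"2012-10-17","Statement":{"Effect":"Allow",'
    '"Action":["s3:GetObject","s3:PutObject"],'
    '"Resource":["arn:aws:s3:::test1","arn:aws:s3:::test1/*"]}}'
)

# Constructed: a session policy that tries to widen access to every bucket.
WIDE_SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*"},
}


def _as_list(value):
    """IAM accepts a single string/object wherever a list is accepted."""
    return value if isinstance(value, list) else [value]


def _glob_match(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def policy_decision(policy: dict, action: str, resource: str) -> Optional[str]:
    """Evaluate one policy document: 'Deny', 'Allow', or None when nothing matches."""
    decision = None
    for stmt in _as_list(policy["Statement"]):
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt.get("Resource", "*"))
        if not any(_glob_match(a, action) for a in actions):
            continue
        if not any(_glob_match(r, resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny in a matching statement is final
        decision = "Allow"
    return decision


def effective_allow(role_policies: Sequence[dict], session_policy: Optional[dict],
                    action: str, resource: str) -> bool:
    """Intersection rule: the role's own policies must allow the request, and when a
    session policy was supplied it must allow the request as well. A role with no
    permissions policy allows nothing, whatever the session policy says."""
    role_decisions = [policy_decision(p, action, resource) for p in role_policies]
    if "Deny" in role_decisions or "Allow" not in role_decisions:
        return False
    if session_policy is not None and \
            policy_decision(session_policy, action, resource) != "Allow":
        return False
    return True


def report_scenario() -> dict:
    """Re-run the report's requests under the intersection rule (constructed inputs)."""
    role = [ROLE_PERMISSION_POLICY]
    return {
        "put test1/test-1.txt": effective_allow(
            role, SESSION_POLICY, "s3:PutObject", "arn:aws:s3:::test1/test-1.txt"),
        "put other-user-bucket/x": effective_allow(
            role, SESSION_POLICY, "s3:PutObject", "arn:aws:s3:::other-user-bucket/x"),
        "wide session policy, other bucket": effective_allow(
            role, WIDE_SESSION_POLICY, "s3:GetObject", "arn:aws:s3:::other-user-bucket/x"),
        "role without permissions policy": effective_allow(
            [], SESSION_POLICY, "s3:GetObject", "arn:aws:s3:::test1/a.txt"),
    }


if __name__ == "__main__":
    for name, allowed in report_scenario().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

Only the first request (a put into test1) comes out allowed; the put into another user's bucket, the attempt to widen the session with a broader session policy, and a session on a role that has no permissions policy are all refused. That last case is the one to check against the report's setup: the role was created with only a trust policy, so under the intersection rule the session policy alone should not have granted object access anywhere.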


Related issues

Copied to rgw - Backport #51471: pacific: User has assume_role permission can access to any bucket Resolved
Copied to rgw - Backport #51472: nautilus: User has assume_role permission can access to any bucket Rejected
Copied to rgw - Backport #51473: octopus: User has assume_role permission can access to any bucket New

History

#1 Updated by Casey Bodley over 1 year ago

  • Priority changed from Normal to High

#2 Updated by Pritha Srivastava over 1 year ago

  • Assignee set to Pritha Srivastava
  • Pull request ID set to 41585

I had fixed this on master, I will check the specific scenario and update the bug.

#3 Updated by hoan nv over 1 year ago

Can this bug be backported to nautilus?

I see 14.2.22 is the latest version.

#4 Updated by Pritha Srivastava over 1 year ago

Sure, I'll verify this on master and set the backports

#5 Updated by Pritha Srivastava over 1 year ago

  • Backport set to pacific,octopus,nautilus

I have verified the session policy changes on master and they work as expected. And I have set the backports to pacific, octopus and nautilus

#6 Updated by Casey Bodley over 1 year ago

  • Status changed from New to Pending Backport

#7 Updated by Backport Bot over 1 year ago

  • Copied to Backport #51471: pacific: User has assume_role permission can access to any bucket added

#8 Updated by Backport Bot over 1 year ago

  • Copied to Backport #51472: nautilus: User has assume_role permission can access to any bucket added

#9 Updated by Backport Bot over 1 year ago

  • Copied to Backport #51473: octopus: User has assume_role permission can access to any bucket added

#10 Updated by hoan nv over 1 year ago

Will the backport to nautilus be merged?

I think 3 months is too long for this issue.

#11 Updated by Backport Bot 6 months ago

  • Tags set to backport_processed
