Bug #51325
closedUser has assume_role permission can access to any bucket
100%
Description
Hi all
I am using sts feature sts on ceph 14.2.21.
2 account sts-test1 and sts-test2.
First assign to sts-test1 roles capability :
radosgw-admin caps add --uid="sts-test1" --caps="roles=*
Then user sts-test1 use iam api to create role for user sts-test2
iam_client = boto3.client('iam',
aws_access_key_id=access_key,
aws_secret_access_key=secret_key,
endpoint_url=endpoint_url,
region_name=''
)
policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/sts-test2\"]},\"Action\":[\"sts:AssumeRole\"]}}"
role_response = iam_client.create_role(
AssumeRolePolicyDocument=policy_document,
Path='/',
RoleName='S3AccessTest1',
)
Last , sts-test2 user sts api to get accesskey, secret key and token to put file
sts_client = boto3.client('sts',
aws_access_key_id=access_key,
aws_secret_access_key=secret_key,
endpoint_url=endpoint_url,
region_name='',
)
response = sts_client.assume_role(
RoleArn='arn:aws:iam:::role/S3AccessTest1',
Policy="{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:GetObject\",\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}",
RoleSessionName='Bob',
DurationSeconds=3600
)
s3client = boto3.client('s3',
aws_access_key_id = response['Credentials']['AccessKeyId'],
aws_secret_access_key = response['Credentials']['SecretAccessKey'],
aws_session_token = response['Credentials']['SessionToken'],
endpoint_url=endpoint_url,
region_name='',)
bucket_name = 'test1'
body = 'testext'
body.encode(encoding='utf_8')
s3client.put_object(Body=body, Bucket=bucket_name, Key="test-1.txt")
Policy
Policy="{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:GetObject\",\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}"
When change test1 with any bucket of any user (bucket not owner by sts-test1), i can put get with all bucket.
I thinks this is a bug.
If not a bug how i can restrict bucket sts-test2 can put, get.
Thanks.
Updated by Pritha Srivastava almost 3 years ago
- Assignee set to Pritha Srivastava
- Pull request ID set to 41585
I had fixed this on master, I will check the specific scenario and update the bug.
Updated by hoan nv almost 3 years ago
this bug can be backported to nautilus ?.
I see 14.2.22 is lastest versions.
Updated by Pritha Srivastava almost 3 years ago
Sure, I'll verify this on master and set the backports
Updated by Pritha Srivastava almost 3 years ago
- Backport set to pacific,octopus,nautilus
I have verified the session policy changes on master and they work as expected. And I have set the backports to pacific, octopus and nautilus
Updated by Casey Bodley almost 3 years ago
- Status changed from New to Pending Backport
Updated by Backport Bot almost 3 years ago
- Copied to Backport #51471: pacific: User has assume_role permission can access to any bucket added
Updated by Backport Bot almost 3 years ago
- Copied to Backport #51472: nautilus: User has assume_role permission can access to any bucket added
Updated by Backport Bot almost 3 years ago
- Copied to Backport #51473: octopus: User has assume_role permission can access to any bucket added
Updated by hoan nv over 2 years ago
Backport to nautilus will be merge ?
I think 3 months is too long for this issue.
Updated by Konstantin Shalygin about 1 year ago
- Status changed from Pending Backport to Resolved
- % Done changed from 0 to 100