Bug #51325: User with assume_role permission can access any bucket
Status: closed
% Done: 100%
Tags: backport_processed
Backport: pacific,octopus,nautilus
Regression: No
Severity: 3 - minor
Description
Hi all,
I am using the STS feature on Ceph 14.2.21.
There are 2 accounts: sts-test1 and sts-test2.
First, assign the roles capability to sts-test1:
radosgw-admin caps add --uid="sts-test1" --caps="roles=*"
Then user sts-test1 uses the IAM API to create a role for user sts-test2:
import boto3

# access_key / secret_key are sts-test1's S3 credentials, endpoint_url is the RGW endpoint
iam_client = boto3.client('iam',
                          aws_access_key_id=access_key,
                          aws_secret_access_key=secret_key,
                          endpoint_url=endpoint_url,
                          region_name=''
                          )
# Trust policy: only user sts-test2 may call sts:AssumeRole on this role
policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/sts-test2\"]},\"Action\":[\"sts:AssumeRole\"]}}"
role_response = iam_client.create_role(
    AssumeRolePolicyDocument=policy_document,
    Path='/',
    RoleName='S3AccessTest1',
)
Last, sts-test2 uses the STS API to get an access key, secret key and session token, then puts a file:
import boto3

# access_key / secret_key are sts-test2's S3 credentials, endpoint_url is the RGW endpoint
sts_client = boto3.client('sts',
                          aws_access_key_id=access_key,
                          aws_secret_access_key=secret_key,
                          endpoint_url=endpoint_url,
                          region_name='',
                          )
# Session policy: meant to limit the temporary credentials to GetObject/PutObject on bucket test1
response = sts_client.assume_role(
    RoleArn='arn:aws:iam:::role/S3AccessTest1',
    Policy="{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:GetObject\",\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}",
    RoleSessionName='Bob',
    DurationSeconds=3600
)
s3client = boto3.client('s3',
                        aws_access_key_id=response['Credentials']['AccessKeyId'],
                        aws_secret_access_key=response['Credentials']['SecretAccessKey'],
                        aws_session_token=response['Credentials']['SessionToken'],
                        endpoint_url=endpoint_url,
                        region_name='',)
bucket_name = 'test1'
body = 'testext'.encode(encoding='utf_8')  # encode() returns bytes; the result must be kept
s3client.put_object(Body=body, Bucket=bucket_name, Key="test-1.txt")
Policy:
Policy="{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:GetObject\",\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}"
When I change test1 to any bucket of any user (a bucket not owned by sts-test1), I can put and get with all buckets.
I think this is a bug.
If it is not a bug, how can I restrict which buckets sts-test2 can put to and get from?
Thanks.
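The report boils down to one check: does the gateway enforce the session policy passed to AssumeRole, or does the caller end up with broader access than the policy allows? The following is an added example, not code from the reporter or from Ceph. It evaluates the report's session policy offline with simplified IAM semantics (explicit Deny wins, then Allow, otherwise implicit Deny; Conditions, NotAction and NotResource are not modelled) and compares that against a set of probe results. The probe results here are constructed to mirror the report; in a real regression check they would come from issuing the same requests with the STS credentials against a test RGW.

```python
import fnmatch
import json

# Session policy copied from the bug report: sts-test2's temporary credentials
# are meant to be scoped to GetObject/PutObject on bucket "test1" only.
SESSION_POLICY = json.loads(
    '{"Version":"2012-10-17","Statement":{"Effect":"Allow",'
    '"Action":["s3:GetObject","s3:PutObject"],'
    '"Resource":["arn:aws:s3:::test1","arn:aws:s3:::test1/*"]}}'
)


def _as_list(value):
    """IAM allows Statement, Action and Resource to be a single item or a list."""
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, resource):
    """Decide Allow/Deny for one request under simplified IAM semantics:
    an explicit Deny wins, otherwise any matching Allow grants, otherwise
    the request is implicitly denied. Actions compare case-insensitively;
    '*' and '?' wildcards are honoured in Action and Resource.
    Conditions, NotAction and NotResource are deliberately not modelled."""
    decision = "Deny"  # implicit deny until an Allow matches
    for stmt in _as_list(policy["Statement"]):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def s3_arn(bucket, key=None):
    """Build the S3 ARN for a bucket or for an object inside it."""
    return f"arn:aws:s3:::{bucket}" if key is None else f"arn:aws:s3:::{bucket}/{key}"


def find_violations(policy, observed):
    """Compare live probe results with what the session policy says.

    observed: iterable of (action, resource_arn, was_allowed) tuples.
    Returns every request where the gateway was more permissive than the
    policy (the failure mode in the report) or more restrictive than it."""
    violations = []
    for action, resource, was_allowed in observed:
        expected = evaluate(policy, action, resource)
        seen = "Allow" if was_allowed else "Deny"
        if expected != seen:
            violations.append({"action": action, "resource": resource,
                               "expected": expected, "observed": seen})
    return violations


# Constructed probe results (not real gateway output). They mirror the report:
# PutObject succeeded on test1 as intended, but also on a bucket the session
# policy never mentions, which is exactly what a regression check should flag.
OBSERVED = [
    ("s3:PutObject", s3_arn("test1", "test-1.txt"), True),
    ("s3:GetObject", s3_arn("test1", "test-1.txt"), True),
    ("s3:PutObject", s3_arn("other-bucket", "x.txt"), True),   # should have been denied
    ("s3:DeleteObject", s3_arn("test1", "test-1.txt"), False),
]

if __name__ == "__main__":
    for v in find_violations(SESSION_POLICY, OBSERVED):
        print(f"{v['action']} on {v['resource']}: "
              f"expected {v['expected']}, observed {v['observed']}")
```

To turn this into a live check, replace OBSERVED with the outcome of each request made with the AssumeRole credentials (allowed if the call succeeds, denied on an AccessDenied error) and fail the test if find_violations returns anything; an empty list means the gateway honoured the session policy for every probe.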