Bug #52302

closed

assumed-role: s3api head-object returns 403 Forbidden, even if role has ListBucket, for non-existent object, patch in https://tracker.ceph.com/issues/49780 inconsistent with AWS

Added by Chris Durham over 2 years ago. Updated 5 months ago.

Status: Resolved
Priority: Normal
Target version: -
% Done: 100%
Source: Community (user)
Tags: sts role backport_processed
Backport: octopus pacific
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

The solution to an assumed role returning 404 instead of 403 for a non-existent object, as detailed in https://tracker.ceph.com/issues/49780, is inconsistent with the same issue in AWS.

I am using octopus 15.2.14 on CentOS 8.

In https://tracker.ceph.com/issues/49780 the solution implies that the role policy requires a 'Principal' Key: (which does work in ceph):

However, in real AWS, the '"Principal": "*"' is not required to get a 404 for a non-existent object. Without the 'Principal' key in ceph, we still get a 403 on ceph for a non-existent object.

I understand that the Principal key may limit who in the role can access the buckets, but the fix should be consistent with the way AWS does it, with the Principal key (presumably) optional.

See comments on https://tracker.ceph.com/issues/49780 for details
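
The AWS behaviour the report refers to, as an added example that is not part of the original report and is not Ceph RGW or AWS code: a simplified Python model in which HEAD Object on a missing key resolves to 404 when the role's permission policy allows `s3:ListBucket` on the bucket and to 403 otherwise, with `Principal` not consulted. The policies, the bucket name `example-bucket`, the keys and all function names are constructed for illustration; `Condition`, `NotAction` and `NotResource` are not modelled.

```python
import re

def _wild(pattern, value, ignore_case=False):
    # IAM-style wildcards: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _any(patterns, value, ignore_case=False):
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(_wild(p, value, ignore_case) for p in patterns)

def is_allowed(policy, action, resource):
    """Explicit Deny wins, then any Allow, otherwise implicit deny.
    'Principal' is not consulted (assumption: this is the role's permission policy)."""
    allowed = False
    stmts = policy.get("Statement", [])
    for s in stmts if isinstance(stmts, list) else [stmts]:
        if _any(s.get("Action", []), action, True) and _any(s.get("Resource", []), resource):
            if s.get("Effect") == "Deny":
                return False
            allowed = allowed or s.get("Effect") == "Allow"
    return allowed

def head_object_status(policy, bucket, key, existing_keys):
    """HTTP status a HEAD Object request gets under this model."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    if key in existing_keys:
        return 200 if is_allowed(policy, "s3:GetObject", f"{bucket_arn}/{key}") else 403
    # Missing key: 404 only when the caller may list the bucket, else 403,
    # so a caller without ListBucket cannot learn which keys exist.
    return 404 if is_allowed(policy, "s3:ListBucket", bucket_arn) else 403

def sample_policy(actions, principal=None):
    # Constructed sample policy, not taken from the tracker issue.
    stmt = {"Effect": "Allow", "Action": actions,
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}
    if principal is not None:
        stmt["Principal"] = principal
    return {"Version": "2012-10-17", "Statement": [stmt]}

LIST_AND_GET = sample_policy(["s3:ListBucket", "s3:GetObject"])
LIST_AND_GET_WITH_PRINCIPAL = sample_policy(["s3:ListBucket", "s3:GetObject"], "*")
GET_ONLY = sample_policy(["s3:GetObject"])
KEYS = {"present.txt"}  # constructed bucket contents

if __name__ == "__main__":
    for name, pol in (("list+get", LIST_AND_GET), ("get only", GET_ONLY)):
        print(name, head_object_status(pol, "example-bucket", "missing.txt", KEYS))
```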


Related issues 2 (0 open, 2 closed)

Copied to rgw - Backport #53647: octopus: assumed-role: s3api head-object returns 403 Forbidden, even if role has ListBucket, for non-existent object, patch in https://tracker.ceph.com/issues/49780 inconsistent with AWS (Rejected)
Copied to rgw - Backport #53648: pacific: assumed-role: s3api head-object returns 403 Forbidden, even if role has ListBucket, for non-existent object, patch in https://tracker.ceph.com/issues/49780 inconsistent with AWS (Resolved, Pritha Srivastava)
Actions #1

Updated by Matt Benjamin over 2 years ago

  • Status changed from New to Triaged
  • Assignee set to Pritha Srivastava
Actions #2

Updated by Pritha Srivastava over 2 years ago

  • Pull request ID set to 42009
Actions #3

Updated by Casey Bodley over 2 years ago

  • Status changed from Triaged to Fix Under Review
  • Tags set to sts role
  • Backport set to octopus pacific
Actions #4

Updated by Loïc Dachary over 2 years ago

  • Target version deleted (v15.2.15)
Actions #5

Updated by Casey Bodley over 2 years ago

  • Status changed from Fix Under Review to Pending Backport
Actions #6

Updated by Backport Bot over 2 years ago

  • Copied to Backport #53647: octopus: assumed-role: s3api head-object returns 403 Forbidden, even if role has ListBucket, for non-existent object, patch in https://tracker.ceph.com/issues/49780 inconsistent with AWS added
Actions #7

Updated by Backport Bot over 2 years ago

  • Copied to Backport #53648: pacific: assumed-role: s3api head-object returns 403 Forbidden, even if role has ListBucket, for non-existent object, patch in https://tracker.ceph.com/issues/49780 inconsistent with AWS added
Actions #8

Updated by Backport Bot over 1 year ago

  • Tags changed from sts role to sts role backport_processed
Actions #9

Updated by Konstantin Shalygin 5 months ago

  • Status changed from Pending Backport to Resolved
  • % Done changed from 0 to 100