Bug #52302
closed
assumed-role: s3api head-object returns 403 Forbidden, even if role has ListBucket, for non-existent object, patch in https://tracker.ceph.com/issues/49780 inconsistent with AWS
100%
Description
The solution to an assumed role returning 404 instead of 403 for a non-existent object, as detailed in https://tracker.ceph.com/issues/49780, is inconsistent with the same issue in AWS.
I am using octopus 15.2.14 on CentOS 8.
In https://tracker.ceph.com/issues/49780 the solution implies that the role policy requires a 'Principal' Key: (which does work in ceph):
However, in real AWS, the '"Principal": "*"' is not required to get a 404 for a non-existent object. Without the 'Principal' key in ceph, we still get a 403 on ceph for a non-existent object.
I understand that the Principal key may limit who in the role can access the buckets, but the fix should be consistent with the way AWS does it, with the Principal key (presumably) optional.
See comments on https://tracker.ceph.com/issues/49780 for details
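The behaviour this report asks for can be written down as a small model, added here as an illustration; it is not code from the tracker or from Ceph RGW. It evaluates a role permission policy that has no 'Principal' key and returns the HEAD status for an object, assuming the AWS-documented rule that a missing object yields 404 only when the caller holds s3:ListBucket on the bucket. The bucket name, keys and policy are constructed sample values.

```python
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allows(policy, action, resource):
    """Evaluate a role permission (identity) policy: explicit Deny wins,
    otherwise any matching Allow grants. No 'Principal' key is needed."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        matched = (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
                   and any(fnmatch.fnmatchcase(resource, r) for r in resources))
        if not matched:
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed

def head_object_status(policy, bucket, key, existing_keys):
    """Model of the HTTP status for HEAD on bucket/key under the policy."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    if not allows(policy, "s3:GetObject", f"{bucket_arn}/{key}"):
        return 403
    if key in existing_keys:
        return 200
    # Missing object: 404 only if the caller may list the bucket,
    # otherwise 403 so that object existence is not disclosed.
    return 404 if allows(policy, "s3:ListBucket", bucket_arn) else 403

# Constructed role policy without a 'Principal' key.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::demo-bucket/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::demo-bucket"},
    ],
}
# Same policy with the ListBucket statement removed.
NO_LIST_POLICY = {**ROLE_POLICY, "Statement": ROLE_POLICY["Statement"][:1]}

if __name__ == "__main__":
    keys = {"present.txt"}
    for name, pol in (("with ListBucket", ROLE_POLICY), ("without", NO_LIST_POLICY)):
        print(name, head_object_status(pol, "demo-bucket", "missing.txt", keys))
```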
Updated by Matt Benjamin over 2 years ago
- Status changed from New to Triaged
- Assignee set to Pritha Srivastava
Updated by Pritha Srivastava over 2 years ago
- Pull request ID set to 42009
Updated by Casey Bodley over 2 years ago
- Status changed from Triaged to Fix Under Review
- Tags set to sts role
- Backport set to octopus pacific
Updated by Casey Bodley over 2 years ago
- Status changed from Fix Under Review to Pending Backport
Updated by Backport Bot over 2 years ago
- Copied to Backport #53647: octopus: assumed-role: s3api head-object returns 403 Forbidden, even if role has ListBucket, for non-existent object, patch in https://tracker.ceph.com/issues/49780 inconsistent with AWS added
Updated by Backport Bot over 2 years ago
- Copied to Backport #53648: pacific: assumed-role: s3api head-object returns 403 Forbidden, even if role has ListBucket, for non-existent object, patch in https://tracker.ceph.com/issues/49780 inconsistent with AWS added
Updated by Backport Bot over 1 year ago
- Tags changed from sts role to sts role backport_processed
Updated by Konstantin Shalygin 5 months ago
- Status changed from Pending Backport to Resolved
- % Done changed from 0 to 100