Bug #52302

assumed-role: s3api head-object returns 403 Forbidden, even if role has ListBucket, for non-existent object, patch in https://tracker.ceph.com/issues/49780 inconsistent with AWS

Added by Chris Durham over 1 year ago. Updated 6 months ago.

Status: Pending Backport
Priority: Normal
Target version: -
% Done: 0%
Source: Community (user)
Tags: sts role backport_processed
Backport: octopus pacific
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

The solution to an assumed role returning 404 instead of 403 for a non-existent object, as detailed in https://tracker.ceph.com/issues/49780, is inconsistent with the same issue in AWS.

I am using octopus 15.2.14 on CentOS 8.

In https://tracker.ceph.com/issues/49780 the solution implies that the role policy requires a 'Principal' Key: (which does work in ceph):

However, in real AWS, the '"Principal": "*"' is not required to get a 404 for a non-existent object. Without the 'Principal' key in ceph, we still get a 403 on ceph for a non-existent object.

I understand that the Principal key may limit who in the role can access the buckets, but the fix should be consistent with the way AWS does it, with the Principal key (presumably) optional.

See comments on https://tracker.ceph.com/issues/49780 for details
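
The AWS behaviour the report asks Ceph to match, as an added example that is not part of the original report or of Ceph's code: S3 answers HEAD on a missing object with 404 only when the caller has s3:ListBucket on the bucket, and with 403 otherwise. The bucket name, object keys and policies below are constructed, and the evaluator is a simplified model (no Condition, NotAction or NotResource) that ignores any "Principal" key.

```python
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allows(policy, action, resource):
    """Explicit Deny wins; otherwise any matching Allow grants access.
    A "Principal" key is deliberately ignored, i.e. treated as optional."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def head_object_status(policy, bucket, key, existing_keys):
    """HTTP status for HEAD on bucket/key under the given role policy."""
    if key in existing_keys:
        ok = allows(policy, "s3:GetObject", f"arn:aws:s3:::{bucket}/{key}")
        return 200 if ok else 403
    # Missing object: 404 only for callers who could list the bucket anyway;
    # everyone else gets 403 so the response does not disclose existence.
    can_list = allows(policy, "s3:ListBucket", f"arn:aws:s3:::{bucket}")
    return 404 if can_list else 403

# Constructed sample policies (not taken from the report).
STATEMENT = {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"]}
WITHOUT_PRINCIPAL = {"Version": "2012-10-17", "Statement": [STATEMENT]}
WITH_PRINCIPAL = {"Version": "2012-10-17",
                  "Statement": [dict(STATEMENT, Principal="*")]}
GET_ONLY = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                           "Resource": "arn:aws:s3:::mybucket/*"}]}
OBJECTS = {"present.txt"}

if __name__ == "__main__":
    for name, pol in [("without Principal", WITHOUT_PRINCIPAL),
                      ("with Principal", WITH_PRINCIPAL),
                      ("GetObject only", GET_ONLY)]:
        print(name, head_object_status(pol, "mybucket", "missing.txt", OBJECTS))
```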


Related issues

Copied to rgw - Backport #53647: octopus: assumed-role: s3api head-object returns 403 Forbidden, even if role has ListBucket, for non-existent object, patch in https://tracker.ceph.com/issues/49780 inconsistent with AWS New
Copied to rgw - Backport #53648: pacific: assumed-role: s3api head-object returns 403 Forbidden, even if role has ListBucket, for non-existent object, patch in https://tracker.ceph.com/issues/49780 inconsistent with AWS In Progress

History

#1 Updated by Matt Benjamin over 1 year ago

  • Status changed from New to Triaged
  • Assignee set to Pritha Srivastava

#2 Updated by Pritha Srivastava over 1 year ago

  • Pull request ID set to 42009

#3 Updated by Casey Bodley over 1 year ago

  • Status changed from Triaged to Fix Under Review
  • Tags set to sts role
  • Backport set to octopus pacific

#4 Updated by Loïc Dachary over 1 year ago

  • Target version deleted (v15.2.15)

#5 Updated by Casey Bodley about 1 year ago

  • Status changed from Fix Under Review to Pending Backport

#6 Updated by Backport Bot about 1 year ago

  • Copied to Backport #53647: octopus: assumed-role: s3api head-object returns 403 Forbidden, even if role has ListBucket, for non-existent object, patch in https://tracker.ceph.com/issues/49780 inconsistent with AWS added

#7 Updated by Backport Bot about 1 year ago

  • Copied to Backport #53648: pacific: assumed-role: s3api head-object returns 403 Forbidden, even if role has ListBucket, for non-existent object, patch in https://tracker.ceph.com/issues/49780 inconsistent with AWS added

#8 Updated by Backport Bot 6 months ago

  • Tags changed from sts role to sts role backport_processed
