Bug #52455
closed
radosgw-admin user modify, user suspend and user enable cause user-policy of said user to be lost
% Done: 0%
Regression: No
Severity: 3 - minor
Description
Running any of the user-modifying commands of radosgw-admin against a local radosgw user causes the user-policy of said user to be cleared.
Each of the following commands clears the user-policy, regardless of what the status of the user was and whether anything was actually asked to be changed.
radosgw-admin user modify --uid='tenant$user'
radosgw-admin user suspend --uid='tenant$user'
radosgw-admin user enable --uid='tenant$user'
Tested by setting a user policy over boto3 as an admin user:
iam.put_user_policy(
    UserName="tenant$user",
    PolicyName="STSPolicy",
    PolicyDocument="{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"Action\":\"s3:*\",\"Resource\":[\"*\"],\"Condition\":{\"BoolIfExists\":{\"sts:authentication\":\"false\"}}},{\"Effect\":\"Allow\",\"Action\":\"sts:GetSessionToken\",\"Resource\":\"*\",\"Condition\":{\"BoolIfExists\":{\"sts:authentication\":\"false\"}}}]}"
)
And checking for the policy:
iam.get_user_policy(UserName='tenant$user', PolicyName='STSPolicy')
and running any of the aforementioned commands in between checks.
After the commands, a user-policy can be put back again and it will work.
Discovered on v16.2.5 when I re-enabled a previously suspended user and getSessionToken() did not start working again for that user. Root cause so far unknown, not tested on other versions.
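One way to guard administrative scripts against this behaviour, as an added example that is not part of the original report or of Ceph's code: snapshot the user's policies, run the command, and put back any policy that disappeared. The helper names are hypothetical, and `iam` is assumed to be a boto3 IAM client created with admin credentials against the RGW endpoint.

```python
import json
import subprocess

# The three subcommands the report names as clearing the user-policy.
AFFECTED = ("modify", "suspend", "enable")


def _normalize(doc):
    # boto3 may return the policy document as a dict or as a JSON string.
    return json.dumps(json.loads(doc) if isinstance(doc, str) else doc, sort_keys=True)


def snapshot_policies(iam, user):
    """Return {policy_name: normalized_json} for every user-policy of `user`."""
    names = iam.list_user_policies(UserName=user)["PolicyNames"]
    return {
        n: _normalize(iam.get_user_policy(UserName=user, PolicyName=n)["PolicyDocument"])
        for n in names
    }


def run_radosgw_admin(args):
    # Argument list, no shell: the '$' in 'tenant$user' is passed literally.
    subprocess.run(["radosgw-admin", *args], check=True)


def guarded_user_command(iam, user, subcommand, runner=run_radosgw_admin):
    """Run `radosgw-admin user <subcommand>` and put back any policy it dropped.

    Returns the sorted names of the policies that had to be restored.
    """
    if subcommand not in AFFECTED:
        raise ValueError(f"unexpected subcommand: {subcommand}")
    before = snapshot_policies(iam, user)
    runner(["user", subcommand, f"--uid={user}"])
    after = snapshot_policies(iam, user)
    restored = []
    for name, doc in before.items():
        if after.get(name) != doc:
            iam.put_user_policy(UserName=user, PolicyName=name, PolicyDocument=doc)
            restored.append(name)
    return sorted(restored)
```

A non-empty return value means the command dropped at least one policy; the user has no such policy between the command and the restore, so any Deny statement it carried is not enforced during that window.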