Bug #52706
closedWith policy specifying invalid arn, users can list content of any bucket
0%
Description
Hi
I have a role with permission policy like below
{
"Version":"2012-10-17","Statement":[
{
"Effect":"Allow","Action":["s3:ListBucket"],"Resource":"this-is-not-arn-bla-bla"
}
]
}
or
{
"Version":"2012-10-17","Statement":[
{
"Effect":"Allow","Action":["s3:ListBucket"],"Resource":"barn:aws:s3:::nonexisting-bucket"
}
]
}
User after assuming the role can execute head-bucket or list-bucket s3api operation on every bucket in the tenant without getting error 403 as expected
If I specify Resource as a valid ARN (even if bucket does not exist) e.g. arn:aws:s3:::my-valid-bucket
then user can list content of that bucket only, as expected. Attempt to access any other bucket returns 403.
Updated by Daniel Iwan over 2 years ago
Invalid ARN also allows to execute list-objects operation in any bucket of the tenant without getting 403 error.
Updated by Matt Benjamin over 2 years ago
- Status changed from New to Fix Under Review
Updated by Matt Benjamin over 2 years ago
Per Pritha, https://github.com/ceph/ceph/pull/41931 fixes this issue. We need to expedite qa and merge.
Matt
Updated by Casey Bodley over 2 years ago
- Status changed from Fix Under Review to Resolved
resolved in https://github.com/ceph/ceph/pull/41931
backports are tracked in https://tracker.ceph.com/issues/51219