Bug #52706: With policy specifying invalid arn, users can list content of any bucket - rgw - Ceph

Actions

Copy link

Bug #52706

closed

With policy specifying invalid arn, users can list content of any bucket

Added by Daniel Iwan over 2 years ago. Updated over 2 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Pritha Srivastava

Target version:

% Done:

Source:

Tags:

Backport:

Regression:

Severity:

2 - major

Reviewed:

Affected Versions:

ceph-qa-suite:

Pull request ID:

41931

Crash signature (v1):

Crash signature (v2):

Description

I have a role with permission policy like below

{
    "Version":"2012-10-17","Statement":[
    {
        "Effect":"Allow","Action":["s3:ListBucket"],"Resource":"this-is-not-arn-bla-bla" 
    }
    ]
}

{
    "Version":"2012-10-17","Statement":[
    {
        "Effect":"Allow","Action":["s3:ListBucket"],"Resource":"barn:aws:s3:::nonexisting-bucket" 
    }
    ]
}

User after assuming the role can execute head-bucket or list-bucket s3api operation on every bucket in the tenant without getting error 403 as expected
If I specify Resource as a valid ARN (even if bucket does not exist) e.g. arn:aws:s3:::my-valid-bucket

then user can list content of that bucket only, as expected. Attempt to access any other bucket returns 403.

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Ceph » rgw

Custom queries

Bug #52706

With policy specifying invalid arn, users can list content of any bucket

Updated by Daniel Gryniewicz over 2 years ago

Updated by Daniel Iwan over 2 years ago

Updated by Matt Benjamin over 2 years ago

Updated by Matt Benjamin over 2 years ago

Updated by Matt Benjamin over 2 years ago

Updated by Casey Bodley over 2 years ago