Bug #52779
Deleting an object without specifying the version ID is allowed on S3 Object Lock
Status: Closed
Description
Ceph Octopus: 15.2.14
In a bucket with locking activated, we are able to delete an object whose retention has not expired when we don't specify a version ID in the delete command.
For example:
Object creation
$ aws --profile=s3-rec_tests3 --endpoint-url https://s3-rec s3api put-object --bucket tests3-worm --key tests3 --body tests3
{
    "ETag": "\"24b8e76c8fff12cdd16c23620bfc8930\"",
    "VersionId": "HTVTbx8NPhX7t10z1u4ZoZUW0-kkZKv"
}
Object retention
$ aws --profile=s3-rec_tests3 --endpoint-url https://s3-rec s3api get-object-retention --bucket tests3-worm --key tests3
{
    "Retention": {
        "Mode": "COMPLIANCE",
        "RetainUntilDate": "2021-10-06T13:07:09.625657+00:00"
    }
}
List object versions
$ aws --profile=s3-rec_tests3 --endpoint-url https://s3-rec s3api list-object-versions --bucket tests3-worm --key tests3
{
    "IsTruncated": false,
    "KeyMarker": "tests3",
    "VersionIdMarker": "",
    "Versions": [
        {
            "ETag": "\"24b8e76c8fff12cdd16c23620bfc8930\"",
            "Size": 555,
            "StorageClass": "STANDARD",
            "Key": "tests3",
            "VersionId": "HTVTbx8NPhX7t10z1u4ZoZUW0-kkZKv",
            "IsLatest": true,
            "LastModified": "2021-09-29T13:07:09.625000+00:00",
            "Owner": {
                "DisplayName": "test-s3",
                "ID": "TENANT$test-s3"
            }
        },
        {
            "ETag": "\"7fa92a0923a3eaaeb5328d5176923957\"",
            "Size": 530,
            "StorageClass": "STANDARD",
            "Key": "tests3",
            "VersionId": "IdsG9n6QV6t0yg4Yx.eHuweg-yOvyZz",
            "IsLatest": false,
            "LastModified": "2021-09-29T13:06:17.606000+00:00",
            "Owner": {
                "DisplayName": "test-s3",
                "ID": "TENANT$test-s3"
            }
        }
    ],
    "Name": "tests3-worm",
    "Prefix": "",
    "MaxKeys": 1000,
    "EncodingType": "url"
}
Object deletion (version id specified)
$ aws --profile=s3-rec_tests3 --endpoint-url https://s3-rec s3api delete-object --bucket tests3-worm --key tests3 --version-id=HTVTbx8NPhX7t10z1u4ZoZUW0-kkZKv
An error occurred (AccessDenied) when calling the DeleteObject operation: Unknown
Normal behavior: the deletion is not allowed.
Object deletion (version id not specified)
$ aws --profile=s3-rec_tests3 --endpoint-url https://s3-rec s3api delete-object --bucket tests3-worm --key tests3
{
    "DeleteMarker": true,
    "VersionId": "fuPtbOyFg6kUNxQUylbh9uWzKFEooIH"
}
The object is deleted.
List object versions after delete
$ aws --profile=s3-rec_tests3 --endpoint-url https://s3-rec s3api list-object-versions --bucket tests3-worm --key tests3
{
    "IsTruncated": false,
    "KeyMarker": "tests3",
    "VersionIdMarker": "",
    "Versions": [
        {
            "ETag": "\"24b8e76c8fff12cdd16c23620bfc8930\"",
            "Size": 555,
            "StorageClass": "STANDARD",
            "Key": "tests3",
            "VersionId": "HTVTbx8NPhX7t10z1u4ZoZUW0-kkZKv",
            "IsLatest": false,
            "LastModified": "2021-09-29T13:07:09.625000+00:00",
            "Owner": {
                "DisplayName": "test-s3",
                "ID": "TENANT$test-s3"
            }
        },
        {
            "ETag": "\"7fa92a0923a3eaaeb5328d5176923957\"",
            "Size": 530,
            "StorageClass": "STANDARD",
            "Key": "tests3",
            "VersionId": "IdsG9n6QV6t0yg4Yx.eHuweg-yOvyZz",
            "IsLatest": false,
            "LastModified": "2021-09-29T13:06:17.606000+00:00",
            "Owner": {
                "DisplayName": "test-s3",
                "ID": "TENANT$test-s3"
            }
        }
    ],
    "DeleteMarkers": [
        {
            "Owner": {
                "DisplayName": "test-s3",
                "ID": "TENANT$test-s3"
            },
            "Key": "tests3",
            "VersionId": "fuPtbOyFg6kUNxQUylbh9uWzKFEooIH",
            "IsLatest": true,
            "LastModified": "2021-09-29T13:10:12.100000+00:00"
        }
    ],
    "Name": "tests3-worm",
    "Prefix": "",
    "MaxKeys": 1000,
    "EncodingType": "url"
}
Since the deleted object is still available as an older version, the impact is moderate, but still: is this normal behavior?
Updated by Casey Bodley over 2 years ago
- Status changed from New to Closed
This is allowed by AWS S3. Please see https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-managing.html#object-lock-managing-lifecycle
Although you can't delete a protected object version, you can still create a delete marker for that object. Placing a delete marker on an object doesn't delete the object or its object versions.
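The practical consequence for an operator of a WORM bucket is that a key can look deleted while its retained versions are all still there behind a delete marker. The following added example (not part of the report or of Ceph) parses the `list-object-versions` output shape shown above and reports keys whose current entry is a delete marker but which still carry object versions; the listing is a constructed sample reusing the report's key and version IDs, with one extra unaffected key added.

```python
import json

# Constructed sample modelled on the report's list-object-versions output after the
# delete (same key and version IDs as the report; "report.pdf" is an added control key).
LISTING = json.loads("""
{
  "Versions": [
    {"Key": "tests3", "VersionId": "HTVTbx8NPhX7t10z1u4ZoZUW0-kkZKv", "IsLatest": false,
     "LastModified": "2021-09-29T13:07:09.625000+00:00"},
    {"Key": "tests3", "VersionId": "IdsG9n6QV6t0yg4Yx.eHuweg-yOvyZz", "IsLatest": false,
     "LastModified": "2021-09-29T13:06:17.606000+00:00"},
    {"Key": "report.pdf", "VersionId": "v1", "IsLatest": true,
     "LastModified": "2021-09-29T12:00:00.000000+00:00"}
  ],
  "DeleteMarkers": [
    {"Key": "tests3", "VersionId": "fuPtbOyFg6kUNxQUylbh9uWzKFEooIH", "IsLatest": true,
     "LastModified": "2021-09-29T13:10:12.100000+00:00"}
  ]
}
""")


def shadowed_versions(listing):
    """Map each key whose *current* entry is a delete marker to the object versions
    that still exist behind it, newest first. Keys whose current entry is a real
    object version (nothing hidden) are not reported."""
    hidden_keys = {m["Key"] for m in listing.get("DeleteMarkers", []) if m["IsLatest"]}
    shadowed = {}
    for v in listing.get("Versions", []):
        if v["Key"] in hidden_keys:
            shadowed.setdefault(v["Key"], []).append(v)
    # Newest surviving version first: that is the one a restore would bring back.
    return {
        key: [v["VersionId"] for v in sorted(vs, key=lambda v: v["LastModified"], reverse=True)]
        for key, vs in shadowed.items()
    }


def current_markers(listing):
    """Version IDs of the delete markers that currently hide a key, by key."""
    return {m["Key"]: m["VersionId"] for m in listing.get("DeleteMarkers", []) if m["IsLatest"]}


if __name__ == "__main__":
    for key, versions in shadowed_versions(LISTING).items():
        print(f"{key}: hidden by marker {current_markers(LISTING)[key]}, "
              f"{len(versions)} retained version(s), newest {versions[0]}")
```

Run against a real listing by replacing `LISTING` with the parsed output of `aws s3api list-object-versions`; a non-empty result is the "deleted but still retained" state the report describes, and the newest listed version ID is the one to inspect with `get-object-retention`.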