Bug #53423

open

Calling list_buckets after assuming a role lists all my buckets, not their buckets

Added by Sam Mesterton-Gibbons over 2 years ago. Updated over 2 years ago.

Status: Triaged
Priority: Normal
Target version: -
% Done: 0%
Regression: No
Severity: 3 - minor

Description

Hi,

I've been testing out the AssumeRole example in https://docs.ceph.com/en/latest/radosgw/STS/#examples and it seems calling the list_buckets() method on the S3 client returns a list of my buckets, rather than the buckets in the project I assumed a role in.

Using the example given on that page, after substituting in relevant credentials for two different users I see a listing of buckets for the TESTER1 user, rather than the expected list of buckets for the TESTER user. (In my case this is actually two OpenStack projects, with the Principal changed to `arn:aws:iam::${PROJECT_ID}:root`).

Otherwise assuming a role works as expected - for example calling `list_objects_v2` on a bucket lists objects in buckets owned by TESTER, but not buckets owned by TESTER1.

I've also tried this on AWS with two accounts, and it works as you'd expect: I see a list of buckets in the resource owner's (e.g. TESTER) account, not the resource accessor (e.g. TESTER1) account.

I'm using Ceph Pacific 16.2.6, integrated with OpenStack Wallaby.

Cheers


Files

sts-docs-example-redacted.py (2.08 KB): STS example adapted for Keystone usage, with credentials removed. Sam Mesterton-Gibbons, 12/01/2021 11:27 AM
bucket_list_match.log (26.7 KB): Log output from running sts-docs-example-redacted.py. Sam Mesterton-Gibbons, 12/01/2021 11:28 AM
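Added example (not part of the original report, its attachments, or the Ceph project): a check for the behaviour described above, given the `list_buckets()` response obtained with the caller's own credentials and the one obtained with the assumed-role credentials. The function names, bucket names and sample responses are constructed, and the set of buckets owned by the role owner is assumed to be known from the role owner's side.

```python
# Added example: classify a ListBuckets result obtained with assumed-role
# credentials. Inputs are boto3-style response dicts, i.e. what
# s3client.list_buckets() returns. All names and sample data are constructed.


def bucket_names(resp):
    """Return the set of bucket names in a ListBuckets response dict."""
    return {b["Name"] for b in resp.get("Buckets", [])}


def classify_assumed_listing(caller_resp, assumed_resp, role_owner_buckets):
    """Compare the assumed-role listing against both identities.

    caller_resp        -- list_buckets() with the caller's own keys (TESTER1)
    assumed_resp       -- list_buckets() with the AssumeRole session keys
    role_owner_buckets -- names known to belong to the role owner (TESTER)
    """
    caller = bucket_names(caller_resp)
    assumed = bucket_names(assumed_resp)
    expected = set(role_owner_buckets)

    # Buckets of the caller that show up in the assumed-role listing.
    leaked = sorted((assumed & caller) - expected)
    # Buckets of the role owner that the assumed-role listing omits.
    missing = sorted(expected - assumed)

    if not leaked and not missing:
        verdict = "role-owner"   # listing follows the assumed role
    elif leaked and assumed == caller:
        verdict = "caller"       # behaviour described in this report
    else:
        verdict = "unexpected"   # partial or empty listing, needs a closer look
    return {"verdict": verdict, "leaked": leaked, "missing": missing}


# Constructed sample responses (only the keys the check reads).
CALLER_OWN = {"Buckets": [{"Name": "tester1-logs"}, {"Name": "tester1-scratch"}]}
ASSUMED_REPORTED = {"Buckets": [{"Name": "tester1-logs"}, {"Name": "tester1-scratch"}]}
ASSUMED_EXPECTED = {"Buckets": [{"Name": "tester-data"}]}
ROLE_OWNER_BUCKETS = {"tester-data"}

if __name__ == "__main__":
    for label, resp in (("reported", ASSUMED_REPORTED), ("expected", ASSUMED_EXPECTED)):
        print(label, classify_assumed_listing(CALLER_OWN, resp, ROLE_OWNER_BUCKETS))
```

Run against a live gateway by passing the two real `list_buckets()` responses in place of the constructed dicts.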