Bug #53428

open

Access Denied for read subuser during s3GetLifecycleConfiguration

Added by Rafal Wadolowski over 2 years ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
% Done: 0%
Regression: No
Severity: 3 - minor

Description

When a user tries to get information about a bucket, they get:

$ s3cmd -c ro-s3.cfg info s3://bucket
s3://bucket/ (bucket):
Location: default
Payer: BucketOwner
ERROR: Access to bucket 'bucket' was denied
ERROR: S3 error: 403 (AccessDenied)

From the logs, the last call is s3GetLifecycleConfiguration, which requires RGW_PERM_READ_ACP.

The user used to get the information is created with the command:
radosgw-admin subuser create --uid=user1 --subuser=user1:userro --access=read

{
    "user_id": "user1",
    "display_name": "user1",
    "email": "",
    "suspended": 0,
    "max_buckets": 0,
    "subusers": [
        {
            "id": "user1:userro",
            "permissions": "read" 
        }
    ],
    "keys": [
        {
            "user": "user1:userro",
            "access_key": "xx",
            "secret_key": "xx" 
        },
        {
            "user": "user1",
            "access_key": "xx",
            "secret_key": "xx" 
        }
    ],
    "swift_keys": [
        {
            "user": "user1:userro",
            "secret_key": "xxxx" 
        }
    ],
    "caps": [],
    "op_mask": "read, write, delete",
    "default_placement": "",
    "default_storage_class": "",
    "placement_tags": [],
    "bucket_quota": {
        "enabled": false,
        "check_on_raw": false,
        "max_size": -1,
        "max_size_kb": 0,
        "max_objects": -1
    },
    "user_quota": {
        "enabled": false,
        "check_on_raw": false,
        "max_size": -1,
        "max_size_kb": 0,
        "max_objects": -1
    },
    "temp_url_keys": [],
    "type": "rgw",
    "mfa_ids": []
}

2021-11-29 20:33:44.293 7f00aba8f700 15 req 5 0.000s s3:get_lifecycle server signature=7a79aa1c413e6a7539f016e5ef50520d2d73d7e4f3b86c576ab6d7c83f17d741
2021-11-29 20:33:44.293 7f00aba8f700 15 req 5 0.000s s3:get_lifecycle client signature=7a79aa1c413e6a7539f016e5ef50520d2d73d7e4f3b86c576ab6d7c83f17d741
2021-11-29 20:33:44.293 7f00aba8f700 15 req 5 0.000s s3:get_lifecycle compare=0
2021-11-29 20:33:44.293 7f00aba8f700 20 req 5 0.000s s3:get_lifecycle rgw::auth::s3::LocalEngine granted access
2021-11-29 20:33:44.293 7f00aba8f700 20 req 5 0.000s s3:get_lifecycle rgw::auth::s3::AWSAuthStrategy granted access
2021-11-29 20:33:44.293 7f00aba8f700  2 req 5 0.000s s3:get_lifecycle normalizing buckets and tenants
2021-11-29 20:33:44.293 7f00aba8f700 10 s->object=<NULL> s->bucket=bucket
2021-11-29 20:33:44.293 7f00aba8f700  2 req 5 0.000s s3:get_lifecycle init permissions
2021-11-29 20:33:44.293 7f00aba8f700 15 decode_policy Read AccessControlPolicy<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>user1</ID><DisplayName>user1</DisplayName></Owner><AccessControlList><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>user1</ID><DisplayName>user1</DisplayName></Grantee><Permission>FULL_CONTROL</Permission></Grant></AccessControlList></AccessControlPolicy>
2021-11-29 20:33:44.293 7f00aba8f700 20 get_system_obj_state: rctx=0x7f00e9e82050 obj=default.rgw.meta:users.uid:user1 state=0x5586729817a0 s->prefetch_data=0
2021-11-29 20:33:44.293 7f00aba8f700 10 cache get: name=default.rgw.meta+users.uid+user1 : hit (requested=0x6, cached=0x17)
2021-11-29 20:33:44.293 7f00aba8f700 20 get_system_obj_state: s->obj_tag was set empty
2021-11-29 20:33:44.293 7f00aba8f700 20 Read xattr: user.rgw.idtag
2021-11-29 20:33:44.293 7f00aba8f700  2 req 5 0.000s s3:get_lifecycle recalculating target
2021-11-29 20:33:44.293 7f00aba8f700  2 req 5 0.000s s3:get_lifecycle reading permissions
2021-11-29 20:33:44.293 7f00aba8f700  2 req 5 0.000s s3:get_lifecycle init op
2021-11-29 20:33:44.293 7f00aba8f700  2 req 5 0.000s s3:get_lifecycle verifying op mask
2021-11-29 20:33:44.293 7f00aba8f700 20 req 5 0.000s s3:get_lifecycle required_mask= 1 user.op_mask=7
2021-11-29 20:33:44.293 7f00aba8f700  2 req 5 0.000s s3:get_lifecycle verifying op permissions
2021-11-29 20:33:44.293 7f00aba8f700 20 op->ERRORHANDLER: err_no=-13 new_err_no=-13
2021-11-29 20:33:44.293 7f00aba8f700 30 AccountingFilter::send_status: e=0, sent=24, total=0
2021-11-29 20:33:44.293 7f00aba8f700 30 AccountingFilter::send_header: e=0, sent=0, total=0
2021-11-29 20:33:44.293 7f00aba8f700 30 AccountingFilter::send_content_length: e=0, sent=21, total=0
2021-11-29 20:33:44.293 7f00aba8f700 30 AccountingFilter::send_header: e=0, sent=0, total=0
2021-11-29 20:33:44.293 7f00aba8f700 30 AccountingFilter::send_header: e=0, sent=0, total=0
2021-11-29 20:33:44.293 7f00aba8f700 30 AccountingFilter::complete_header: e=0, sent=185, total=0
2021-11-29 20:33:44.293 7f00aba8f700 30 AccountingFilter::set_account: e=1
2021-11-29 20:33:44.293 7f00aba8f700 30 AccountingFilter::send_body: e=1, sent=231, total=0
2021-11-29 20:33:44.293 7f00aba8f700 30 AccountingFilter::complete_request: e=1, sent=0, total=231
2021-11-29 20:33:44.293 7f00aba8f700  2 req 5 0.000s s3:get_lifecycle op status=0
2021-11-29 20:33:44.293 7f00aba8f700  2 req 5 0.000s s3:get_lifecycle http status=403
2021-11-29 20:33:44.293 7f00aba8f700  1 ====== req done req=0x7f00e9e84770 op status=0 http_status=403 latency=0s ======
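A triage sketch for logs like the one above, added here as an example; it is not part of the original report or of Ceph. It reports, for each request that ended in HTTP 403, which stage was logged last and whether the op mask check had passed. The function name `denied_requests` is hypothetical, level-2 `req` lines are assumed to be stage markers as they are in this log, and the `ERRORHANDLER` line is attributed to the last request seen on the same thread id.

```python
import re

# The first six lines are copied from the log in this report; the two "req 6"
# lines are constructed here to show a request that is not flagged.
SAMPLE_LOG = """\
2021-11-29 20:33:44.293 7f00aba8f700 20 req 5 0.000s s3:get_lifecycle rgw::auth::s3::AWSAuthStrategy granted access
2021-11-29 20:33:44.293 7f00aba8f700  2 req 5 0.000s s3:get_lifecycle verifying op mask
2021-11-29 20:33:44.293 7f00aba8f700 20 req 5 0.000s s3:get_lifecycle required_mask= 1 user.op_mask=7
2021-11-29 20:33:44.293 7f00aba8f700  2 req 5 0.000s s3:get_lifecycle verifying op permissions
2021-11-29 20:33:44.293 7f00aba8f700 20 op->ERRORHANDLER: err_no=-13 new_err_no=-13
2021-11-29 20:33:44.293 7f00aba8f700  2 req 5 0.000s s3:get_lifecycle http status=403
2021-11-29 20:33:44.300 7f00aba8f700  2 req 6 0.000s s3:get_obj verifying op permissions
2021-11-29 20:33:44.300 7f00aba8f700  2 req 6 0.000s s3:get_obj http status=200
"""

# Assumed layout, as in the log above: date, time, thread id, level, then message.
REQ = re.compile(r"^\S+ \S+ (?P<tid>[0-9a-f]+)\s+(?P<lvl>\d+) req (?P<req>\d+) "
                 r"\S+ (?P<op>\S+) (?P<msg>.*)$")
ERR = re.compile(r"^\S+ \S+ (?P<tid>[0-9a-f]+)\s+\d+ op->ERRORHANDLER: err_no=(?P<err>-?\d+)")
MASK = re.compile(r"required_mask=\s*(\d+) user\.op_mask=(\d+)")
STATUS = re.compile(r"http status=(\d+)")

def denied_requests(log_text):
    """Return one summary dict per request that ended in HTTP 403."""
    reqs, by_thread = {}, {}
    for line in log_text.splitlines():
        m = REQ.match(line)
        if m:
            r = reqs.setdefault(m["req"], {"req": m["req"], "op": m["op"], "stage": None,
                                           "op_mask_ok": None, "err_no": None,
                                           "http_status": None})
            by_thread[m["tid"]] = r  # remember which request this thread is serving
            msg = m["msg"]
            mask, status = MASK.search(msg), STATUS.match(msg)
            if mask:  # the op mask check passes when every required bit is set
                required, granted = int(mask[1]), int(mask[2])
                r["op_mask_ok"] = (required & granted) == required
            elif status:
                r["http_status"] = int(status[1])
            elif int(m["lvl"]) == 2 and not msg.startswith("op status="):
                r["stage"] = msg  # last stage marker seen before the response
            continue
        e = ERR.match(line)
        if e and e["tid"] in by_thread:  # this line carries no request id
            by_thread[e["tid"]]["err_no"] = int(e["err"])  # -13 is -EACCES
    return [r for r in reqs.values() if r["http_status"] == 403]
```

For the log in this report, the summary shows a passed op mask check followed by a denial at "verifying op permissions", which places the 403 in the permission check rather than in authentication or the op mask.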
