Bug #53428
Access Denied for read subuser during s3GetLifecycleConfiguration
Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
% Done: 0%
Source:
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):
Description
When a user tries to get information about a bucket, they get:
$ s3cmd -c ro-s3.cfg info s3://bucket
s3://bucket/ (bucket):
Location: default
Payer: BucketOwner
ERROR: Access to bucket 'bucket' was denied
ERROR: S3 error: 403 (AccessDenied)
From the logs, the last call is s3GetLifecycleConfiguration, which requires RGW_PERM_READ_ACP.
The user used to get the information was created with the command:
radosgw-admin subuser create --uid=user1 --subuser=user1:userro --access=read
{
    "user_id": "user1",
    "display_name": "user1",
    "email": "",
    "suspended": 0,
    "max_buckets": 0,
    "subusers": [
        { "id": "user1:userro", "permissions": "read" }
    ],
    "keys": [
        { "user": "user1:userro", "access_key": "xx", "secret_key": "xx" },
        { "user": "user1", "access_key": "xx", "secret_key": "xx" }
    ],
    "swift_keys": [
        { "user": "user1:userro", "secret_key": "xxxx" }
    ],
    "caps": [],
    "op_mask": "read, write, delete",
    "default_placement": "",
    "default_storage_class": "",
    "placement_tags": [],
    "bucket_quota": {
        "enabled": false,
        "check_on_raw": false,
        "max_size": -1,
        "max_size_kb": 0,
        "max_objects": -1
    },
    "user_quota": {
        "enabled": false,
        "check_on_raw": false,
        "max_size": -1,
        "max_size_kb": 0,
        "max_objects": -1
    },
    "temp_url_keys": [],
    "type": "rgw",
    "mfa_ids": []
}
2021-11-29 20:33:44.293 7f00aba8f700 15 req 5 0.000s s3:get_lifecycle server signature=7a79aa1c413e6a7539f016e5ef50520d2d73d7e4f3b86c576ab6d7c83f17d741
2021-11-29 20:33:44.293 7f00aba8f700 15 req 5 0.000s s3:get_lifecycle client signature=7a79aa1c413e6a7539f016e5ef50520d2d73d7e4f3b86c576ab6d7c83f17d741
2021-11-29 20:33:44.293 7f00aba8f700 15 req 5 0.000s s3:get_lifecycle compare=0
2021-11-29 20:33:44.293 7f00aba8f700 20 req 5 0.000s s3:get_lifecycle rgw::auth::s3::LocalEngine granted access
2021-11-29 20:33:44.293 7f00aba8f700 20 req 5 0.000s s3:get_lifecycle rgw::auth::s3::AWSAuthStrategy granted access
2021-11-29 20:33:44.293 7f00aba8f700 2 req 5 0.000s s3:get_lifecycle normalizing buckets and tenants
2021-11-29 20:33:44.293 7f00aba8f700 10 s->object=<NULL> s->bucket=bucket
2021-11-29 20:33:44.293 7f00aba8f700 2 req 5 0.000s s3:get_lifecycle init permissions
2021-11-29 20:33:44.293 7f00aba8f700 15 decode_policy Read AccessControlPolicy<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>user1</ID><DisplayName>user1</DisplayName></Owner><AccessControlList><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>user1</ID><DisplayName>user1</DisplayName></Grantee><Permission>FULL_CONTROL</Permission></Grant></AccessControlList></AccessControlPolicy>
2021-11-29 20:33:44.293 7f00aba8f700 20 get_system_obj_state: rctx=0x7f00e9e82050 obj=default.rgw.meta:users.uid:user1 state=0x5586729817a0 s->prefetch_data=0
2021-11-29 20:33:44.293 7f00aba8f700 10 cache get: name=default.rgw.meta+users.uid+user1 : hit (requested=0x6, cached=0x17)
2021-11-29 20:33:44.293 7f00aba8f700 20 get_system_obj_state: s->obj_tag was set empty
2021-11-29 20:33:44.293 7f00aba8f700 20 Read xattr: user.rgw.idtag
2021-11-29 20:33:44.293 7f00aba8f700 2 req 5 0.000s s3:get_lifecycle recalculating target
2021-11-29 20:33:44.293 7f00aba8f700 2 req 5 0.000s s3:get_lifecycle reading permissions
2021-11-29 20:33:44.293 7f00aba8f700 2 req 5 0.000s s3:get_lifecycle init op
2021-11-29 20:33:44.293 7f00aba8f700 2 req 5 0.000s s3:get_lifecycle verifying op mask
2021-11-29 20:33:44.293 7f00aba8f700 20 req 5 0.000s s3:get_lifecycle required_mask= 1 user.op_mask=7
2021-11-29 20:33:44.293 7f00aba8f700 2 req 5 0.000s s3:get_lifecycle verifying op permissions
2021-11-29 20:33:44.293 7f00aba8f700 20 op->ERRORHANDLER: err_no=-13 new_err_no=-13
2021-11-29 20:33:44.293 7f00aba8f700 30 AccountingFilter::send_status: e=0, sent=24, total=0
2021-11-29 20:33:44.293 7f00aba8f700 30 AccountingFilter::send_header: e=0, sent=0, total=0
2021-11-29 20:33:44.293 7f00aba8f700 30 AccountingFilter::send_content_length: e=0, sent=21, total=0
2021-11-29 20:33:44.293 7f00aba8f700 30 AccountingFilter::send_header: e=0, sent=0, total=0
2021-11-29 20:33:44.293 7f00aba8f700 30 AccountingFilter::send_header: e=0, sent=0, total=0
2021-11-29 20:33:44.293 7f00aba8f700 30 AccountingFilter::complete_header: e=0, sent=185, total=0
2021-11-29 20:33:44.293 7f00aba8f700 30 AccountingFilter::set_account: e=1
2021-11-29 20:33:44.293 7f00aba8f700 30 AccountingFilter::send_body: e=1, sent=231, total=0
2021-11-29 20:33:44.293 7f00aba8f700 30 AccountingFilter::complete_request: e=1, sent=0, total=231
2021-11-29 20:33:44.293 7f00aba8f700 2 req 5 0.000s s3:get_lifecycle op status=0
2021-11-29 20:33:44.293 7f00aba8f700 2 req 5 0.000s s3:get_lifecycle http status=403
2021-11-29 20:33:44.293 7f00aba8f700 1 ====== req done req=0x7f00e9e84770 op status=0 http_status=403 latency=0s ======
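A triage sketch for the log above, added here as an example and not part of the original report or of Ceph: it parses RGW debug lines for a request and names the stage that produced the 403. The function names `triage` and `classify` are hypothetical, and the sample lines are a subset copied from the report's log.

```python
import re

# Lines copied from the request-5 log in the report above (a subset, not the full trace).
SAMPLE_LOG = """\
2021-11-29 20:33:44.293 7f00aba8f700 20 req 5 0.000s s3:get_lifecycle rgw::auth::s3::AWSAuthStrategy granted access
2021-11-29 20:33:44.293 7f00aba8f700 20 req 5 0.000s s3:get_lifecycle required_mask= 1 user.op_mask=7
2021-11-29 20:33:44.293 7f00aba8f700 2 req 5 0.000s s3:get_lifecycle verifying op permissions
2021-11-29 20:33:44.293 7f00aba8f700 20 op->ERRORHANDLER: err_no=-13 new_err_no=-13
2021-11-29 20:33:44.293 7f00aba8f700 2 req 5 0.000s s3:get_lifecycle http status=403
"""

REQ = re.compile(r"^\S+ \S+ (?P<tid>\S+)\s+\d+ req (?P<req>\d+) \S+ (?P<op>\S+:\S+) (?P<msg>.*)$")
ERR = re.compile(r"^\S+ \S+ (?P<tid>\S+)\s+\d+ op->ERRORHANDLER: err_no=(?P<err>-?\d+)")
MASK = re.compile(r"required_mask=\s*(\d+) user\.op_mask=(\d+)")

def triage(log_text):
    """Return one summary dict per (thread, request) seen in RGW debug output."""
    reqs, by_thread = {}, {}
    for line in log_text.splitlines():
        if m := REQ.match(line):
            r = reqs.setdefault((m["tid"], m["req"]), {
                "op": m["op"], "authenticated": False, "op_mask_ok": None,
                "stage": None, "err_no": None, "http_status": None})
            by_thread[m["tid"]] = r
            msg = m["msg"]
            if "granted access" in msg:
                r["authenticated"] = True
            elif mm := MASK.search(msg):
                required, allowed = int(mm[1]), int(mm[2])
                r["op_mask_ok"] = (required & allowed) == required
            elif msg.startswith("http status="):
                r["http_status"] = int(msg.split("=", 1)[1])
            elif msg.startswith("verifying ") and r["err_no"] is None:
                r["stage"] = msg  # last check entered before any error
        elif (e := ERR.match(line)) and e["tid"] in by_thread:
            # ERRORHANDLER lines carry no request id; attribute them by thread.
            by_thread[e["tid"]]["err_no"] = int(e["err"])
    return list(reqs.values())

def classify(r):
    """Name the stage that produced a 403, from the fields triage() collected."""
    if r["http_status"] != 403:
        return "not denied"
    if not r["authenticated"]:
        return "authentication failed"
    if r["op_mask_ok"] is False:
        return "blocked by user op_mask"
    if r["err_no"] == -13 and r["stage"] == "verifying op permissions":
        return "denied at permission check"  # -13 is -EACCES
    return "denied, cause unclear"
```

On the sample lines it reports authentication and the op_mask check as passed and places the denial at "verifying op permissions", which matches the report's reading of the log.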