Bug #58167
No Authentication/Authorization for creating topics on RGW
Status: open
Description
I'm on a containerized Ceph 17.2.5 serving only RGW/S3 clients.
I'm experimenting with notifications for S3 buckets.
I got it working with notifications to HTTP endpoints.
What I did:
Create a topic:
$ cat create_topic.data
Action=CreateTopic
&Name=topictest2
&Attributes.entry.1.key=verify-ssl&Attributes.entry.1.value=false
&Attributes.entry.2.key=use-ssl&Attributes.entry.2.value=false
&Attributes.entry.3.key=OpaqueData&Attributes.entry.3.value=Hallodrio
&Attributes.entry.4.key=push-endpoint&Attributes.entry.4.value=http://helper.example.com/cgi-bin/topictest
&Attributes.entry.5.key=persistent&Attributes.entry.5.value=false
&Attributes.entry.6.key=cloudevents&Attributes.entry.6.value=false
$ curl -v --request POST 'https://rgw.example.com' --data @create_topic.data
<CreateTopicResponse xmlns="https://sns.amazonaws.com/doc/2010-03-31/"><CreateTopicResult><TopicArn>arn:aws:sns:<zonegroup>::topictest2</TopicArn></CreateTopicResult><ResponseMetadata><RequestId>f0904533-f4ed-4d60-886c-4125fcbed97b.4944109.3169009808426767767</RequestId></ResponseMetadata></CreateTopicResponse>
And then created a notification for some user, which I received ok via http.
What surprised me:
There was no authentication/authorization necessary at all to create the topic!
Any <...> could create a million topics that way, probably a nice DoS attack.
There should be a way to prevent that from happening, e.g. at least to only allow authenticated users to create topics.
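A small verifier for the situation described in this report, added here as an example; it is not part of the tracker issue or of Ceph's own code. It issues the same unsigned CreateTopic POST as create_topic.data and classifies the XML that comes back: a CreateTopicResponse means anonymous topic creation is still accepted, an Error with an access-denied style code means it is refused, and any other Error (such as the MethodNotAllowed seen from outside the cluster in a later comment) is treated as inconclusive because the request never reached the topic handler. The host names, the topic name, the exact error code a patched RGW returns, and the sample responses (the report's `<zonegroup>` placeholder replaced by a constructed "default") are assumptions, not values taken from the page.

```python
"""Check whether an RGW endpoint accepts an unsigned CreateTopic request.

Added example, not Ceph code. The request is deliberately unsigned: the point
of the check is that a correctly configured RGW must refuse it.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

SNS_NS = "{https://sns.amazonaws.com/doc/2010-03-31/}"

# Error codes taken to mean "authentication was enforced" (assumption: the
# exact code a patched RGW returns may differ; extend the list if needed).
AUTH_ERROR_CODES = ("AccessDenied", "InvalidAccessKeyId", "SignatureDoesNotMatch")

# Constructed sample replies, modelled on the ones quoted in this ticket.
SAMPLE_RESPONSES: Dict[str, bytes] = {
    "created": (
        b'<CreateTopicResponse xmlns="https://sns.amazonaws.com/doc/2010-03-31/">'
        b"<CreateTopicResult><TopicArn>arn:aws:sns:default::topictest2</TopicArn>"
        b"</CreateTopicResult><ResponseMetadata><RequestId>req-1</RequestId>"
        b"</ResponseMetadata></CreateTopicResponse>"
    ),
    "denied": b"<Error><Code>AccessDenied</Code><RequestId>tx1</RequestId></Error>",
    "method_not_allowed": (
        b"<Error><Code>MethodNotAllowed</Code><RequestId>tx2</RequestId>"
        b"<HostId>host-zg</HostId></Error>"
    ),
    "garbage": b"<html>not an RGW reply</html>",
}


def build_create_topic_body(name: str, push_endpoint: str) -> bytes:
    """Form-encode the same fields as create_topic.data in the report."""
    attrs = [
        ("push-endpoint", push_endpoint),
        ("persistent", "false"),
        ("verify-ssl", "false"),
        ("use-ssl", "false"),
    ]
    fields = [("Action", "CreateTopic"), ("Name", name)]
    for i, (key, value) in enumerate(attrs, start=1):
        fields.append((f"Attributes.entry.{i}.key", key))
        fields.append((f"Attributes.entry.{i}.value", value))
    return urllib.parse.urlencode(fields).encode()


def classify_response(body: bytes) -> Tuple[str, str]:
    """Return (verdict, detail) for an RGW reply body.

    vulnerable   - CreateTopicResponse: the unsigned request created a topic
    rejected     - <Error> with an auth-related code
    inconclusive - any other <Error>: request did not reach the topic handler
    unparseable  - not XML / not an SNS-style reply
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ("unparseable", "")
    tag = root.tag.replace(SNS_NS, "")
    if tag == "CreateTopicResponse":
        arn = root.findtext(f"{SNS_NS}CreateTopicResult/{SNS_NS}TopicArn") or ""
        return ("vulnerable", arn)
    if tag == "Error":
        code = root.findtext("Code") or ""
        return ("rejected" if code in AUTH_ERROR_CODES else "inconclusive", code)
    return ("unparseable", "")


def classify_samples() -> Dict[str, Tuple[str, str]]:
    """Run the classifier over the embedded samples (offline self-check)."""
    return {name: classify_response(body) for name, body in SAMPLE_RESPONSES.items()}


def probe(rgw_url: str, name: str, push_endpoint: str, timeout: float = 10.0) -> Tuple[str, str]:
    """POST the unsigned request and classify the reply, whether 2xx or 4xx."""
    req = urllib.request.Request(
        rgw_url,
        data=build_create_topic_body(name, push_endpoint),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.read())
    except urllib.error.HTTPError as err:
        return classify_response(err.read())


if __name__ == "__main__":
    # Hypothetical endpoint and topic name; pass your own RGW URL as argv[1].
    url = sys.argv[1] if len(sys.argv) > 1 else "https://rgw.example.com"
    verdict, detail = probe(url, "authcheck-topic", "http://helper.example.com/cgi-bin/topictest")
    print(f"{url}: {verdict} {detail}".rstrip())
```

Run it from the same network position as the clients that matter (the comments below show the answer differs between inside and outside the cluster). If the verdict is "vulnerable", the probe has actually created a topic, so delete it afterwards with authenticated credentials.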
Updated by Yuval Lifshitz over 1 year ago
- Tracker changed from Feature to Bug
- Priority changed from Normal to High
- Regression set to No
- Severity set to 3 - minor
- Creating a topic by using curl without any user credentials is a critical security issue.
- Since topics are global definitions, we should probably require special authorization for users that want to create them.
Updated by Ulrich Klein over 1 year ago
In my example in the original comment the curl was run on a node inside the Ceph test cluster (of Apple M1 Max VMs).
I now tried a few more times to make sure it's not just something in the aarch64 env.
1. Run curl on a node inside the M1 Max cluster -> same result
2. Run curl on a node inside an x86 cluster -> same result
3. Run curl on a client outside the cluster (M1) ->
<Error><Code>MethodNotAllowed</Code><RequestId>tx00000ce1848ef805b079e-00638e225d-4b982b-max</RequestId><HostId>4b982b-max-maxzg</HostId></Error>
4. Run curl on a client outside the cluster (x64) ->
<Error><Code>MethodNotAllowed</Code><RequestId>tx0000047227d4836155e5f-00638e233f-a7053-zceph</RequestId><HostId>a7053-zceph-zcephzg</HostId></Error>
So it looks like the curl without authentication only works from inside the cluster, at least for me.
Updated by lei cao over 1 year ago
https://github.com/ceph/ceph/pull/49297: I tried a PR to avoid anonymous authentication when creating a topic.
Updated by Casey Bodley over 1 year ago
- Status changed from New to Fix Under Review
- Tags set to notification
- Backport set to pacific quincy
- Pull request ID set to 49297
Updated by Casey Bodley over 1 year ago
- Pull request ID changed from 49297 to 49335
Updated by Casey Bodley about 1 year ago
- Status changed from Fix Under Review to Pending Backport
Updated by Backport Bot about 1 year ago
- Copied to Backport #58905: pacific: No Authentication/Authorization for creating topics on RGW added
Updated by Backport Bot about 1 year ago
- Copied to Backport #58906: quincy: No Authentication/Authorization for creating topics on RGW added
Updated by Backport Bot about 1 year ago
- Tags changed from notification to notification backport_processed
Updated by Casey Bodley 6 months ago
@Yuval this is a high-priority bug fix, but we never backported it to pacific or quincy. could you please prepare those, or close the backport trackers as 'rejected' if you don't think they're needed?