Project

General

Profile

Bug #58167

No Authentication/Authorization for creating topics on RGW

Added by Ulrich Klein about 2 months ago. Updated 26 days ago.

Status:
Fix Under Review
Priority:
High
Target version:
-
% Done:

0%

Source:
Community (user)
Tags:
notification
Backport:
pacific quincy
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

I'm on a containerized Ceph 17.2.5 serving only RGW/S3 clients.

I'm experimenting with notifications for S3 buckets.
I got it working with notifications to HTTP endpoints.

What I did:

Create a topic:
$ cat create_topic.data
Action=CreateTopic
&Name=topictest2
&Attributes.entry.1.key=verify-ssl&Attributes.entry.1.value=false
&Attributes.entry.2.key=use-ssl&Attributes.entry.2.value=false
&Attributes.entry.3.key=OpaqueData&Attributes.entry.3.value=Hallodrio
&Attributes.entry.4.key=push-endpoint&Attributes.entry.4.value=http://helper.example.com/cgi-bin/topictest
&Attributes.entry.5.key=persistent&Attributes.entry.5.value=false
&Attributes.entry.6.key=cloudevents&Attributes.entry.6.value=false

$ curl -v --request POST 'https://rgw.example.com' --data @create_topic.data
<CreateTopicResponse xmlns="https://sns.amazonaws.com/doc/2010-03-31/"><CreateTopicResult><TopicArn>arn:aws:sns:<zonegroup>::topictest2</TopicArn></CreateTopicResult><ResponseMetadata><RequestId>f0904533-f4ed-4d60-886c-4125fcbed97b.4944109.3169009808426767767</RequestId></ResponseMetadata></CreateTopicResponse>

And then created a notification for some user, which I received ok via http.

What surprised me:
There was no authentication/authorization necessary at all to create the topic!
Any <...> could create a million topics that way, probably a nice DoS attack.

There should be a way to prevent that from happening, e.g. at least to only allow authenticated users to create topics.

History

#1 Updated by Yuval Lifshitz about 2 months ago

  • Tracker changed from Feature to Bug
  • Priority changed from Normal to High
  • Regression set to No
  • Severity set to 3 - minor
  • creating a topic by using curl without any user credential is a critical securuty issue.
  • since topics are global definitions, we should probably require special authorization for users that want ot create them

#2 Updated by Ulrich Klein about 2 months ago

In my example in the original comment the curl was run on a node inside the Ceph test cluster (of Apple M1 Max VMs).
I now tried a few more times to make sure it's not just something in the aarch64 env.

1. Run curl on a node inside the M1 Max cluster -> same result

2. Run curl on a node inside an x86 cluster -> same result

3. Run curl on a client outside the cluster (M1) -->
<Error><Code>MethodNotAllowed</Code><RequestId>tx00000ce1848ef805b079e-00638e225d-4b982b-max</RequestId><HostId>4b982b-max-maxzg</HostId></Error>

4. Run curl on a client outside the cluster (x64)--->
<Error><Code>MethodNotAllowed</Code><RequestId>tx0000047227d4836155e5f-00638e233f-a7053-zceph</RequestId><HostId>a7053-zceph-zcephzg</HostId></Error>

So, looks like the curl w/o authentication only works from inside the cluster, at least for me.

#3 Updated by lei cao about 2 months ago

https://github.com/ceph/ceph/pull/49297, i try a PR to avoid anonymous authentication when create topic.

#4 Updated by Casey Bodley about 2 months ago

  • Status changed from New to Fix Under Review
  • Tags set to notification
  • Backport set to pacific quincy
  • Pull request ID set to 49297

#5 Updated by Yuval Lifshitz about 2 months ago

  • Assignee set to Yuval Lifshitz

#6 Updated by Casey Bodley 26 days ago

  • Pull request ID changed from 49297 to 49335

Also available in: Atom PDF