Bug #58167

No Authentication/Authorization for creating topics on RGW

Added by Ulrich Klein about 2 months ago. Updated 26 days ago.

Status: Fix Under Review
Target version:
% Done:

Source: Community (user)
Backport: pacific quincy
Severity: 3 - minor
Affected Versions:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

I'm on a containerized Ceph 17.2.5 serving only RGW/S3 clients.

I'm experimenting with notifications for S3 buckets.
I got it working with notifications to HTTP endpoints.

What I did:

Create a topic:
$ cat

$ curl -v --request POST '' --data
<CreateTopicResponse xmlns=""><CreateTopicResult><TopicArn>arn:aws:sns:<zonegroup>::topictest2</TopicArn></CreateTopicResult><ResponseMetadata><RequestId>f0904533-f4ed-4d60-886c-4125fcbed97b.4944109.3169009808426767767</RequestId></ResponseMetadata></CreateTopicResponse>

And then created a notification for some user, which I received ok via http.

What surprised me:
There was no authentication/authorization necessary at all to create the topic!
Any <...> could create a million topics that way, probably a nice DoS attack.

There should be a way to prevent that from happening, e.g. at least to only allow authenticated users to create topics.
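A small self-check for operators, added here and not part of the report or of Ceph: it sends one unsigned CreateTopic to an RGW endpoint (the SNS-style `Action=CreateTopic&Name=...` form RGW documents for its pubsub REST API, assumed here) and reports whether the endpoint still accepts it without credentials; the endpoint URL and topic name are placeholders.

```python
"""Check whether an RGW endpoint accepts an anonymous CreateTopic (added example)."""
import re
import urllib.error
import urllib.parse
import urllib.request

VULNERABLE = "VULNERABLE"   # topic created with no credentials at all
HARDENED = "HARDENED"       # request rejected for lack of authentication
UNKNOWN = "UNKNOWN"         # something else (TLS error, 5xx, wrong URL, ...)


def classify(status, body):
    """Interpret the response to an unsigned CreateTopic.

    A 200 carrying a <TopicArn> means the topic was created anonymously,
    which is the behaviour this bug describes.  401/403 is the expected
    post-fix behaviour.  Returns (verdict, topic_arn_or_None).
    """
    if status == 200 and "<TopicArn>" in body:
        arn = re.search(r"<TopicArn>([^<]+)</TopicArn>", body).group(1)
        return VULNERABLE, arn
    if status in (401, 403):
        return HARDENED, None
    return UNKNOWN, None


def check_anonymous_create_topic(endpoint, topic_name, timeout=10):
    """POST Action=CreateTopic with no Authorization header and classify it."""
    data = urllib.parse.urlencode({"Action": "CreateTopic", "Name": topic_name}).encode()
    req = urllib.request.Request(endpoint, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode())


# Constructed sample body, same shape as the CreateTopicResponse quoted above.
SAMPLE_CREATED = (
    '<CreateTopicResponse xmlns=""><CreateTopicResult><TopicArn>'
    "arn:aws:sns:zg1::topictest2</TopicArn></CreateTopicResult>"
    "<ResponseMetadata><RequestId>constructed-id</RequestId></ResponseMetadata>"
    "</CreateTopicResponse>"
)

if __name__ == "__main__":
    import sys  # usage: python check.py http://RGW-ENDPOINT-PLACEHOLDER
    verdict, arn = check_anonymous_create_topic(sys.argv[1], "anon-check-topic")
    print(verdict, arn or "")
```

A VULNERABLE verdict means the check itself created the topic, so delete it afterwards; since comment #2 reports different results from inside and outside the cluster, run the check from both locations.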


#1 Updated by Yuval Lifshitz about 2 months ago

  • Tracker changed from Feature to Bug
  • Priority changed from Normal to High
  • Regression set to No
  • Severity set to 3 - minor

Creating a topic by using curl without any user credential is a critical security issue.
Since topics are global definitions, we should probably require special authorization for users that want to create them.

#2 Updated by Ulrich Klein about 2 months ago

In my example in the original comment the curl was run on a node inside the Ceph test cluster (of Apple M1 Max VMs).
I now tried a few more times to make sure it's not just something in the aarch64 env.

1. Run curl on a node inside the M1 Max cluster -> same result

2. Run curl on a node inside an x86 cluster -> same result

3. Run curl on a client outside the cluster (M1) -->

4. Run curl on a client outside the cluster (x64) -->

So, looks like the curl w/o authentication only works from inside the cluster, at least for me.

#3 Updated by lei cao about 2 months ago

I tried a PR to avoid anonymous authentication when creating a topic.

#4 Updated by Casey Bodley about 2 months ago

  • Status changed from New to Fix Under Review
  • Tags set to notification
  • Backport set to pacific quincy
  • Pull request ID set to 49297

#5 Updated by Yuval Lifshitz about 2 months ago

  • Assignee set to Yuval Lifshitz

#6 Updated by Casey Bodley 26 days ago

  • Pull request ID changed from 49297 to 49335
