Bug #58167
openNo Authentication/Authorization for creating topics on RGW
0%
Description
I'm on a containerized Ceph 17.2.5 serving only RGW/S3 clients.
I'm experimenting with notifications for S3 buckets.
I got it working with notifications to HTTP endpoints.
What I did:
Create a topic:
$ cat create_topic.data
Action=CreateTopic
&Name=topictest2
&Attributes.entry.1.key=verify-ssl&Attributes.entry.1.value=false
&Attributes.entry.2.key=use-ssl&Attributes.entry.2.value=false
&Attributes.entry.3.key=OpaqueData&Attributes.entry.3.value=Hallodrio
&Attributes.entry.4.key=push-endpoint&Attributes.entry.4.value=http://helper.example.com/cgi-bin/topictest
&Attributes.entry.5.key=persistent&Attributes.entry.5.value=false
&Attributes.entry.6.key=cloudevents&Attributes.entry.6.value=false
$ curl -v --request POST 'https://rgw.example.com' --data @create_topic.data
<CreateTopicResponse xmlns="https://sns.amazonaws.com/doc/2010-03-31/"><CreateTopicResult><TopicArn>arn:aws:sns:<zonegroup>::topictest2</TopicArn></CreateTopicResult><ResponseMetadata><RequestId>f0904533-f4ed-4d60-886c-4125fcbed97b.4944109.3169009808426767767</RequestId></ResponseMetadata></CreateTopicResponse>
And then created a notification for some user, which I received ok via http.
What surprised me:
There was no authentication/authorization necessary at all to create the topic!
Any <...> could create a million topics that way, probably a nice DoS attack.
There should be a way to prevent that from happening, e.g. at least to only allow authenticated users to create topics.