Bug #58929
openBucket policy with wrong "resource" works on all bucket
0%
Description
On our ceph cluster, running Pacific 16.2.11, we have setup rgw to be a S3 backend.
One of our user messed up his bucket policy, but his setup was working.
We then tried various setup, we saw that any entries in "resource" that is wrong is simply discarded, and if the "resource" entry is empty (or only has wrong values), the policy is applied to all the objects on the bucket.
Example of weird but kinda working policies:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<tenant>:user/<user>"
]
},
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": [
"Trololo"
]
}
]
}
Or
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<tenant>:user/<user>"
]
},
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": [
]
}
]
}
Is this the intended way to work? I was more expecting that an empty "resource" would not work on any object.
Updated by Casey Bodley about 1 year ago
- Assignee set to Adam Emerson
- Tags set to iam
- Backport set to pacific quincy reef
Updated by Matt Benjamin 12 months ago
Adam,
is this the same as or related to:
commit 3185a5bd52d9a4374c72d9fe46027e8e3d49e4ce Author: Adam C. Emerson <aemerson@redhat.com> Date: Mon Dec 12 20:40:33 2022 -0500 rgw: Add `rgw_policy_reject_invalid_principals` and messages Reject policies with invalid principals by default and provide more useful error messages while doing so. (Log them but do *not* reject the policy if it's set to false.) Signed-off-by: Adam C. Emerson <aemerson@redhat.com> (cherry picked from commit 0dd2ef42459776111d749e5f11e0da2c25bc3ef1) Conflicts: src/common/options/rgw.yaml.in - Different options upstream than down src/rgw/rgw_iam_policy.cc - Spacing Resolves: rhbz#2153775 Signed-off-by: Adam C. Emerson <aemerson@redhat.com>
Matt
Updated by Adam Emerson 12 months ago
Matt Benjamin wrote:
Adam,
is this the same as or related to:
[...]
Matt
It's related, we ignore unknown resources rather than erroring on them to make mirroring easier.
I can add a similar option to error on them like I did for principals.
Updated by Casey Bodley 6 months ago
Is this the intended way to work? I was more expecting that an empty "resource" would not work on any object.
in Statement::eval()
at https://github.com/ceph/ceph/blob/1afba5c/src/rgw/rgw_iam_policy.cc#L1112-L1114:
if (res && resource.empty() && notresource.empty()) {
return Effect::Pass;
}
resource.empty()
will be true whether a Resource
array was specified and empty, or not specified at all. we may need separate handling for the 'specified but empty' case?
do we know how aws handles this? the docs don't say anything about this empty case in https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html#reference_policies_elements_resource_multiple-resources
Updated by Casey Bodley 6 months ago
sorry, return Effect::Pass
should result in the entire Statement
being skipped - so the "Effect": "Allow"
would not grant access to the request, nor would it deny access. are you sure access isn't granted otherwise, based on bucket ownership or ACLs?
Updated by Casey Bodley 6 months ago
- Status changed from Triaged to Need More Info
Updated by Luis Domingues 6 months ago
The user for which the policy is created is not the owner of the bucket, so setting a policy is the way to grant the user access to the bucket. I can check again but from what I remember, the user has no access to the bucket prior the creation of the policy.