Bug #58929
openBucket policy with wrong "resource" works on all bucket
% Done: 0%
Tags: iam
Backport: pacific quincy reef
Regression: No
Severity: 3 - minor
Description
On our Ceph cluster, running Pacific 16.2.11, we have set up rgw to be an S3 backend.
One of our users messed up his bucket policy, but his setup was working.
We then tried various setups, and we saw that any entry in "resource" that is wrong is simply discarded, and if the "resource" entry is empty (or only has wrong values), the policy is applied to all the objects in the bucket.
Examples of weird but kinda working policies:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<tenant>:user/<user>"
        ]
      },
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "Trololo"
      ]
    }
  ]
}
Or
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<tenant>:user/<user>"
        ]
      },
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": []
    }
  ]
}
Is this the intended way to work? I was more expecting that an empty "resource" would not work on any object.
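Added example, not part of the original report and not Ceph code: a client-side lint that rejects a bucket policy before upload when a statement's "Resource" list is empty or contains entries that are not S3 ARNs for the target bucket, the two cases described above. The function names, the bucket name `mybucket`, the placeholder principal and the assumed ARN shape are all constructed for illustration; "NotResource" is not handled.

```python
import json
import re

# Assumed shape of an S3 resource ARN: arn:aws:s3:<region>:<tenant>:<bucket>[/<key>]
S3_ARN = re.compile(r"^arn:aws:s3:[^:]*:[^:]*:(?P<bucket>[^/]+)(?:/.*)?$")

def lint_policy(policy_text, bucket):
    """Return (statement_index, message) findings for unusable Resource lists."""
    findings = []
    statements = json.loads(policy_text).get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    for i, stmt in enumerate(statements):
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):    # a single resource may be a bare string
            resources = [resources]
        usable = 0
        for res in resources:
            match = S3_ARN.match(res) if isinstance(res, str) else None
            if match is None:
                findings.append((i, f"not an S3 ARN: {res!r}"))
            elif match.group("bucket") != bucket:
                findings.append((i, f"ARN names another bucket: {res!r}"))
            else:
                usable += 1
        if usable == 0:
            # The case from the report: nothing valid is left to scope the statement.
            findings.append((i, "no usable Resource: reject before upload"))
    return findings

def sample_policy(resources):
    """Constructed policy shaped like the report's; the principal is a placeholder."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::exampletenant:user/exampleuser"]},
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": resources,
        }],
    })

if __name__ == "__main__":
    for resources in (["Trololo"], [], ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"]):
        print(resources, "->", lint_policy(sample_policy(resources), "mybucket"))
```

Running such a check in the tooling that uploads policies catches a mis-scoped statement regardless of how the gateway treats the invalid entries.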