Bug #58929

open

Bucket policy with wrong "resource" works on all bucket

Added by Luis Domingues about 1 year ago. Updated 6 months ago.

Status: Need More Info
Priority: Normal
Assignee:
Target version: -
% Done: 0%
Source:
Tags: iam
Backport: pacific quincy reef
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

On our Ceph cluster, running Pacific 16.2.11, we have set up rgw to be an S3 backend.
One of our users messed up his bucket policy, but his setup was working.

We then tried various setups and saw that any entry in "resource" that is wrong is simply discarded, and if the "resource" entry is empty (or only has wrong values), the policy is applied to all the objects in the bucket.

Examples of weird but kinda working policies:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<tenant>:user/<user>"
        ]
      },
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "Trololo"
      ]
    }
  ]
}

Or

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<tenant>:user/<user>"
        ]
      },
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
      ]
    }
  ]
}

Is this the intended way for it to work? I was rather expecting that an empty "resource" would not work on any object.
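To make the behaviour in the report concrete, here is a small Python model of the two possible readings of a statement whose "Resource" list contains no well-formed S3 ARN, together with a lint that flags such statements before they are attached to a bucket. This is an added example, not code from the Ceph RGW policy engine: it assumes Allow-only statements, glob-style matching of "bucket/key" against "arn:aws:s3:::..." ARNs, and constructed sample policies (one is the report's "Trololo" policy with a single action).

```python
import json
import re
from fnmatch import fnmatchcase

# Constructed sample policies for this example (not from the Ceph code base).
# The first is the report's "weird but working" policy; the second names a bucket.
POLICY_BAD = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": ["arn:aws:iam::tenant:user/alice"]},
  "Action": ["s3:GetObject"], "Resource": ["Trololo"]}]}""")
POLICY_GOOD = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": ["arn:aws:iam::tenant:user/alice"]},
  "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::photos/*"]}]}""")

# Only "arn:aws:s3:::<bucket>[/<key pattern>]" counts as a valid S3 resource here.
S3_ARN = re.compile(r"^arn:aws:s3:::(?P<path>[^/]+(?:/.*)?)$")

def valid_resources(statement):
    """Return the 'bucket/key' patterns of the well-formed S3 ARNs in a statement;
    anything that is not an S3 ARN is dropped, as the report observed."""
    patterns = []
    for arn in statement.get("Resource", []):
        m = S3_ARN.match(arn)
        if m:
            patterns.append(m.group("path"))
    return patterns

def allowed(policy, action, bucket, key, fail_open):
    """Evaluate an Allow-only policy for one object. fail_open=True models the
    behaviour in the report: a statement left with no valid resource matches every
    object. fail_open=False is the defensive reading: such a statement matches nothing."""
    target = f"{bucket}/{key}"
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or action not in st.get("Action", []):
            continue
        patterns = valid_resources(st)
        if not patterns:
            if fail_open:
                return True
            continue
        if any(fnmatchcase(target, p) for p in patterns):
            return True
    return False

def lint_policy(policy):
    """Flag statements whose Resource list is empty or has no well-formed S3 ARN,
    so an operator can reject the policy before it is applied to a bucket."""
    problems = []
    for i, st in enumerate(policy["Statement"]):
        bad = [r for r in st.get("Resource", []) if not S3_ARN.match(r)]
        if bad:
            problems.append(f"statement {i}: invalid resource entries {bad}")
        if not valid_resources(st):
            problems.append(f"statement {i}: no valid S3 resource, would match all objects")
    return problems
```

Running lint_policy over a policy before PutBucketPolicy is one way to catch the empty or mistyped "Resource" case the report describes, independent of how the gateway itself evaluates it.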
