Bug #59136

Support bucket notification with bucket policy

Added by Anuchaithra Rao about 1 year ago. Updated 12 months ago.

Status: Pending Backport
Priority: Normal
Target version: -
% Done: 0%
Source: Q/A
Tags: notifications backport_processed
Backport: reef, quincy
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

1. Create 2 users (user1 and user2) for tenant1
2. Create a bucket using user1 of tenant1
3. putbucket notification to the created bucket using user1 of tenant1
4. Create 2 users (user1 and user2) for tenant2
5. setbucketpolicy on the bucket, so that it will be accessible to all users to perform all actions (bucket_policy_generated:{'Version': '2012-10-17', 'Statement': [{'Action': ['s3:*'], 'Principal': {'AWS': '*'}, 'Resource': ['arn:aws:s3:::usera225e5b42efa45f3-bucky-4637-0', 'arn:aws:s3:::usera225e5b42efa45f3-bucky-4637-0/*'], 'Effect': 'Allow', 'Sid': 'statement'}]})
6. Perform getbucketnotification from all users ---> it fails with access denied for user1 of tenant1 and user1, user2 of tenant2

Tried put with all users --> it's working fine

Note: bucket notification feature is not supported with bucket policy; observing AccessDenied


Related issues

Copied to rgw - Backport #59232: reef: Support bucket notification with bucket policy Resolved
Copied to rgw - Backport #59233: quincy: Support bucket notification with bucket policy New

History

#1 Updated by Yuval Lifshitz about 1 year ago

  • Source set to Q/A
  • Tags set to notifications

Currently, when any bucket notification operation is performed on a bucket, we verify that the user that sent the operation is the bucket owner.
Any other user, even if permitted to do bucket operations according to the bucket policies, will not be allowed to perform bucket notification operations.
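
Added example, not part of the original issue and not Ceph's code: a simplified Python model of the owner-only gate described in comment #1 next to a policy-aware gate, evaluated against the policy from step 5 of the description. The user ids, the function names and the owner shortcut in `policy_aware` are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

BUCKET = "usera225e5b42efa45f3-bucky-4637-0"
# Policy from step 5 of the description.
POLICY = {"Version": "2012-10-17", "Statement": [{
    "Action": ["s3:*"], "Principal": {"AWS": "*"},
    "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    "Effect": "Allow", "Sid": "statement"}]}
OWNER = "tenant1$user1"  # constructed id for the user who created the bucket


def _match(patterns, value):
    """True if value matches any pattern; '*' and '?' are wildcards."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def policy_allows(policy, principal, action, resource):
    """Simplified evaluation: explicit Deny wins, else any matching Allow."""
    allowed = False
    for stmt in policy.get("Statement", []):
        who = stmt.get("Principal", [])
        who = who.get("AWS", []) if isinstance(who, dict) else who
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not (_match(who, principal)
                and _match([a.lower() for a in acts], action.lower())
                and _match(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def owner_only(principal, owner):
    """Gate described in comment #1: the policy is never consulted."""
    return principal == owner


def policy_aware(principal, owner, policy, action, resource):
    """Assumed alternative: non-owners are checked against the bucket policy."""
    return principal == owner or policy_allows(policy, principal, action, resource)


def compare(principals, action="s3:GetBucketNotification"):
    """Map each principal to (owner_only result, policy_aware result)."""
    arn = f"arn:aws:s3:::{BUCKET}"
    return {p: (owner_only(p, OWNER), policy_aware(p, OWNER, POLICY, action, arn))
            for p in principals}
```

Any principal whose pair is `(False, True)` is one the bucket policy permits but the owner-only gate rejects, which is the AccessDenied case this issue reports.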

#2 Updated by Yuval Lifshitz about 1 year ago

  • Backport set to reef, quincy

#3 Updated by Casey Bodley about 1 year ago

  • Assignee set to Yuval Lifshitz

#4 Updated by Casey Bodley 12 months ago

  • Status changed from New to Fix Under Review
  • Pull request ID set to 50684

#5 Updated by Casey Bodley 12 months ago

  • Status changed from Fix Under Review to Pending Backport

#6 Updated by Backport Bot 12 months ago

  • Copied to Backport #59232: reef: Support bucket notification with bucket policy added

#7 Updated by Backport Bot 12 months ago

  • Copied to Backport #59233: quincy: Support bucket notification with bucket policy added

#8 Updated by Backport Bot 12 months ago

  • Tags changed from notifications to notifications backport_processed
