
Bug #43226

Updated by Alfonso Martínez over 4 years ago

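It seems that an object version can be deleted without a TOTP code on a bucket that has MFA Delete enabled. In the transcript below, the final delete-object call with --version-id is issued without --mfa, yet it succeeds and the version no longer appears in the following list-object-versions output; the expected result is that the request is rejected.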
 - Environment: CentOS 7 + ceph octopus (master) installed through rpm packages built in shaman. 
 - TOTP generator: FreeOTP (Android). 

 <pre> 
 [root@ceph-rpm ceph]# ceph -v 
 ceph version 15.0.0-8192-gb976dc5 (b976dc5aa33344fd4736a8ae3a4dce9d4351864d) octopus (dev) 

 [root@ceph-rpm ceph]# radosgw-admin mfa create --uid=dev --totp-serial=1 --totp-seed=23456723 --totp-seed-type=base32 

 [root@ceph-rpm ceph]# alias aws="aws --endpoint-url=http://localhost:8000" 

 [root@ceph-rpm ceph]# aws s3api create-bucket --bucket test 

 [root@ceph-rpm ceph]# aws s3api list-buckets 
 { 
     "Owner": { 
         "DisplayName": "Dev Admin",  
         "ID": "dev" 
     },  
     "Buckets": [ 
         { 
             "CreationDate": "2019-12-10T11:49:53.781Z",  
             "Name": "test" 
         } 
     ] 
 } 

 [root@ceph-rpm ceph]# aws s3api get-bucket-versioning --bucket test 
 [root@ceph-rpm ceph]# 

 [root@ceph-rpm ceph]# aws s3api put-bucket-versioning --bucket test --versioning-configuration '{"Status":"Enabled","MFADelete":"Enabled"}' --mfa '1 221402' 

 [root@ceph-rpm ceph]# aws s3api get-bucket-versioning --bucket test 
 { 
     "Status": "Enabled",  
     "MFADelete": "Enabled" 
 } 

 [root@ceph-rpm ceph]# aws s3api put-object --bucket test --key example --body CONTRIBUTING.rst 
 { 
     "VersionId": "ZrRv3hX0CgbjNo9j4egnexvFTlPa--x",  
     "ETag": "\"2551b46bd421838b7a5fca325f12818c\"" 
 } 

 [root@ceph-rpm ceph]# aws s3api list-object-versions --bucket test --key example 
 { 
     "Name": "test",  
     "Versions": [ 
         { 
             "LastModified": "2019-12-10T12:12:41.776Z",  
             "VersionId": "ZrRv3hX0CgbjNo9j4egnexvFTlPa--x",  
             "ETag": "\"2551b46bd421838b7a5fca325f12818c\"",  
             "StorageClass": "STANDARD",  
             "Key": "example",  
             "Owner": { 
                 "DisplayName": "Dev Admin",  
                 "ID": "dev" 
             },  
             "IsLatest": true,  
             "Size": 640 
         } 
     ],  
     "MaxKeys": 1000,  
     "Prefix": "",  
     "KeyMarker": "example",  
     "IsTruncated": false,  
     "VersionIdMarker": "" 
 } 

 [root@ceph-rpm ceph]# aws s3api delete-object --bucket test --key example --version-id ZrRv3hX0CgbjNo9j4egnexvFTlPa--x 
 { 
     "VersionId": "ZrRv3hX0CgbjNo9j4egnexvFTlPa--x" 
 } 
 [root@ceph-rpm ceph]# aws s3api list-object-versions --bucket test --key example 
 { 
     "MaxKeys": 1000,  
     "Prefix": "",  
     "Name": "test",  
     "KeyMarker": "example",  
     "IsTruncated": false,  
     "VersionIdMarker": "" 
 } 
 </pre>
