Bug 1361754

Summary: [RGW-LDAP] :- RGW doesn't differentiate between local user and LDAP user with the same name
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: shylesh <shmohan>
Component: RGW
Assignee: Pritha Srivastava <prsrivas>
Status: CLOSED DEFERRED
QA Contact: Tejas <tchandra>
Severity: medium
Docs Contact: Bara Ancincova <bancinco>
Priority: high
Version: 2.0
CC: anharris, cbodley, ceph-eng-bugs, hklein, hnallurv, kbader, kdreyer, mbenjamin, sweil
Target Milestone: ---
Keywords: Reopened, Triaged
Target Release: 5.1
Hardware: x86_64   
OS: Unspecified   
Whiteboard:
Fixed In Version:
Doc Type: Known Issue
Doc Text:
.An LDAP user can access buckets created by a local RGW user with the same name
The RADOS Object Gateway (RGW) does not differentiate between a local RGW user and an LDAP user with the same name. As a consequence, the LDAP user can access the buckets created by the local RGW user. To work around this issue, use different names for RGW and LDAP users.
Last Closed: 2020-12-09 13:18:36 UTC
Type: Bug
Bug Blocks: 1322504, 1383917, 1412948, 1494421    

Description shylesh 2016-07-30 05:06:03 UTC
Description of problem:
If we have a local RGW user and an LDAP user with the same name, then RGW doesn't differentiate between them, so a bucket created by the local user will be visible to the LDAP user. Not sure if this is expected behaviour; else it will be a security flaw.

Version-Release number of selected component (if applicable):
10.2.2-24redhat1xenial

How reproducible:
Always


Steps to Reproduce:
1. Configure RGW, create a local user with name "user1" and create a few buckets with keys
2. Set up LDAP and create a user with the same name "user1"
3. From the S3 API, authenticate LDAP user "user1" and try to list buckets

Actual results:
All the buckets of local RGW user "user1" will be listed even though we have used the LDAP user's key
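
The workaround in the Doc Text (use different names for RGW and LDAP users) can be audited by comparing the two name spaces. The following is an added example, not code from this bug report or from Ceph. It assumes the local RGW uids are available as a JSON array of strings, that the directory has been exported as LDIF, and that `uid` is the LDAP attribute used as the login name; the function names and sample data are constructed for illustration.

```python
import base64
import json


def ldif_values(ldif_text, attr="uid"):
    """Return every value of `attr` found in LDIF text."""
    # LDIF folds long lines: a continuation line starts with one space.
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    values = []
    for line in lines:
        name, sep, rest = line.partition(":")
        if not sep or name.strip().lower() != attr.lower():
            continue
        if rest.startswith(":"):  # "attr:: <base64>" form
            values.append(base64.b64decode(rest[1:].strip()).decode("utf-8"))
        else:
            values.append(rest.strip())
    return values


def find_collisions(rgw_uids_json, ldif_text, attr="uid"):
    """Return sorted (rgw_uid, ldap_name) pairs that share a name."""
    # Assumption: names are compared case-insensitively, which is
    # deliberately conservative (it may flag more pairs than RGW would merge).
    rgw = {}
    for uid in json.loads(rgw_uids_json):
        rgw.setdefault(uid.casefold(), []).append(uid)
    hits = set()
    for name in ldif_values(ldif_text, attr):
        for uid in rgw.get(name.casefold(), []):
            hits.add((uid, name))
    return sorted(hits)


# Constructed sample input, not taken from a real deployment.
SAMPLE_RGW_UIDS = '["user1", "backup-svc", "alice"]'
SAMPLE_LDIF = (
    "dn: uid=user1,ou=people,dc=example,dc=com\nuid: user1\n\n"
    "dn: uid=bob,ou=people,dc=example,dc=com\nuid: bob\n\n"
    "dn: uid=Alice,ou=people,dc=example,dc=com\nuid:: QWxpY2U=\n"
)

if __name__ == "__main__":
    for rgw_uid, ldap_name in find_collisions(SAMPLE_RGW_UIDS, SAMPLE_LDIF):
        print(f"collision: RGW uid {rgw_uid!r} matches LDAP name {ldap_name!r}")
```

Any pair it reports is a local user whose buckets would be visible to the like-named LDAP user under the behaviour described in this bug.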

Comment 14 Matt Benjamin (redhat) 2018-04-02 12:44:26 UTC
Pritha's fix has been pending upstream, looks like it can be merged by 4, not needed for 3.x.

Comment 19 Drew Harris 2019-01-31 13:49:55 UTC
I have closed this issue because it has been inactive for some time now. If you feel this still deserves attention feel free to reopen it.

Comment 21 Giridhar Ramaraju 2019-08-05 13:09:00 UTC
Updating the QA Contact to Hemant. Hemant will be rerouting them to the appropriate QE Associate.

Regards,
Giri

Comment 22 Giridhar Ramaraju 2019-08-05 13:10:22 UTC
Updating the QA Contact to Hemant. Hemant will be rerouting them to the appropriate QE Associate.

Regards,
Giri

Comment 24 Yaniv Kaul 2020-07-13 06:14:31 UTC
We've not fixed this issue in the last 4 years and several releases. No one complained thus far. I suggest close-deferred for the time being.

Comment 25 Yaniv Kaul 2020-12-09 13:18:36 UTC
(In reply to Yaniv Kaul from comment #24)
> We've not fixed this issue in the last 4 years and several releases. No one
> complained thus far. I suggest close-deferred for the time being.

Closing. Please re-open if relevant.