An object can no longer be deleted when a bucket or user policy with DENY s3:DeleteObject exists.
Previously, the method that evaluates policies returned an incorrect value, so the DENY was not enforced. In this release, the correct value is returned.
Description: Matt Benjamin (redhat), 2018-11-29 12:51:23 UTC
Description of problem:
An object can still be deleted even if a bucket or user policy with DENY s3:DeleteObject exists.
Version-Release number of selected component (if applicable):
3.2
How reproducible:
100%
Steps to Reproduce (from upstream case):
"""
For example, the testing bucket name is '111', the bucket owner is em_test1
[root@localhost ~]# s3cmd info s3://111
s3://111/ (bucket):
Location: default
Payer: BucketOwner
Expiration Rule: none
Policy: {"Version": "2012-10-17", "Statement": [{"Action": ["s3:PutObject", "s3:DeleteObject"], "Principal": {"AWS": ["arn:aws:iam:::user/em_test1"]}, "Resource": ["arn:aws:s3:::111/InterLeave"], "Effect": "Deny", "Sid": "worm1"}, {"Action": ["s3:GetObject"], "Principal": {"AWS": ["arn:aws:iam:::user/em_test2"]}, "Resource": ["arn:aws:s3:::111/InterLeave"], "Effect": "Allow", "Sid": "worm2"}]}
CORS: none
ACL: em_test1: FULL_CONTROL
We can see that there is a related bucket policy configuration set on bucket 111 which defines that the bucket owner em_test1 cannot overwrite (by PutObject) or delete (by DeleteObject) the InterLeave object in bucket 111.
[root@localhost ~]# s3cmd put InterLeave s3://111
upload: 'InterLeave' -> 's3://111/InterLeave' [1 of 1]
37072 of 37072 100% in 0s 3.75 MB/s done
ERROR: S3 error: 403 (AccessDenied)
[root@localhost ~]# s3cmd del s3://111/InterLeave
delete: 's3://111/InterLeave'
Then we really cannot overwrite the InterLeave object in bucket 111, but we can still delete it.
"""
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2019:0475