Bug 1891117

Summary: Adding public-read policy to bucket prevents subsequent authenticated access
Product: [Red Hat Storage] Red Hat OpenShift Container Storage
Component: Multi-Cloud Object Gateway
Version: 4.5
Status: CLOSED DUPLICATE
Type: Bug
Reporter: Lars Kellogg-Stedman <lars>
Assignee: Nimrod Becker <nbecker>
QA Contact: Raz Tamir <ratamir>
CC: etamir, jthottan, ocs-bugs
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Target Release: ---
Regression: ---
Story Points: ---
Doc Type: If docs needed, set a value
Last Closed: 2020-10-26 16:13:16 UTC

Description Lars Kellogg-Stedman 2020-10-23 19:46:17 UTC
Description of problem (please be as detailed as possible and provide log
snippets):

I have created a bucket in Noobaa with the following OBC:

    apiVersion: objectbucket.io/v1alpha1
    kind: ObjectBucketClaim
    metadata:
      name: example-noobaa
    spec:
      generateBucketName: example
      storageClassName: openshift-storage.noobaa.io

This results in a bucket named example-<suffix>, e.g:

  $ oc get configmap example-noobaa -o jsonpath={.data.BUCKET_NAME}
  example-5c934e7d-fba1-46c6-997d-d699229f87df

I would like to grant public read access to this bucket. I am applying the following policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "PublicRead",
          "Effect": "Allow",
          "Principal": "*",
          "Action": ["s3:GetObject", "s3:GetObjectVersion"],
          "Resource": ["arn:aws:s3:::example-5c934e7d-fba1-46c6-997d-d699229f87df/*"]
        }
      ]
    }

Using the aws-cli command:

  $ aws-cli s3api --endpoint https://s3-openshift-storage.apps.cnv.massopen.cloud put-bucket-policy --bucket example-5c934e7d-fba1-46c6-997d-d699229f87df --policy file://policy-noobaa.json

The policy applies successfully, but after this I no longer have normal authenticated access to the bucket:

  $ aws-cli s3 --endpoint https://s3-openshift-storage.apps.cnv.massopen.cloud ls  s3://example-5c934e7d-fba1-46c6-997d-d699229f87df
  An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

If I perform the same sequence of actions using the S3 interface provided by Ceph's radosgw endpoint, it works as expected (I continue to have authenticated access to the bucket even after setting a public-read policy).


Version of all relevant components (if applicable):

OCS 4.5.1 on OCP 4.5.14

Does this issue impact your ability to continue to work with the product
(please explain in detail what the user impact is)?

It makes working with Noobaa-managed buckets largely impossible.

Is there any workaround available to the best of your knowledge?

We've exposed the Ceph RGW endpoint publicly and we're working with that instead of Noobaa.

Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)?

3

Is this issue reproducible?

Yes

Can this issue be reproduced from the UI?

No

Actual results:

I lost authenticated access to an object bucket after applying a public read policy.

Expected results:

I expected to continue to have access to the bucket.

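The following is an added example, not code from the bug report and not NooBaa's or OCS's own policy engine. It is an offline evaluator for S3-style bucket policies in the shape the report uses, built to make the symptom above concrete: the PublicRead policy only covers `s3:GetObject` and `s3:GetObjectVersion` on the object ARN (`bucket/*`), while `ListObjectsV2` is `s3:ListBucket` on the bucket ARN, so the policy is silent on the owner's listing request. Under the AWS evaluation model a silent bucket policy leaves the owner's identity permissions in force; a gateway that treats an attached bucket policy as the sole authority would return AccessDenied for that same request. Which of the two models NooBaa 4.5 applied is an assumption made here for illustration, not something the report states. The owner ARN and identity permissions are placeholders, and `audit_public_statements` is a defender's pre-flight check that a public statement grants nothing beyond object reads on the intended bucket.

```python
import fnmatch

# Constructed from the report: the bucket name and the PublicRead policy.
BUCKET = "example-5c934e7d-fba1-46c6-997d-d699229f87df"
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:GetObjectVersion"],
        "Resource": [f"arn:aws:s3:::{BUCKET}/*"],
    }],
}

# Hypothetical identity permissions of the bucket owner (the authenticated
# aws-cli user in the report). Placeholder ARN, not from the report.
OWNER = "arn:aws:iam::000000000000:user/owner"
OWNER_IDENTITY = {OWNER: ["s3:*"]}

# Actions that are reasonable to grant to Principal "*". Public s3:ListBucket
# would expose every key name in the bucket, so it is deliberately excluded.
PUBLIC_SAFE_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_public(principal):
    """True for Principal "*" or {"AWS": "*"}: anyone, including anonymous."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _principal_matches(principal, caller):
    if is_public(principal):
        return True
    if isinstance(principal, dict):
        return caller in _as_list(principal.get("AWS", []))
    return principal == caller


def _any_match(value, patterns):
    # IAM-style wildcards ("s3:Get*", "bucket/*") map onto fnmatch patterns.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def policy_decision(policy, caller, action, resource):
    """Return "Allow", "Deny", or None when no statement matches the request."""
    effects = {
        s["Effect"] for s in policy["Statement"]
        if _principal_matches(s["Principal"], caller)
        and _any_match(action, s["Action"])
        and _any_match(resource, s["Resource"])
    }
    if "Deny" in effects:  # an explicit deny always wins
        return "Deny"
    return "Allow" if "Allow" in effects else None


def aws_style_allowed(policy, caller, action, resource, identity):
    """AWS model: explicit deny > bucket-policy allow or identity allow > implicit deny."""
    decision = policy_decision(policy, caller, action, resource)
    if decision == "Deny":
        return False
    if decision == "Allow":
        return True
    return _any_match(action, identity.get(caller, []))


def policy_only_allowed(policy, caller, action, resource):
    """Assumed model where an attached bucket policy is the only authority:
    whatever it does not explicitly allow is denied, bucket owner included."""
    return policy_decision(policy, caller, action, resource) == "Allow"


def audit_public_statements(policy, bucket):
    """Pre-flight check: list public Allow statements that grant more than
    object reads, or whose resources reach outside the intended bucket."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings = []
    for s in policy["Statement"]:
        if s["Effect"] != "Allow" or not is_public(s["Principal"]):
            continue
        sid = s.get("Sid", "<no Sid>")
        for a in _as_list(s["Action"]):
            if a not in PUBLIC_SAFE_ACTIONS:
                findings.append(f"{sid}: public grant of non-read action {a}")
        for r in _as_list(s["Resource"]):
            if r != bucket_arn and not r.startswith(bucket_arn + "/"):
                findings.append(f"{sid}: resource {r} is outside bucket {bucket}")
    return findings


if __name__ == "__main__":
    obj, bkt = f"arn:aws:s3:::{BUCKET}/index.html", f"arn:aws:s3:::{BUCKET}"
    print("anonymous GetObject:", policy_decision(PUBLIC_READ_POLICY, "anonymous", "s3:GetObject", obj))
    print("policy on owner ListBucket:", policy_decision(PUBLIC_READ_POLICY, OWNER, "s3:ListBucket", bkt))
    print("AWS model, owner ListBucket:", aws_style_allowed(PUBLIC_READ_POLICY, OWNER, "s3:ListBucket", bkt, OWNER_IDENTITY))
    print("policy-only model, owner ListBucket:", policy_only_allowed(PUBLIC_READ_POLICY, OWNER, "s3:ListBucket", bkt))
    print("audit findings:", audit_public_statements(PUBLIC_READ_POLICY, BUCKET))
```

Run stand-alone, the script shows the policy allowing anonymous `GetObject`, being silent (`None`) on the owner's `ListBucket`, and the two models then disagreeing on that silent case: the AWS-style evaluation keeps the owner's access, the policy-only evaluation produces the AccessDenied seen in the report. The audit returns no findings for the report's policy, which is the expected result for a correctly scoped public-read grant.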
Comment 3 Lars Kellogg-Stedman 2020-10-26 15:36:15 UTC
> Did you use 4.5 as stated in the BZ?

Yes, this is with OCS 4.5.1. I don't believe 4.6 has been released yet?