Bug 1974674

Summary: Session policies restrict the permissions granted by identity-based policies and/or resource policies. RGW currently evaluates them incorrectly.
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: Pritha Srivastava <prsrivas>
Component: RGW
Assignee: Pritha Srivastava <prsrivas>
Status: CLOSED ERRATA
QA Contact: Vidushi Mishra <vimishra>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 4.2
CC: cbodley, ceph-eng-bugs, ceph-qe-bugs, gsitlani, kbader, mbenjamin, mkasturi, sweil, tserlin, vimishra
Target Milestone: ---
Target Release: 4.2z3
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ceph-14.2.11-187.el8cp, ceph-14.2.11-187.el7cp
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2006193 2030617
Environment:
Last Closed: 2021-09-27 18:26:24 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2006193, 2030617

Description Pritha Srivastava 2021-06-22 09:41:19 UTC
Description of problem:
Session policies are not evaluated correctly in RGW currently.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Create a role and attach a permission policy to the role.
2. Pass a session policy to an AssumeRole* call which grants more permission than the permission policy.
3. Test the temporary credentials by performing S3 operations.

Actual results:
The temporary credentials have more permissions than are granted by the role's permission policy.

Expected results:
Session policies can only restrict the permissions granted by the role's permission policy.

Additional info:

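The following is an added example for this bug page, not RGW's or Ceph's code. It models the policy evaluation behind the reproduction steps above: a role permission policy, an over-broad session policy passed to AssumeRole*, and a set of S3 requests tried with the resulting temporary credentials. `effective_buggy` is an assumed model of the symptom in "Actual results" (the session policy is treated as an extra grant, giving the union of both policies); `effective_correct` implements the semantics in "Expected results" (the session policy can only narrow the role policy, so a request needs both to allow it). The policy documents, bucket names and ARNs are constructed sample data; the model covers only Effect/Action/Resource with `*` globs, and none of Condition, NotAction, NotResource or the resource-based policies the bug summary also mentions.

```python
"""Model of the session-policy evaluation behaviour this bug reports.

Added example for this bug page, not RGW/Ceph code. It handles only the
subset of IAM policy grammar the reproduction needs (Effect, Action,
Resource, '*' globs); no Condition, NotAction, NotResource or resource
policies. All policy documents and requests below are constructed samples
and the bucket/ARN names are assumed.
"""
import fnmatch

# Step 1: role permission policy attached to the role (constructed sample).
ROLE_PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::allowed-bucket",
                     "arn:aws:s3:::allowed-bucket/*"],
    }],
}

# Step 2: session policy passed as the Policy parameter of AssumeRole*,
# deliberately broader than the role policy (constructed sample).
OVERBROAD_SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# A session policy that legitimately narrows the role policy (constructed).
NARROWING_SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::allowed-bucket/public/*",
    }],
}

# Step 3: S3 operations tried with the temporary credentials (constructed).
TEST_REQUESTS = [
    ("s3:GetObject", "arn:aws:s3:::allowed-bucket/public/a.txt"),
    ("s3:GetObject", "arn:aws:s3:::allowed-bucket/private/b.txt"),
    ("s3:PutObject", "arn:aws:s3:::allowed-bucket/public/c.txt"),
    ("s3:DeleteBucket", "arn:aws:s3:::other-bucket"),
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    """IAM-style glob match: action names compare case-insensitively,
    resource ARNs compare case-sensitively."""
    patterns = _as_list(patterns)
    if fold_case:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource):
    """Decision of one policy document for one request: 'Deny' (an explicit
    deny always wins), 'Allow', or 'Implicit' (no statement matched)."""
    decision = "Implicit"
    for stmt in policy.get("Statement", []):
        if not _matches(stmt.get("Action", []), action, fold_case=True):
            continue
        if not _matches(stmt.get("Resource", []), resource, fold_case=False):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def effective_buggy(role_policy, session_policy, action, resource):
    """Assumed model of 'Actual results': the session policy is treated as an
    additional grant, so the credentials get the UNION of both policies."""
    decisions = {evaluate(role_policy, action, resource),
                 evaluate(session_policy, action, resource)}
    return "Deny" not in decisions and "Allow" in decisions


def effective_correct(role_policy, session_policy, action, resource):
    """'Expected results': a session policy can only restrict, so a request
    is allowed only when the role policy AND the session policy both allow it
    (intersection) and neither explicitly denies it."""
    role = evaluate(role_policy, action, resource)
    session = evaluate(session_policy, action, resource)
    return role == "Allow" and session == "Allow"


def check_credentials(evaluator, role_policy, session_policy):
    """Run every test request through an evaluator: request -> allowed?"""
    return {f"{action} {resource}": evaluator(role_policy, session_policy, action, resource)
            for action, resource in TEST_REQUESTS}


def escalated(role_policy, session_policy, evaluator):
    """True if the evaluator lets the session grant anything the role policy
    alone would not allow: the condition this bug reports."""
    return any(evaluator(role_policy, session_policy, a, r)
               and evaluate(role_policy, a, r) != "Allow"
               for a, r in TEST_REQUESTS)


if __name__ == "__main__":
    for name, ev in (("buggy", effective_buggy), ("correct", effective_correct)):
        print(name, "escalated:", escalated(ROLE_PERMISSION_POLICY, OVERBROAD_SESSION_POLICY, ev))
        for req, ok in check_credentials(ev, ROLE_PERMISSION_POLICY, OVERBROAD_SESSION_POLICY).items():
            print(f"  {'ALLOW' if ok else 'DENY '} {req}")
```

Running the module prints the per-request decisions for both evaluators against the over-broad session policy; only the buggy model lets s3:PutObject and s3:DeleteBucket through, while with the narrowing session policy the correct model also drops access to the private/ prefix. When testing a real RGW build, the same request list run with the AssumeRole* credentials against the endpoint gives the observable version of this table: any success outside what the role policy alone grants reproduces the bug.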
Comment 10 errata-xmlrpc 2021-09-27 18:26:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat Ceph Storage 4.2 Bug Fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:3670