DescriptionPritha Srivastava
2021-06-22 09:47:21 UTC
From upstream tracker:
I am using 15.2.7 on CentOS 8, and am using awscli
1. If I access a bucket with the bucket owner credentials, and hence full access, including s3:ListBucket, and execute a head-object on a non-existent object, I get 404 Not Found. This is expected
2. If I access a bucket as a user without any permissions to the bucket, but first assuming a role via (sts assume-role) that grants me s3:* on the bucket, which includes s3:ListBucket, I get 403 Forbidden. (If the object exists I get the header back).
On AWS, using the same role and policy, (adjusting for usernames and bucket names) if I do #2, I get 404 Not Found, which is what I expect, given that I have s3:ListBucket on that bucket
According to the AWS documentation at: https://docs.aws.amazon.com/cli/latest/reference/s3api/head-object.html , If I have s3:ListBucket, which the role policy gives me, then I should get 404 Not found if I do head-object on a non-existent object.
Thus this appears to be a bug. I found the following bug from the past that seems similar but for the bucket owner and/or bucket attached policies: https://tracker.ceph.com/issues/38638
This is causing our software to not work on Ceph but fine on AWS.
I have attached a doctored sample policy that has s3:*, originally retrieved via aws s3api get-role-policy
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (Red Hat Ceph Storage 4.2 Bug Fix update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2021:3670
Comment 15Red Hat Bugzilla
2023-09-15 01:10:20 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days