Bug 1989752

Summary: s3 object lock: PutObjectRetention allows invalid changes to retention mode
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: Casey Bodley <cbodley>
Component: RGWAssignee: Casey Bodley <cbodley>
Status: CLOSED ERRATA QA Contact: Tejas <tchandra>
Severity: high Docs Contact:
Priority: unspecified    
Version: 5.0CC: cbodley, ceph-eng-bugs, gsitlani, kbader, mbenjamin, sweil, tserlin, uboppana, vereddy, vimishra
Target Milestone: ---   
Target Release: 5.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ceph-16.2.0-112.el8cp Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-08-30 08:31:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Casey Bodley 2021-08-03 21:26:00 UTC 
Description of problem:

the PutObjectRetention operation allows changes to the Retention Mode that aren't permitted by AWS S3

notably, rgw allows the retention mode to be changed from COMPLIANCE to GOVERNANCE, which is an unintended workaround that allows the deletion of objects locked in COMPLIANCE mode

from https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html
> In compliance mode, a protected object version can't be overwritten or deleted by any user, including the root user in your AWS account. When an object is locked in compliance mode, its retention mode can't be changed, and its retention period can't be shortened.

rgw also allows the GOVERNANCE mode to be changed to COMPLIANCE without checking for governance bypass permissions. from that same document:
> To override or remove governance-mode retention settings, a user must have the s3:BypassGovernanceRetention permission and must explicitly include x-amz-bypass-governance-retention:true as a request header with any request that requires overriding governance mode. 


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. create a bucket with object lock enabled
2. upload an object with ObjectLockMode='GOVERNANCE' or 'COMPLIANCE'
3. use the PutObjectRetention api to change the retention mode

Actual results:

PutObjectRetention returns success and changes the retention mode (as long as the new retention date is not earlier than the existing date)

Expected results:

PutObjectRetention returns 403 AccessDenied on invalid changes to retention mode

Additional info:
Comment 1 RHEL Program Management 2021-08-03 21:26:06 UTC 
Please specify the severity of this bug. Severity is defined here:
https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity.
Comment 12 errata-xmlrpc 2021-08-30 08:31:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat Ceph Storage 5.0 bug fix and enhancement), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:3294