Bug 2007335

Summary: rgw: With policy specifying invalid arn, users can list content of any bucket
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: Pritha Srivastava <prsrivas>
Component: RGWAssignee: Pritha Srivastava <prsrivas>
Status: CLOSED ERRATA QA Contact: Vidushi Mishra <vimishra>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 4.2CC: cbodley, ceph-eng-bugs, kbader, mbenjamin, sweil, tserlin, vereddy, vimishra
Target Milestone: ---   
Target Release: 4.2z3   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ceph-14.2.11-199.el8cp, ceph-14.2.11-199.el7cp Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2007451 2008858 2008860 (view as bug list) Environment:
Last Closed: 2021-09-27 18:26:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2008858, 2008860    

Description Pritha Srivastava 2021-09-23 15:22:23 UTC 
From upstream tracker:



Hi

I have a role with permission policy like below

{
    "Version":"2012-10-17","Statement":[
    {
        "Effect":"Allow","Action":["s3:ListBucket"],"Resource":"this-is-not-arn-bla-bla" 
    }
    ]
}

or

{
    "Version":"2012-10-17","Statement":[
    {
        "Effect":"Allow","Action":["s3:ListBucket"],"Resource":"barn:aws:s3:::nonexisting-bucket" 
    }
    ]
}

User after assuming the role can execute head-bucket or list-bucket s3api operation on every bucket in the tenant without getting error 403 as expected
If I specify Resource as a valid ARN (even if bucket does not exist) e.g. arn:aws:s3:::my-valid-bucket

then user can list content of that bucket only, as expected. Attempt to access any other bucket returns 403.


Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 RHEL Program Management 2021-09-23 15:22:30 UTC 
Please specify the severity of this bug. Severity is defined here:
https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity.
Comment 17 errata-xmlrpc 2021-09-27 18:26:55 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat Ceph Storage 4.2 Bug Fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:3670