DescriptionPritha Srivastava
2021-09-23 15:22:23 UTC
From upstream tracker:
Hi
I have a role with permission policy like below
{
"Version":"2012-10-17","Statement":[
{
"Effect":"Allow","Action":["s3:ListBucket"],"Resource":"this-is-not-arn-bla-bla"
}
]
}
or
{
"Version":"2012-10-17","Statement":[
{
"Effect":"Allow","Action":["s3:ListBucket"],"Resource":"barn:aws:s3:::nonexisting-bucket"
}
]
}
User after assuming the role can execute head-bucket or list-bucket s3api operation on every bucket in the tenant without getting error 403 as expected
If I specify Resource as a valid ARN (even if bucket does not exist) e.g. arn:aws:s3:::my-valid-bucket
then user can list content of that bucket only, as expected. Attempt to access any other bucket returns 403.
Description of problem:
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1.
2.
3.
Actual results:
Expected results:
Additional info:
Comment 1RHEL Program Management
2021-09-23 15:22:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (Red Hat Ceph Storage 4.2 Bug Fix update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2021:3670