Bug 2007451
Summary: | rgw: With policy specifying invalid arn, users can list content of any bucket | ||
---|---|---|---|
Product: | [Red Hat Storage] Red Hat Ceph Storage | Reporter: | Matt Benjamin (redhat) <mbenjamin> |
Component: | RGW | Assignee: | Pritha Srivastava <prsrivas> |
Status: | CLOSED ERRATA | QA Contact: | Vidushi Mishra <vimishra> |
Severity: | urgent | Docs Contact: | Mary Frances Hull <mhull> |
Priority: | unspecified | ||
Version: | 4.2 | CC: | agunn, cbodley, ceph-eng-bugs, ceph-qe-bugs, kbader, mbenjamin, mhull, prsrivas, sweil, tchandra, tserlin, vereddy, vimishra |
Target Milestone: | --- | ||
Target Release: | 5.0z1 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | ceph-16.2.0-134.el8cp | Doc Type: | Bug Fix |
Doc Text: |
.Policies with invalid Amazon resource name elements no longer lead to privilege escalations
Previously, incorrect handling of invalid Amazon resource name (ARN) elements in IAM policy documents, such as bucket policies, could cause unintended permissions to be granted to users who are not part of the policy. With this release, the fix prevents storing policies with invalid ARN elements or, if such policies are already stored, evaluates them correctly.
|
Story Points: | --- |
Clone Of: | 2007335 | Environment: | |
Last Closed: | 2021-11-02 16:39:21 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1959686 |
Comment 10
errata-xmlrpc
2021-11-02 16:39:21 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days