Bug 2284154

Summary: [IBM Support] S3 session policy behavior on batch deletes returns AccessDenied for all keys
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: Mike Hackett <mhackett>
Component: RGW
Assignee: Matt Benjamin (redhat) <mbenjamin>
Status: CLOSED ERRATA
QA Contact: Hemanth Sai <hmaheswa>
Severity: high
Priority: unspecified
Version: 6.1
CC: akraj, bkunal, ceph-eng-bugs, cephqe-warriors, mbenjamin, mkasturi, rpollack, tserlin, vereddy
Target Milestone: ---
Keywords: AutoVerified
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ceph-19.1.1-49.el9cp
Doc Type: Bug Fix
Doc Text:
.Batch object deleting is now allowed, with IAM policy permissions
Previously, during a batch delete (also known as multi-object delete), incorrect evaluation of IAM policies returned `AccessDenied` even when no explicit or implicit deny was present and Allow privileges existed. As a result, batch deleting failed with the `AccessDenied` error. With this fix, the policies are evaluated as expected and batch deleting succeeds when IAM policies are enabled.
Story Points: ---
Clone Of: 2284153
Last Closed: 2024-11-25 09:01:35 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2284153, 2298712
Bug Blocks: 2317218

Description Mike Hackett 2024-05-31 20:07:32 UTC
+++ This bug was initially created as a clone of Red Hat Bug #2284153 +++

Description of problem:
The customer exclusively uses STS/IAM roles for access to buckets and objects.  In addition, they use session policies provided to AssumeRole calls to scope session permissions for our users.
They are observing that when they provide a session policy of any kind, including one that provides all permissions, then the DeleteObjects call (batch delete) always returns AccessDenied for all keys.  When they try to delete the same objects with DeleteObject (single delete) it works, so there is something about the batch delete operation that is impacting the access check as the policy does provide delete access to the objects in question.
If they do the same operations with the same policy as role policy instead of session policy all operations pass as expected.  The customer needs to get to the root cause of the permission discrepancy when using session policies for this API as this is critical to their use case of multi-user shared buckets with dynamic permissions.

Version-Release number of selected component (if applicable):
IBM Storage Ceph 7.0

How reproducible:
Consistently

Steps to Reproduce:
Customer-provided scripts that will be attached to the BZ to reproduce

Actual results:
Batch delete does not function.

Expected results:
Batch delete should function as expected with session policy.

Additional info:

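The customer's reproducer scripts are attached to the BZ and not shown on this page. The following is an added check script, not the customer's or Red Hat's code: it assumes a role with an all-allow session policy and compares DeleteObjects with DeleteObject on the same keys under that session, so that an affected RGW shows up as `all-denied` for the batch while the single delete succeeds. It assumes boto3 and an RGW endpoint that serves STS alongside S3; the bucket, role ARN and endpoint are placeholders passed as arguments.

```python
import json
import sys

def build_session_policy() -> dict:
    """All-allow session policy for AssumeRole (constructed for this check): with
    everything allowed, an AccessDenied can only come from RGW's evaluation."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
    }

def classify_batch_delete(response: dict, keys: list) -> str:
    """'ok' (no key denied), 'all-denied' (the symptom reported) or 'partial'."""
    denied = {e["Key"] for e in response.get("Errors", [])
              if e.get("Code") == "AccessDenied"}
    if not denied:
        return "ok"
    return "all-denied" if denied == set(keys) else "partial"

def run_check(bucket: str, role_arn: str, endpoint: str) -> dict:
    """Assume the role with the session policy, then compare DeleteObjects with
    DeleteObject on the same keys. Needs boto3 and the endpoint; the helpers do not."""
    import boto3
    from botocore.exceptions import ClientError
    # Assumption: the RGW endpoint serves both S3 and STS (rgw_sts_key configured).
    sts = boto3.client("sts", endpoint_url=endpoint)
    creds = sts.assume_role(RoleArn=role_arn, RoleSessionName="batch-delete-check",
                            Policy=json.dumps(build_session_policy()))["Credentials"]
    s3 = boto3.client("s3", endpoint_url=endpoint,
                      aws_access_key_id=creds["AccessKeyId"],
                      aws_secret_access_key=creds["SecretAccessKey"],
                      aws_session_token=creds["SessionToken"])
    keys = ["batch-check/a", "batch-check/b"]  # constructed test keys
    for k in keys:
        s3.put_object(Bucket=bucket, Key=k, Body=b"x")
    try:
        batch = s3.delete_objects(Bucket=bucket, Delete={"Objects": [{"Key": k} for k in keys]})
        verdict = classify_batch_delete(batch, keys)
    except ClientError as exc:  # whole request rejected rather than per-key errors
        verdict = "request-denied:" + exc.response["Error"]["Code"]
    single_ok = True
    try:  # single DeleteObject under the same session; the report says this works
        s3.delete_object(Bucket=bucket, Key=keys[0])
    except ClientError:
        single_ok = False
    return {"batch": verdict, "single_delete_ok": single_ok}

if __name__ == "__main__":  # usage: script.py <bucket> <role-arn> <endpoint-url>
    print(run_check(*sys.argv[1:4]))
```

A healthy deployment returns `{'batch': 'ok', 'single_delete_ok': True}`; the behaviour described in this bug shows as `'batch': 'all-denied'` with the single delete still succeeding.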
Comment 5 errata-xmlrpc 2024-11-25 09:01:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat Ceph Storage 8.0 security, bug fix, and enhancement updates), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2024:10216