Bug 2293141

Summary: [rgw] ratelimit is not enforced after assume-role / role is changed
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: Steve Baldwin <sbaldwin>
Component: RGW
Assignee: Matt Benjamin (redhat) <mbenjamin>
Status: CLOSED ERRATA
QA Contact: Vidushi Mishra <vimishra>
Severity: high
Docs Contact: Akash Raj <akraj>
Priority: unspecified
Version: 7.0
CC: akraj, bkunal, ceph-eng-bugs, cephqe-warriors, mbenjamin, mhackett, prsrivas, rpollack, tserlin, vereddy, vimishra
Target Milestone: ---   
Target Release: 7.1z1   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: ceph-18.2.1-204.el9cp
Doc Type: Bug Fix
Doc Text:
.Quota and rate limit settings for assume-roles are properly enforced for S3 requests with temporary credentials
Previously, information about a user using an assume-role was not loaded successfully from the backend store when temporary credentials were being used to serve an S3 request. As a result, the user quota or rate limit settings were not applied with the temporary credentials. With this fix, the information is loaded from the backend store even when authenticating with temporary credentials, and all settings are applied successfully.
Story Points: ---
Clone Of:
: 2298710 2298711
Last Closed: 2024-08-07 11:20:55 UTC
Type: Bug
Bug Depends On: 2298710    
Bug Blocks: 2298711    

Description Steve Baldwin 2024-06-19 22:50:20 UTC
Description of problem:

While testing user rate limits and quotas we found that things are enforced properly when using a user's access key + secret directly, but when they assume a role they are no longer limited.  In both cases the user statistics are updated correctly, so all actions are being credited back to the original user as expected and only the rate limit/quota enforcement is being bypassed.


Version-Release number of selected component (if applicable):

ceph 18.2.0-192 / 7.0z2

How reproducible:
Always

Steps to Reproduce (see detailed steps in 1st comment):
-- Create LimitTest user, max ten objects
-- Set quota to 10 objects
-- Set limit to 10 operations / minute
-- Create LimitRole role (Assume policy:)
-- Create role policy that allows all actions

Actual results:
The quota/rate limit is not enforced when role is changed.
Expected results:
The quota/rate limits enforcement should persist when role is changed.

Additional info:

Comment 25 errata-xmlrpc 2024-08-07 11:20:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat Ceph Storage 7.1 security and bug fix update.), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2024:5080

Comment 26 Red Hat Bugzilla 2024-12-06 04:25:11 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days
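
The failure mode described in the Doc Text and the report above, as an added Python model (not part of the bug report and not Ceph's code): enforcement reads limits from the user record loaded at authentication, so a credential path that carries only the uid still credits statistics to the user but falls back to "unlimited". The `Gateway` class, the `load_on_sts` switch, the return strings and the "0 means unlimited" convention are assumptions of this model; the user name and the limit of 10 operations come from the report.

```python
from dataclasses import dataclass, field


@dataclass
class UserInfo:
    """User record as kept in the backend store (model only)."""
    uid: str
    max_ops: int = 0  # assumed convention for this model: 0 = unlimited


@dataclass
class Gateway:
    store: dict        # uid -> UserInfo
    load_on_sts: bool  # False models the pre-fix path, True the fixed one
    ops: dict = field(default_factory=dict)  # uid -> ops counted this window

    def authenticate(self, uid, temporary):
        # Long-lived keys: the full user record is always loaded.
        # Temporary (assume-role) credentials, pre-fix: only the uid is
        # known, so the record carries default (unlimited) settings.
        if temporary and not self.load_on_sts:
            return UserInfo(uid)
        return self.store[uid]

    def request(self, uid, temporary=False):
        info = self.authenticate(uid, temporary)
        used = self.ops.get(info.uid, 0)
        if info.max_ops and used >= info.max_ops:
            return "throttled"
        # Statistics are credited to the original user on both paths,
        # which is why the report saw correct stats but no enforcement.
        self.ops[info.uid] = used + 1
        return "ok"


def run(load_on_sts, temporary, n=15, limit=10):
    """Send n requests in one window; return (accepted, ops credited)."""
    gw = Gateway({"LimitTest": UserInfo("LimitTest", limit)}, load_on_sts)
    results = [gw.request("LimitTest", temporary) for _ in range(n)]
    return results.count("ok"), gw.ops["LimitTest"]


if __name__ == "__main__":
    print("access key, pre-fix :", run(False, False))
    print("assume-role, pre-fix:", run(False, True))
    print("assume-role, fixed  :", run(True, True))
```

A regression check for this class of bug asserts that the accepted count is the same for both credential types, not only that the statistics match.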