Bug 2299642

Summary: [CEE] CORS ACL's prevents access to buckets with presigned PUT URI's
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: Michaela Lang <milang>
Component: RGWAssignee: Matt Benjamin (redhat) <mbenjamin>
Status: CLOSED ERRATA QA Contact: Hemanth Sai <hmaheswa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 7.1CC: akraj, bkunal, ceph-eng-bugs, cephqe-warriors, ckulal, csharpe, hmaheswa, mbenjamin, mcaldeir, tserlin
Target Milestone: ---   
Target Release: 8.0   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ceph-19.1.0-2.el9cp Doc Type: Bug Fix
Doc Text:
.Pre-signed URLs are now accepted with Keystone EC2 authentication Previously, a properly constructed pre-signed HTTP PUT URLs failed unexpectedly, with a `403/Access Denied` error. This happened because of a change in processing of HTTP OPTIONS requests containing CORS changed the implied AWSv4 request signature calculation for some pre-signed URLs when authentication was through Keystone EC2 (Swift S3 emulation). With this fix, a new workflow for CORS HTTP OPTIONS is introduced for the Keystone EC2 case and pre-signed URLs no longer unexpectedly fail.
 Story Points: ---
Clone Of:
: 2302281 (view as bug list) Environment:
Last Closed: 2024-11-25 09:03:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2302281, 2317218    

Description Michaela Lang 2024-07-24 07:21:32 UTC 
Description of problem:
As described in upstream https://tracker.ceph.com/issues/64308 having CORS set on the bucket and adding CORS headers to presigned PUT requests fails with 403 due to the header `x-amz-acl` not being considered when signing.


Version-Release number of selected component (if applicable):
7.1 (upstream  17.2.7+ based)

How reproducible:
everytime 

Steps to Reproduce:
1. set bucket acl
```
aws s3api put-bucket-acl --bucket=<user> --cors-configuration='{"CORSRules":[{"AllowedHeaders":["Authorization"],"AllowedMethods":["GET","PUT"],"AllowedOrigins":["example.com"],"ExposeHeaders":["ETag","x-amz-request-id"],"MaxAgeSeconds":3000}]}'
```

2. create presigned put uri
```
presigned = s3.generate_presigned_url(
    ClientMethod="put_object",
    HttpMethod='PUT',
    Params={
        "Bucket": "bucket",
        "Key": "test",
        "ACL": "private",
    },
)
```

3. use curl with CORS headers to post content

```
curl -X PUT 'https://s3.example.com/user1/plain-test?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=user1%2F20240724%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240724T070246Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host%3Bx-amz-acl&X-Amz-Signature=6d2f5ca1845c5fb71890588f82480b320281bc6bb2e2ab93d12fdfc1d25a728f' -d 'testing' -H 'origin: example.com' -H 'access-control-request-method: PUT' -d 'testing curl'
```


Actual results:
```
HTTP code: 403
<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message></Message><RequestId>tx000000ad5acbcf928f265-0066a0a716-1f39666-us-east-1</RequestId><HostId>1f39666-us-east-1-us-east-1</HostId></Error>
```


Expected results:
```
HTTP code: 200
```

Additional info:
There are two mitigations right now in place. Both are not sufficient as:

Workaround1 (drop ACL from presigned PUT):
```
presigned = s3.generate_presigned_url(
    ClientMethod="put_object",
    HttpMethod='PUT',
    Params={
        "Bucket": "bucket",
        "Key": "test",
    },
)
``` 

does not result in 403 but implies access to the source code of the applications (not always possible)

Workaround2 (drop CORS acl from Bucket):
implies unexpected access through third party requests which is the reason to have CORS set.
^^^ 

seem's to be not working out too as the CORS headers would need to be removed prior reaching the RGW endpoint
Comment 9 Manny 2024-08-28 18:01:06 UTC 
Please see KCS Article #7084669, (https://access.redhat.com/solutions/7084669) regarding this issue.

BR
Manny
Comment 15 errata-xmlrpc 2024-11-25 09:03:40 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat Ceph Storage 8.0 security, bug fix, and enhancement updates), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2024:10216