Bug 2345305

Summary: [rgw][server-access-logging][RFE]: add support for configuring permission for a bucket to be used as a target bucket for log object delivery
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: Hemanth Sai <hmaheswa>
Component: RGW
Assignee: Yuval Lifshitz <ylifshit>
Status: VERIFIED ---
QA Contact: Hemanth Sai <hmaheswa>
Severity: high
Docs Contact: Rivka Pollack <rpollack>
Priority: unspecified
Version: 8.0
CC: ceph-eng-bugs, cephqe-warriors, mbenjamin, rpollack, tserlin, ylifshit
Target Milestone: ---
Keywords: FutureFeature
Target Release: 8.1
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ceph-19.2.1-107.el9cp
Doc Type: Bug Fix
Doc Text:
.Target buckets now need a bucket policy for users to write logs to them
Previously, no permission checks were run on the target bucket for bucket logging. As a result, any user could write logs to a target bucket, without needing specific permissions. With this fix, a bucket policy must be added on a target bucket to allow specific users to write logs to it.
Type: Bug
Bug Blocks: 2351689    

Description Hemanth Sai 2025-02-12 17:45:09 UTC
Description of problem:
Add support for configuring permission to allow a bucket being used as a target bucket for log delivery.
Currently I can configure bucket logging on a bucket with the target bucket being another user's bucket. Without any access, other users can use my bucket as the target bucket for bucket logging. This is a security issue.


log snippet:


[root@magna016 ~]# aws --endpoint-url http://10.8.128.16:81 --profile hsm1 s3 mb s3://hsm1-dest-bkt0
make_bucket: hsm1-dest-bkt0
[root@magna016 ~]#


[root@magna016 ~]# aws --endpoint-url http://10.8.128.16:81 --profile hsm s3api get-bucket-logging --bucket hsm-src-bkt0
{
    "LoggingEnabled": {
        "TargetBucket": "hsm1-dest-bkt0",
        "TargetPrefix": "hsm-src-bkt0-logs",
        "TargetObjectKeyFormat": {
            "SimplePrefix": {}
        },
        "ObjectRollTime": 120,
        "LoggingType": "Journal",
        "RecordsBatchSize": 0
    }
}
[root@magna016 ~]# 
[root@magna016 ~]# aws --endpoint-url http://10.8.128.16:81 --profile hsm s3 cp obj1_4KB s3://hsm-src-bkt0/obj4
upload: ./obj1_4KB to s3://hsm-src-bkt0/obj4                   
[root@magna016 ~]# 
[root@magna016 ~]# aws --endpoint-url http://10.8.128.16:81 --profile hsm s3 cp obj1_4KB s3://hsm-src-bkt0/obj5
upload: ./obj1_4KB to s3://hsm-src-bkt0/obj5                   
[root@magna016 ~]# 
[root@magna016 ~]# aws --endpoint-url http://10.8.128.16:81 --profile hsm s3 cp obj1_4KB s3://hsm-src-bkt0/obj6
upload: ./obj1_4KB to s3://hsm-src-bkt0/obj6                   
[root@magna016 ~]# 
[root@magna016 ~]# radosgw-admin bucket logging flush --bucket hsm-src-bkt0
flushed pending logging object 'hsm-src-bkt0-logs2025-02-12-07-47-46-9PJRX3F043TMUNO8' to target bucket 'hsm1-dest-bkt0'
[root@magna016 ~]# 


[root@magna016 ~]# aws --endpoint-url http://10.8.128.16:81 --profile hsm1 s3 ls
2025-02-12 07:45:38 hsm1-dest-bkt0
[root@magna016 ~]# 
[root@magna016 ~]# aws --endpoint-url http://10.8.128.16:81 --profile hsm1 s3 ls s3://hsm1-dest-bkt0
2025-02-12 07:47:46        318 hsm-src-bkt0-logs2025-02-12-07-47-04-RNQVY80875AH0CKH
[root@magna016 ~]# 
[root@magna016 ~]# aws --endpoint-url http://10.8.128.16:81 --profile hsm1 s3 cp s3://hsm1-dest-bkt0/hsm-src-bkt0-logs2025-02-12-07-47-04-RNQVY80875AH0CKH hsm-src-bkt0-logs2025-02-12-07-47-04-RNQVY80875AH0CKH
download: s3://hsm1-dest-bkt0/hsm-src-bkt0-logs2025-02-12-07-47-04-RNQVY80875AH0CKH to ./hsm-src-bkt0-logs2025-02-12-07-47-04-RNQVY80875AH0CKH
[root@magna016 ~]# 
[root@magna016 ~]# 
[root@magna016 ~]# cat hsm-src-bkt0-logs2025-02-12-07-47-04-RNQVY80875AH0CKH
hsm hsm-src-bkt0 [12/Feb/2025:07:47:04 +0000] obj4 REST.PUT.put_obj 4000 6c1b4100d743a6937ad6c59244d535b3
hsm hsm-src-bkt0 [12/Feb/2025:07:47:07 +0000] obj5 REST.PUT.put_obj 4000 6c1b4100d743a6937ad6c59244d535b3
hsm hsm-src-bkt0 [12/Feb/2025:07:47:10 +0000] obj6 REST.PUT.put_obj 4000 6c1b4100d743a6937ad6c59244d535b3
[root@magna016 ~]# 




Version-Release number of selected component (if applicable):
ceph version 19.2.0-53.el9cp

How reproducible:
always

Steps to Reproduce:
1. Create a user (user1) and create a bucket (u1_bkt1).
2. Create another user (user2) and create a bucket under it (u2_bkt2).
3. Run put-bucket-logging on u1_bkt1 with the target bucket set to u2_bkt1. Upload a few objects into the bucket u1_bkt1; after some time we observe the log object is delivered to u2_bkt1. As we don't have any method to configure permission to allow/deny a bucket being used as a target bucket by allowed/denied users, any user can use any user's bucket as a target bucket.

Actual results:
No permission check to deliver log object to target bucket.

Expected results:
Expected there should be some configuration settings for log object delivery.

Additional info:
logs: https://docs.google.com/document/d/1R9Qol5tNXwNXFQJLpagUdBSyNp7U11YJR67aym_thvg/edit?tab=t.ojj9k1r0ng0n#heading=h.rk3mhpdppc93
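
Added example, not part of the original report or of Ceph's code: a check of whether a target bucket's policy would permit log delivery from a given source bucket, the condition the Doc Text says is now required. It assumes the policy follows the AWS S3 server access logging convention (service principal `logging.s3.amazonaws.com`, `s3:PutObject`, an `aws:SourceArn` condition), which this page does not show; the policy below is constructed sample data using the bucket names from the log snippet.

```python
import fnmatch

# Assumption: the AWS S3 server access logging service principal.
LOG_SERVICE = "logging.s3.amazonaws.com"

def as_list(value):
    return value if isinstance(value, list) else [value]

def delivery_verdict(policy, source_bucket, target_bucket, sample_key):
    """Return 'deny', 'allow-scoped' or 'allow-any-source' for log delivery
    from source_bucket into target_bucket under the target's bucket policy.
    Explicit Deny statements are not evaluated in this sketch."""
    key_arn = f"arn:aws:s3:::{target_bucket}/{sample_key}"
    source_arn = f"arn:aws:s3:::{source_bucket}"
    verdict = "deny"  # no policy or no matching statement: delivery refused
    for stmt in as_list((policy or {}).get("Statement", [])):
        principal = stmt.get("Principal")
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or LOG_SERVICE not in services:
            continue
        if not any(fnmatch.fnmatchcase("s3:PutObject", a) for a in as_list(stmt.get("Action", []))):
            continue
        if not any(fnmatch.fnmatchcase(key_arn, r) for r in as_list(stmt.get("Resource", []))):
            continue
        cond = stmt.get("Condition", {})
        scoped = [arn for op in ("ArnLike", "ArnEquals", "StringEquals", "StringLike")
                  for arn in as_list(cond.get(op, {}).get("aws:SourceArn", []))]
        if not scoped:
            return "allow-any-source"  # any bucket may use this target: worth flagging
        if any(fnmatch.fnmatchcase(source_arn, arn) for arn in scoped):
            verdict = "allow-scoped"
    return verdict

# Constructed sample: bucket names and log object key taken from the report.
SAMPLE_KEY = "hsm-src-bkt0-logs2025-02-12-07-47-04-RNQVY80875AH0CKH"
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": LOG_SERVICE},
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::hsm1-dest-bkt0/hsm-src-bkt0-logs*",
        "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:s3:::hsm-src-bkt0"}},
    }],
}

if __name__ == "__main__":
    for name, pol in (("no policy", None), ("scoped policy", SCOPED_POLICY)):
        print(name, "->", delivery_verdict(pol, "hsm-src-bkt0", "hsm1-dest-bkt0", SAMPLE_KEY))
```

A verdict of `allow-any-source` marks a target policy that grants the logging principal write access without naming a source bucket, which reproduces the open-target condition this bug describes.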