Bug 2345305

Summary: [rgw][server-access-logging][RFE]: add support for configuring permission for a bucket to be used as a target bucket for log object delivery
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: Hemanth Sai <hmaheswa>
Component: RGW Assignee: Yuval Lifshitz <ylifshit>
Status: CLOSED ERRATA QA Contact: Hemanth Sai <hmaheswa>
Severity: high Docs Contact: Rivka Pollack <rpollack>
Priority: unspecified    
Version: 8.0 CC: ceph-eng-bugs, cephqe-warriors, mbenjamin, rpollack, tserlin, ylifshit
Target Milestone: --- Keywords: FutureFeature
Target Release: 8.1   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ceph-19.2.1-107.el9cp Doc Type: Bug Fix
Doc Text:
.Target buckets now need a bucket policy for users to write logs to them
Previously, no permission checks were run on the target bucket for bucket logging. As a result, any user could write logs to a target bucket, without needing specific permissions. With this fix, a bucket policy must be added on a target to allow specific users to write logs to it.
Story Points: ---
Clone Of: Environment:
Last Closed: 2025-06-26 12:25:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2351689    

Description Hemanth Sai 2025-02-12 17:45:09 UTC
Description of problem:
Add support for configuring permission to allow a bucket to be used as a target bucket for log delivery.
Currently I can configure bucket logging on a bucket with another user's bucket as the target bucket. Without any access, other users can use my bucket as a target bucket for bucket logging. This is a security issue.


log snippet:


[root@magna016 ~]# aws --endpoint-url http://10.8.128.16:81 --profile hsm1 s3 mb s3://hsm1-dest-bkt0
make_bucket: hsm1-dest-bkt0
[root@magna016 ~]#


[root@magna016 ~]# aws --endpoint-url http://10.8.128.16:81 --profile hsm s3api get-bucket-logging --bucket hsm-src-bkt0
{
    "LoggingEnabled": {
        "TargetBucket": "hsm1-dest-bkt0",
        "TargetPrefix": "hsm-src-bkt0-logs",
        "TargetObjectKeyFormat": {
            "SimplePrefix": {}
        },
        "ObjectRollTime": 120,
        "LoggingType": "Journal",
        "RecordsBatchSize": 0
    }
}
[root@magna016 ~]# 
[root@magna016 ~]# aws --endpoint-url http://10.8.128.16:81 --profile hsm s3 cp obj1_4KB s3://hsm-src-bkt0/obj4
upload: ./obj1_4KB to s3://hsm-src-bkt0/obj4                   
[root@magna016 ~]# 
[root@magna016 ~]# aws --endpoint-url http://10.8.128.16:81 --profile hsm s3 cp obj1_4KB s3://hsm-src-bkt0/obj5
upload: ./obj1_4KB to s3://hsm-src-bkt0/obj5                   
[root@magna016 ~]# 
[root@magna016 ~]# aws --endpoint-url http://10.8.128.16:81 --profile hsm s3 cp obj1_4KB s3://hsm-src-bkt0/obj6
upload: ./obj1_4KB to s3://hsm-src-bkt0/obj6                   
[root@magna016 ~]# 
[root@magna016 ~]# radosgw-admin bucket logging flush --bucket hsm-src-bkt0
flushed pending logging object 'hsm-src-bkt0-logs2025-02-12-07-47-46-9PJRX3F043TMUNO8' to target bucket 'hsm1-dest-bkt0'
[root@magna016 ~]# 


[root@magna016 ~]# aws --endpoint-url http://10.8.128.16:81 --profile hsm1 s3 ls
2025-02-12 07:45:38 hsm1-dest-bkt0
[root@magna016 ~]# 
[root@magna016 ~]# aws --endpoint-url http://10.8.128.16:81 --profile hsm1 s3 ls s3://hsm1-dest-bkt0
2025-02-12 07:47:46        318 hsm-src-bkt0-logs2025-02-12-07-47-04-RNQVY80875AH0CKH
[root@magna016 ~]# 
[root@magna016 ~]# aws --endpoint-url http://10.8.128.16:81 --profile hsm1 s3 cp s3://hsm1-dest-bkt0/hsm-src-bkt0-logs2025-02-12-07-47-04-RNQVY80875AH0CKH hsm-src-bkt0-logs2025-02-12-07-47-04-RNQVY80875AH0CKH
download: s3://hsm1-dest-bkt0/hsm-src-bkt0-logs2025-02-12-07-47-04-RNQVY80875AH0CKH to ./hsm-src-bkt0-logs2025-02-12-07-47-04-RNQVY80875AH0CKH
[root@magna016 ~]# 
[root@magna016 ~]# 
[root@magna016 ~]# cat hsm-src-bkt0-logs2025-02-12-07-47-04-RNQVY80875AH0CKH
hsm hsm-src-bkt0 [12/Feb/2025:07:47:04 +0000] obj4 REST.PUT.put_obj 4000 6c1b4100d743a6937ad6c59244d535b3
hsm hsm-src-bkt0 [12/Feb/2025:07:47:07 +0000] obj5 REST.PUT.put_obj 4000 6c1b4100d743a6937ad6c59244d535b3
hsm hsm-src-bkt0 [12/Feb/2025:07:47:10 +0000] obj6 REST.PUT.put_obj 4000 6c1b4100d743a6937ad6c59244d535b3
[root@magna016 ~]# 




Version-Release number of selected component (if applicable):
ceph version 19.2.0-53.el9cp

How reproducible:
always

Steps to Reproduce:
1. Create a user (user1) and create a bucket (u1_bkt1).
2. Create another user (user2) and create a bucket under it (u2_bkt2).
3. Run put-bucket-logging on u1_bkt1 with the target bucket set to u2_bkt1. Upload a few objects into the bucket u1_bkt1; after some time we observe the log object is delivered to u2_bkt1. As we don't have any method to configure permission to allow/deny a bucket being used as a target bucket by allowed/denied users, any user can use any user's bucket as a target bucket.

Actual results:
no permission check to deliver log object to target bucket

Expected results:
expected there should be some configuration settings for log object delivery

Additional info:
logs: https://docs.google.com/document/d/1R9Qol5tNXwNXFQJLpagUdBSyNp7U11YJR67aym_thvg/edit?tab=t.ojj9k1r0ng0n#heading=h.rk3mhpdppc93

Comment 8 errata-xmlrpc 2025-06-26 12:25:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Red Hat Ceph Storage 8.1 security, bug fix, and enhancement updates), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2025:9775
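
The following is an added example, not part of the bug report or of Ceph: an offline audit that lists bucket-logging configurations whose target bucket carries no policy permitting log delivery, using the bucket and user names from the description. The policy shape (service principal `logging.s3.amazonaws.com`, `s3:PutObject`, `aws:SourceArn` condition) is an assumption taken from the AWS S3 server-access-logging convention and is not shown on this page; matching is approximated with shell-style wildcards and Deny statements are ignored.

```python
import fnmatch

LOG_PRINCIPAL = "logging.s3.amazonaws.com"  # assumed service principal (AWS convention)

def _as_list(v):
    return v if isinstance(v, list) else [v]

def policy_allows_logging(policy, source, target, prefix):
    """True if an Allow statement lets the logging principal PutObject under prefix for source."""
    key_arn = f"arn:aws:s3:::{target}/{prefix}SAMPLE-LOG-OBJECT"  # constructed key name
    for st in _as_list((policy or {}).get("Statement", [])):
        principal = st.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = _as_list(st.get("Action", []))
        src_arns = _as_list(st.get("Condition", {}).get("ArnLike", {}).get("aws:SourceArn", []))
        if (st.get("Effect") == "Allow"
                and LOG_PRINCIPAL in services
                and any(a in ("s3:PutObject", "s3:*") for a in actions)
                and any(fnmatch.fnmatchcase(key_arn, r) for r in _as_list(st.get("Resource", [])))
                # no SourceArn condition means the statement accepts any source bucket
                and (not src_arns or any(fnmatch.fnmatchcase(f"arn:aws:s3:::{source}", p) for p in src_arns))):
            return True
    return False

def audit(buckets):
    """List (source, target, cross_owner) where the target policy does not permit log delivery."""
    findings = []
    for name, b in buckets.items():
        cfg = b.get("logging")
        if not cfg:
            continue
        tname = cfg["TargetBucket"]
        target = buckets.get(tname, {})
        if not policy_allows_logging(target.get("policy"), name, tname, cfg.get("TargetPrefix", "")):
            findings.append((name, tname, target.get("owner") != b["owner"]))
    return findings

# Constructed inventory using the bucket and user names from the report.
BUCKETS = {
    "hsm-src-bkt0": {"owner": "hsm", "logging": {
        "TargetBucket": "hsm1-dest-bkt0", "TargetPrefix": "hsm-src-bkt0-logs"}},
    "hsm1-dest-bkt0": {"owner": "hsm1", "policy": None},
}
# Policy the target owner (hsm1) could attach to accept logs from hsm-src-bkt0 only.
ALLOW_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": LOG_PRINCIPAL}, "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::hsm1-dest-bkt0/hsm-src-bkt0-logs*",
    "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:s3:::hsm-src-bkt0"}}}]}

if __name__ == "__main__":
    print(audit(BUCKETS))
```

In practice the inventory would be built from `get-bucket-logging` and `get-bucket-policy` output for each bucket; a finding with `cross_owner` set to true is the situation this bug describes.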