Bug 1361754 - [RGW-LDAP] :- RGW doesn't differentiate between local user and LDAP user with the same name
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: RGW
Version: 2.0
Hardware: x86_64
OS: Unspecified
high
medium
Target Milestone: ---
: 5.1
Assignee: Pritha Srivastava
QA Contact: Tejas
Bara Ancincova
URL:
Whiteboard:
Depends On:
Blocks: 1322504 1383917 1412948 1494421
Reported: 2016-07-30 05:06 UTC by shylesh
Modified: 2020-12-09 13:18 UTC

Fixed In Version:
Doc Type: Known Issue
Doc Text:
.An LDAP user can access buckets created by a local RGW user with the same name
The RADOS Object Gateway (RGW) does not differentiate between a local RGW user and an LDAP user with the same name. As a consequence, the LDAP user can access the buckets created by the local RGW user. To work around this issue, use different names for RGW and LDAP users.
Clone Of:
Environment:
Last Closed: 2020-12-09 13:18:36 UTC
Embargoed:


Description shylesh 2016-07-30 05:06:03 UTC
Description of problem:
If we have a local RGW user and an LDAP user with the same name, then RGW doesn't differentiate between them, so a bucket created by the local user will be visible to the LDAP user. Not sure if this is expected behaviour; else it will be a security flaw.

Version-Release number of selected component (if applicable):
10.2.2-24redhat1xenial

How reproducible:
Always


Steps to Reproduce:
1. Configure RGW, create a local user with the name "user1" and create a few buckets with keys
2. Set up LDAP and create a user with the same name "user1"
3. From the S3 API, authenticate as LDAP user "user1" and try to list buckets

Actual results:
All the buckets of the local RGW user "user1" will be listed even though we have used the LDAP user's key
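An audit for the condition described above and in the Doc Text workaround, added here as an example and not part of the original report or of Ceph: it finds names that exist both as local RGW users and as LDAP users. It assumes the RGW side is the JSON array printed by `radosgw-admin metadata list user` and the LDAP side is LDIF from `ldapsearch -LLL`; the sample data and function names are constructed, and names are compared case-insensitively as a conservative assumption.

```python
import base64
import json

# Constructed sample inputs (not taken from the bug report).
RGW_SAMPLE = '["user1", "backup-svc", "Alice"]'
LDIF_SAMPLE = """\
dn: uid=user1,ou=people,dc=example,dc=com
uid: user1

dn: uid=alice,ou=people,dc=example,dc=com
uid:: YWxpY2U=

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
"""

def rgw_uids(metadata_list_json):
    """Parse the JSON array of user IDs from the RGW metadata listing."""
    return set(json.loads(metadata_list_json))

def ldap_uids(ldif_text, attr="uid"):
    """Collect the values of one attribute from LDIF text."""
    values = set()
    # LDIF folds long lines; a continuation line starts with a single space.
    unfolded = ldif_text.replace("\n ", "")
    for line in unfolded.splitlines():
        name, sep, rest = line.partition(":")
        if not sep or name.lower() != attr.lower():
            continue
        if rest.startswith(":"):  # "attr:: <base64>" encodes the value
            values.add(base64.b64decode(rest[1:].strip()).decode("utf-8"))
        else:
            values.add(rest.strip())
    return values

def colliding_names(rgw, ldap):
    """Return sorted (rgw_uid, ldap_uid) pairs whose names match ignoring case."""
    by_fold = {}
    for uid in ldap:
        by_fold.setdefault(uid.casefold(), []).append(uid)
    pairs = [(r, l) for r in rgw for l in by_fold.get(r.casefold(), [])]
    return sorted(pairs)

if __name__ == "__main__":
    for rgw_uid, ldap_uid in colliding_names(rgw_uids(RGW_SAMPLE),
                                             ldap_uids(LDIF_SAMPLE)):
        print(f"collision: RGW user {rgw_uid!r} / LDAP user {ldap_uid!r}")
```

Any pair it reports is a candidate for renaming one side, per the workaround in the Doc Text.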

Comment 14 Matt Benjamin (redhat) 2018-04-02 12:44:26 UTC
Pritha's fix has been pending upstream, looks like it can be merged by 4, not needed for 3.x.

Comment 19 Drew Harris 2019-01-31 13:49:55 UTC
I have closed this issue because it has been inactive for some time now. If you feel this still deserves attention feel free to reopen it.

Comment 21 Giridhar Ramaraju 2019-08-05 13:09:00 UTC
Updating the QA Contact to Hemant. Hemant will be rerouting them to the appropriate QE Associate.

Regards,
Giri

Comment 22 Giridhar Ramaraju 2019-08-05 13:10:22 UTC
Updating the QA Contact to Hemant. Hemant will be rerouting them to the appropriate QE Associate.

Regards,
Giri

Comment 24 Yaniv Kaul 2020-07-13 06:14:31 UTC
We've not fixed this issue in the last 4 years and several releases. No one complained thus far. I suggest close-deferred for the time being.

Comment 25 Yaniv Kaul 2020-12-09 13:18:36 UTC
(In reply to Yaniv Kaul from comment #24)
> We've not fixed this issue in the last 4 years and several releases. No one
> complained thus far. I suggest close-deferred for the time being.

Closing. Please re-open if relevant.
