Bug 1361754 - [RGW-LDAP] :- RGW doesn't differentiate between local user and LDAP user with the same name
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat
Component: RGW
Version: 2.0
Hardware: x86_64
OS: Unspecified
Target Milestone: rc
: 5.0
Assignee: Pritha Srivastava
QA Contact: ceph-qe-bugs
Bara Ancincova
Keywords: Reopened, Triaged
Depends On:
Blocks: 1322504 1383917 1412948 1494421
Reported: 2016-07-30 05:06 UTC by shylesh
Modified: 2019-06-17 02:30 UTC

.An LDAP user can access buckets created by a local RGW user with the same name

The RADOS Object Gateway (RGW) does not differentiate between a local RGW user and an LDAP user with the same name. As a consequence, the LDAP user can access the buckets created by the local RGW user.

To work around this issue, use different names for RGW and LDAP users.
Clone Of:
Last Closed: 2019-01-31 13:49:55 UTC


Description shylesh 2016-07-30 05:06:03 UTC
Description of problem:
If we have a local rgw user and an LDAP user with the same name then RGW doesn't differentiate between them, so a bucket created by the local user will be visible to the ldap user. Not sure if this is expected behaviour, else it will be a security flaw.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Configure rgw, create a local user with name "user1" and create a few buckets with keys
2. Set up ldap and create a user with the same name "user1"
3. From the s3 api, authenticate ldap user "user1" and try to list buckets

Actual results:
All the buckets of local rgw user "user1" will be listed even though we have used the ldap user's key
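
An audit for the documented workaround (different names for RGW and LDAP users), as an added example that is not part of the original report or of Ceph: it compares the JSON array printed by `radosgw-admin metadata list user` with `uid` values from an `ldapsearch` LDIF export and returns names present in both. The sample inputs, the `example.com` directory and the function names are constructed; flagging names that differ only by case is an extra review aid, since the report itself only covers identical names.

```python
import base64
import json

# Constructed sample: JSON array as printed by `radosgw-admin metadata list user`.
RGW_USER_LIST = '["user1", "backup-svc", "Alice"]'

# Constructed sample: LDIF from an ldapsearch for the uid attribute (hypothetical directory).
LDAP_LDIF = """\
dn: uid=user1,ou=people,dc=example,dc=com
uid: user1

dn: uid=alice,ou=people,dc=example,dc=com
uid: alice

dn: uid=carol,ou=people,dc=example,dc=com
uid:: Y2Fyb2w=
"""


def ldap_uids(ldif):
    """Return the set of uid values in LDIF text, decoding base64 ('uid::') values."""
    uids = set()
    for line in ldif.splitlines():
        if line.startswith("uid::"):
            uids.add(base64.b64decode(line[5:].strip()).decode("utf-8"))
        elif line.startswith("uid:"):
            uids.add(line[4:].strip())
    return uids


def find_collisions(rgw_json, ldif):
    """Return (exact, case_only) for names present in both user stores.

    exact     -- identical strings, the situation described in this bug.
    case_only -- (rgw_name, ldap_name) pairs equal only when case is ignored;
                 LDAP uid matching is case-insensitive, so these are listed for review.
    """
    rgw = set(json.loads(rgw_json))
    ldap = ldap_uids(ldif)
    exact = sorted(rgw & ldap)
    by_lower = {u.lower(): u for u in ldap}
    case_only = sorted((r, by_lower[r.lower()]) for r in rgw
                       if r not in ldap and r.lower() in by_lower)
    return exact, case_only


if __name__ == "__main__":
    exact, case_only = find_collisions(RGW_USER_LIST, LDAP_LDIF)
    print("same name in RGW and LDAP:", exact)
    print("differ only by case:", case_only)
```
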

Comment 14 Matt Benjamin (redhat) 2018-04-02 12:44:26 UTC
Pritha's fix has been pending upstream, looks like it can be merged by 4, not needed for 3.x.

Comment 19 Drew Harris 2019-01-31 13:49:55 UTC
I have closed this issue because it has been inactive for some time now. If you feel this still deserves attention feel free to reopen it.
