Description of problem:
Create a bucket with a tenant user. Set a bucket policy to give permission to another user from the same or a different tenant to GetBucketVersioning/PutBucketVersioning. It fails with a 403 Forbidden error.

Version-Release number of selected component (if applicable):
ceph-radosgw-12.2.0-2.el7cp.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Create a bucket with tenant user testx$tester
2. Write a bucket policy providing s3:GetBucketVersioning/s3:PutBucketVersioning to another user in the same or a different tenant
3. After setting the policy, try enabling/getting bucket versioning on the bucket.

Actual results:
S3ResponseError: 403 Forbidden

Expected results:
Enabling versioning and getting versioning should work

Additional info:

1. # vi versioning
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::testx:user/u3"]},
        "Action": ["s3:ListBucket", "s3:PutBucketPolicy", "s3:GetBucketPolicy", "s3:GetBucketVersioning"],
        "Resource": [
            "arn:aws:s3::*:my-new-bucket",
            "arn:aws:s3::*:my-new-bucket/*"
        ]
    }]
}

2. With s3cmd configured with the bucket owner's credentials:
# s3cmd -c s3test.cfg setpolicy versioning s3://my-new-bucket

3. Script to enable/get versioning on the bucket
# vi versioning.py
import boto
import boto.s3.connection

# access/secret key of the user being tested against the policy
conn = boto.connect_s3(
    aws_access_key_id = 'NIHE7N6F2A87AK3DQY2L',
    aws_secret_access_key = 'xfO8MogHIkQoMh1qbTvCILuCZV2ta5P6exjwk1FD',
    host = 'magnaxxx',
    port = 8080,
    is_secure=False,
    calling_format = boto.s3.connection.OrdinaryCallingFormat(),
)
# tenant-qualified bucket name ("tenant:bucket"); get_bucket() issues a HEAD on the bucket
b = conn.get_bucket("testx:my-new-bucket")
b.configure_versioning(True)        # PUT ?versioning  (s3:PutBucketVersioning)
print(b.get_versioning_status())    # GET ?versioning  (s3:GetBucketVersioning)

# python versioning.py
<Bucket: testx:my-new-bucket>
Traceback (most recent call last):
  File "versioning.py", line 15, in <module>
    b.configure_versioning(True)
  File "/usr/lib/python2.7/site-packages/boto/s3/bucket.py", line 1308, in configure_versioning
    response.status, response.reason, body)
boto.exception.S3ResponseError: S3ResponseError: 403 Forbidden
<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><BucketName>my-new-bucket</BucketName><RequestId>tx00000000000000000003a-0059b64a2a-5e2b-us-east</RequestId><HostId>5e2b-us-east-us</HostId></Error>

Errors from log:
/testx:my-new-bucket/?versioning
2017-09-11 08:32:42.627031 7fa767688700 15 server signature=Xh+B5726L4LlSOrerOrrQi+Tuco=
2017-09-11 08:32:42.627032 7fa767688700 15 client signature=Xh+B5726L4LlSOrerOrrQi+Tuco=
2017-09-11 08:32:42.627032 7fa767688700 15 compare=0
2017-09-11 08:32:42.627037 7fa767688700 20 rgw::auth::s3::LocalEngine granted access
2017-09-11 08:32:42.627038 7fa767688700 20 rgw::auth::s3::AWSAuthStrategy granted access
2017-09-11 08:32:42.627040 7fa767688700 2 req 58:0.000121:s3:PUT /testx:my-new-bucket/:set_bucket_versioning:normalizing buckets and tenants
2017-09-11 08:32:42.627043 7fa767688700 10 s->object=<NULL> s->bucket=testx/my-new-bucket
2017-09-11 08:32:42.627046 7fa767688700 2 req 58:0.000127:s3:PUT /testx:my-new-bucket/:set_bucket_versioning:init permissions
2017-09-11 08:32:42.627061 7fa767688700 15 decode_policy Read AccessControlPolicy<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>testx$tester</ID><DisplayName>Test User</DisplayName></Owner><AccessControlList><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>testx$tester</ID><DisplayName>Test User</DisplayName></Grantee><Permission>FULL_CONTROL</Permission></Grant></AccessControlList></AccessControlPolicy>
2017-09-11 08:32:42.627151 7fa767688700 2 req 58:0.000232:s3:PUT /testx:my-new-bucket/:set_bucket_versioning:recalculating target
2017-09-11 08:32:42.627156 7fa767688700 2 req 58:0.000237:s3:PUT /testx:my-new-bucket/:set_bucket_versioning:reading permissions
2017-09-11 08:32:42.627158 7fa767688700 2 req 58:0.000239:s3:PUT /testx:my-new-bucket/:set_bucket_versioning:init op
2017-09-11 08:32:42.627160 7fa767688700 2 req 58:0.000241:s3:PUT /testx:my-new-bucket/:set_bucket_versioning:verifying op mask
2017-09-11 08:32:42.627161 7fa767688700 20 required_mask= 2 user.op_mask=7
2017-09-11 08:32:42.627163 7fa767688700 2 req 58:0.000244:s3:PUT /testx:my-new-bucket/:set_bucket_versioning:verifying op permissions
2017-09-11 08:32:42.627166 7fa767688700 20 op->ERRORHANDLER: err_no=-13 new_err_no=-13
2017-09-11 08:32:42.627218 7fa767688700 2 req 58:0.000299:s3:PUT /testx:my-new-bucket/:set_bucket_versioning:op status=0
2017-09-11 08:32:42.627224 7fa767688700 2 req 58:0.000305:s3:PUT /testx:my-new-bucket/:set_bucket_versioning:http status=403
2017-09-11 08:32:42.627226 7fa767688700 1 ====== req done req=0x7fa767682190 op status=0 http_status=403 ======
2017-09-11 08:32:42.627236 7fa767688700 20 process_request() returned -13
s3:PutBucketRequestPayment policy fails with the same error. Policy used:
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::testy:user/tester"]},
        "Action": ["s3:ListBucket", "s3:PutBucketRequestPayment"],
        "Resource": [
            "arn:aws:s3::*:my-new-bucket",
            "arn:aws:s3::*:my-new-bucket/*"
        ]
    }]
}
Hi Shilpa, The 'b.configure_versioning(True)' fails because the policy doesn't allow the 's3:PutBucketVersioning' action. For the BucketRequestPayment ops, it does look like we're missing the code to check policy. I created an upstream tracker for this bug at http://tracker.ceph.com/issues/21389. Thanks!
Someone assign this to me so I can edit it.
Prospective fix in https://github.com/ceph/ceph/pull/17742
The fix is currently undergoing upstream QA.
The upstream tracker for the payment processing bug is: http://tracker.ceph.com/issues/21389 And the upstream PR is: https://github.com/ceph/ceph/pull/17742
Here, for different tenants this issue is fixed. I found this issue with the same tenant, in which, after setting a policy for user2 in tenant1, user2 is not able to get
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python2.7/dist-packages/boto/s3/connection.py", line 509, in get_bucket
    return self.head_bucket(bucket_name, headers=headers)
  File "/usr/local/lib/python2.7/dist-packages/boto/s3/connection.py", line 542, in head_bucket
    raise err
boto.exception.S3ResponseError: S3ResponseError: 403 Forbidden
Moving back to Assigned
In your traceback the error is in get_bucket, which executes a HEAD on the bucket; this requires ListBucket permissions. When I try get/put Version with a user in the same tenant it works fine. Can you recheck your policy/authentication?
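Both clarifications given in this thread (the reported policy grants s3:GetBucketVersioning but not s3:PutBucketVersioning, so configure_versioning() is denied; and boto's get_bucket() issues a HEAD on the bucket, which needs s3:ListBucket) can be confirmed offline before suspecting the gateway. The following is an added example, not code from this report or from Ceph: a small evaluator for the Principal/Action/Resource parts of an S3 bucket policy, run against the policy posted in the description. It assumes that the tenant sits in the account field of the bucket ARN (BUCKET_ARN, which is what the "arn:aws:s3::*:my-new-bucket" wildcard in the reported policy implies) and that the REQUEST_ACTIONS table maps each request in this thread to the IAM action it requires; Condition, NotAction, NotResource and NotPrincipal are not handled.

```python
import fnmatch
import json

# Constructed sample input: the bucket policy posted in the report above.
# It grants testx$u3 ListBucket, Get/PutBucketPolicy and GetBucketVersioning,
# but not PutBucketVersioning.
REPORTED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::testx:user/u3"]},
    "Action": ["s3:ListBucket", "s3:PutBucketPolicy",
               "s3:GetBucketPolicy", "s3:GetBucketVersioning"],
    "Resource": ["arn:aws:s3::*:my-new-bucket",
                 "arn:aws:s3::*:my-new-bucket/*"]
  }]
}
""")

# Assumption: the tenant occupies the account field of the bucket ARN, which is
# what the "arn:aws:s3::*:my-new-bucket" wildcard in the reported policy implies.
BUCKET_ARN = "arn:aws:s3::testx:my-new-bucket"

# Assumption: the IAM action each request in this thread needs
# (boto's get_bucket() issues HEAD bucket; configure_versioning() issues PUT ?versioning).
REQUEST_ACTIONS = {
    "HEAD bucket": "s3:ListBucket",
    "GET ?versioning": "s3:GetBucketVersioning",
    "PUT ?versioning": "s3:PutBucketVersioning",
    "PUT ?requestPayment": "s3:PutBucketRequestPayment",
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _glob_match(patterns, value):
    """IAM-style matching: '*' and '?' wildcards, case-sensitive."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_match(principal, user_arn):
    """Match the Principal element against the caller's IAM ARN."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return _glob_match(principal.get("AWS", []), user_arn)
    return False


def evaluate(policy, user_arn, action, resource_arn):
    """Return 'Deny', 'Allow' or 'NoMatch' (implicit deny) for one request.

    Only Principal/Action/Resource are evaluated; Condition, NotAction,
    NotResource and NotPrincipal are out of scope for this helper.
    An explicit Deny wins over any Allow, as in IAM.
    """
    decision = "NoMatch"
    for stmt in _as_list(policy["Statement"]):
        if not _principal_match(stmt.get("Principal", {}), user_arn):
            continue
        if not _glob_match(stmt.get("Action", []), action):
            continue
        if not _glob_match(stmt.get("Resource", []), resource_arn):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def missing_actions(policy, user_arn, actions, resource_arn):
    """List the actions in `actions` that the policy does not grant the user."""
    return [a for a in actions
            if evaluate(policy, user_arn, a, resource_arn) != "Allow"]


def explain_request(policy, user_arn, request, resource_arn):
    """Map an S3 request to its IAM action and report the policy decision."""
    action = REQUEST_ACTIONS[request]
    return action, evaluate(policy, user_arn, action, resource_arn)


if __name__ == "__main__":
    u3 = "arn:aws:iam::testx:user/u3"
    for req in REQUEST_ACTIONS:
        print(req, "->", explain_request(REPORTED_POLICY, u3, req, BUCKET_ARN))
    print("not granted:", missing_actions(
        REPORTED_POLICY, u3,
        ["s3:GetBucketVersioning", "s3:PutBucketVersioning"], BUCKET_ARN))
```

Run against the reported policy, "HEAD bucket" and "GET ?versioning" come back Allow while "PUT ?versioning" comes back NoMatch, which is the 403 in the description; the same check with a principal from tenant testy returns NoMatch for every request, since that policy names only testx's u3. The evaluator is deliberately strict about resource patterns: "arn:aws:s3::*:my-new-bucket" matches the bucket itself and only the "/*" pattern matches objects, so a policy that omits the "/*" entry will fail object-level actions even when the bucket-level ones pass.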
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:3387