
Bug 1493896

Summary: s3:GetBucketWebsite/PutBucketWebsite fails with 403
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: shilpa <smanjara>
Component: RGW
Assignee: Adam C. Emerson <aemerson>
Status: CLOSED ERRATA
QA Contact: Persona non grata <nobody+410372>
Severity: medium
Priority: high
Version: 3.0
CC: anharris, cbodley, ceph-eng-bugs, ceph-qe-bugs, hnallurv, kbader, kdreyer, mbenjamin, owasserm, sweil, tchandra
Target Milestone: rc
Target Release: 3.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: RHEL: ceph-12.2.1-4.el7cp Ubuntu: ceph_12.2.1-10redhat1xenial
Doc Type: If docs needed, set a value
Last Closed: 2017-12-05 23:44:17 UTC
Type: Bug

Description shilpa 2017-09-21 06:55:33 UTC
Description of problem:
After setting the policy, configure_website() and get_website_configuration() fail to work.

Version-Release number of selected component (if applicable):
ceph-radosgw-12.2.0-2.el7cp.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Create a bucket with tenant user testx$tester
2. Write a bucket policy providing s3:GetBucketWebsite/s3:PutBucketWebsite to another user in the same or different tenant
3. After setting the policy, try enabling/getting static website configuration on the bucket

Actual results:
S3ResponseError: 403 Forbidden

Expected results:
Website configuration should work

Additional info:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::testy:user/u2"]},
    "Action": ["s3:ListBucket", "s3:PutObject", "s3:GetBucketWebsite", "s3:PutBucketWebsite"],
    "Resource": [
      "arn:aws:s3::*:s3website",
      "arn:aws:s3::*:s3website/*"
    ]
  }]
}

# s3cmd -c s3test.cfg setpolicy getwebsite  s3://s3website

#s3website.py
website_bucket = conn.get_bucket("testx:s3website")
index_key = website_bucket.new_key('index.html')
index_key.content_type = 'text/html'
index_key.set_contents_from_filename('index.html',policy='public-read')

website_bucket.configure_website('index.html')
website_bucket.get_website_configuration()


Traceback (most recent call last):
  File "s3website.py", line 18, in <module>
    website_bucket.configure_website('index.html')
boto.exception.S3ResponseError: S3ResponseError: 403 Forbidden
<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><BucketName>s3website</BucketName>


/testx:s3website/?website
2017-09-20 06:08:51.519574 7f4d7c9b0700 15 server signature=d4Pp9Y6P+U6xJEnTE5ZJxS3XIMg=
2017-09-20 06:08:51.519574 7f4d7c9b0700 15 client signature=d4Pp9Y6P+U6xJEnTE5ZJxS3XIMg=
2017-09-20 06:08:51.519575 7f4d7c9b0700 15 compare=0
2017-09-20 06:08:51.519579 7f4d7c9b0700 20 rgw::auth::s3::LocalEngine granted access
2017-09-20 06:08:51.519580 7f4d7c9b0700 20 rgw::auth::s3::AWSAuthStrategy granted access
2017-09-20 06:08:51.519582 7f4d7c9b0700  2 req 3:0.000126:s3:PUT /testx:s3website/:set_bucket_website:normalizing buckets and tenants
2017-09-20 06:08:51.519585 7f4d7c9b0700 10 s->object=<NULL> s->bucket=testx/s3website
2017-09-20 06:08:51.519587 7f4d7c9b0700  2 req 3:0.000131:s3:PUT /testx:s3website/:set_bucket_website:init permissions
2017-09-20 06:08:51.519603 7f4d7c9b0700 15 decode_policy Read AccessControlPolicy<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>testx$tester</ID><DisplayName>Test User</DisplayName></Owner><AccessControlList><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>testx$tester</ID><DisplayName>Test User</DisplayName></Grantee><Permission>FULL_CONTROL</Permission></Grant></AccessControlList></AccessControlPolicy>
2017-09-20 06:08:51.519702 7f4d7c9b0700  2 req 3:0.000246:s3:PUT /testx:s3website/:set_bucket_website:recalculating target
2017-09-20 06:08:51.519707 7f4d7c9b0700  2 req 3:0.000251:s3:PUT /testx:s3website/:set_bucket_website:reading permissions
2017-09-20 06:08:51.519710 7f4d7c9b0700  2 req 3:0.000253:s3:PUT /testx:s3website/:set_bucket_website:init op
2017-09-20 06:08:51.519711 7f4d7c9b0700  2 req 3:0.000255:s3:PUT /testx:s3website/:set_bucket_website:verifying op mask
2017-09-20 06:08:51.519713 7f4d7c9b0700 20 required_mask= 2 user.op_mask=7
2017-09-20 06:08:51.519714 7f4d7c9b0700  2 req 3:0.000258:s3:PUT /testx:s3website/:set_bucket_website:verifying op permissions
2017-09-20 06:08:51.519716 7f4d7c9b0700 20 op->ERRORHANDLER: err_no=-13 new_err_no=-13
2017-09-20 06:08:51.519873 7f4d7c9b0700  2 req 3:0.000417:s3:PUT /testx:s3website/:set_bucket_website:op status=0
2017-09-20 06:08:51.519879 7f4d7c9b0700  2 req 3:0.000422:s3:PUT /testx:s3website/:set_bucket_website:http status=403
2017-09-20 06:08:51.519882 7f4d7c9b0700  1 ====== req done req=0x7f4d7c9aa190 op status=0 http_status=403 ======
2017-09-20 06:08:51.519891 7f4d7c9b0700 20 process_request() returned -13

File "s3website.py", line 19, in <module>
    website_bucket.get_website_configuration()
boto.exception.S3ResponseError: S3ResponseError: 403 Forbidden
<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><BucketName>s3website</BucketName>
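
Added example, not part of the original report and not Ceph code: the quoted log shows the signature check passing and the request failing only at "verifying op permissions" with err_no=-13 (EACCES), which marks this 403 as an authorization denial rather than an authentication failure. The sketch below performs that triage over RGW debug lines; the function name and the use of the thread id to group a request's lines are assumptions based on the log format shown above.

```python
import errno
import re

# Constructed sample: five of the RGW debug lines quoted in the report above.
SAMPLE_LOG = """\
2017-09-20 06:08:51.519579 7f4d7c9b0700 20 rgw::auth::s3::LocalEngine granted access
2017-09-20 06:08:51.519582 7f4d7c9b0700  2 req 3:0.000126:s3:PUT /testx:s3website/:set_bucket_website:normalizing buckets and tenants
2017-09-20 06:08:51.519714 7f4d7c9b0700  2 req 3:0.000258:s3:PUT /testx:s3website/:set_bucket_website:verifying op permissions
2017-09-20 06:08:51.519716 7f4d7c9b0700 20 op->ERRORHANDLER: err_no=-13 new_err_no=-13
2017-09-20 06:08:51.519879 7f4d7c9b0700  2 req 3:0.000422:s3:PUT /testx:s3website/:set_bucket_website:http status=403
"""

# timestamp, thread id, debug level, message
LINE = re.compile(r"^(\S+ \S+) (\w+)\s+(\d+) (.*)$")
# "req N:elapsed:s3:METHOD path:op_name:stage"
STAGE = re.compile(r"^req (\d+):[\d.]+:s3:(\w+) (\S+):(\w+):(.*)$")

def triage_403(log_text):
    """Return one finding per request in log_text that ended in HTTP 403."""
    threads, findings = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # wrapped XML or other continuation lines
        tid, msg = m.group(2), m.group(4)
        st = threads.setdefault(tid, {"auth_ok": False, "stage": None,
                                      "errno": None, "failed_stage": None})
        s = STAGE.match(msg)
        if msg.endswith("granted access"):
            st["auth_ok"] = True
        elif msg.startswith("op->ERRORHANDLER:"):
            st["errno"] = int(re.search(r"err_no=(-?\d+)", msg).group(1))
            st["failed_stage"] = st["stage"]  # stage running when the op failed
        elif s and s.group(5).startswith("http status="):
            if s.group(5) == "http status=403":
                denied = (st["auth_ok"] and st["errno"] == -errno.EACCES
                          and st["failed_stage"] == "verifying op permissions")
                findings.append({"req": int(s.group(1)), "method": s.group(2),
                                 "path": s.group(3), "op": s.group(4),
                                 "failed_stage": st["failed_stage"],
                                 "verdict": "authorization" if denied else "other"})
            del threads[tid]  # request finished; reset per-thread state
        elif s:
            st["stage"] = s.group(5)
    return findings

if __name__ == "__main__":
    for finding in triage_403(SAMPLE_LOG):
        print(finding)
```

A finding with verdict "authorization" points at the ACL or bucket policy evaluation for the named op, not at the client's keys or signature.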

Comment 3 Adam C. Emerson 2017-09-28 18:22:36 UTC
Here, have a PR. https://github.com/ceph/ceph/pull/18024

Comment 15 errata-xmlrpc 2017-12-05 23:44:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:3387