Description of problem:
After setting the policy, get_location() on the bucket fails to work.

Version-Release number of selected component (if applicable):
ceph-radosgw-12.2.0-2.el7cp.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Create a bucket with tenant user testx$tester
2. Write a bucket policy providing s3:GetBucketLocation to another user in the same or a different tenant
3. After setting the policy, try doing a get_location() on the bucket with the permitted user's credentials.

Actual results:
S3ResponseError: 403 Forbidden

Additional info:

Policy:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::testy:user/u2"]},
    "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
    "Resource": [
      "arn:aws:s3::*:location-bucket",
      "arn:aws:s3::*:location-bucket/*"
    ]
  }]
}

getlocation.py (boto, Python 2):
from boto.s3.connection import S3Connection, OrdinaryCallingFormat
conn = S3Connection('<access key>', '<secret key>', host='<rgw host>', calling_format=OrdinaryCallingFormat())  # placeholders: credentials of the permitted user (testy$u2) and the RGW endpoint
b = conn.get_bucket("testx:location-bucket")
print b.get_location()

# python getlocation.py
<Bucket: testx:location-bucket>
Traceback (most recent call last):
  File "getlocation.py", line 15, in <module>
    print b.get_location()
  File "/usr/lib/python2.7/site-packages/boto/s3/bucket.py", line 1146, in get_location
    response.status, response.reason, body)
boto.exception.S3ResponseError: S3ResponseError: 403 Forbidden

Logs:
/testx:location-bucket/?location
2017-09-21 07:44:01.212109 7f5fe2ee4700 15 server signature=vCSDLCGJa9zyZZ8tGy5vVLjgtic=
2017-09-21 07:44:01.212110 7f5fe2ee4700 15 client signature=vCSDLCGJa9zyZZ8tGy5vVLjgtic=
2017-09-21 07:44:01.212111 7f5fe2ee4700 15 compare=0
2017-09-21 07:44:01.212115 7f5fe2ee4700 20 rgw::auth::s3::LocalEngine granted access
2017-09-21 07:44:01.212116 7f5fe2ee4700 20 rgw::auth::s3::AWSAuthStrategy granted access
2017-09-21 07:44:01.212118 7f5fe2ee4700 2 req 16:0.000119:s3:GET /testx:location-bucket/:get_bucket_location:normalizing buckets and tenants
2017-09-21 07:44:01.212121 7f5fe2ee4700 10 s->object=<NULL> s->bucket=testx/location-bucket
2017-09-21 07:44:01.212123 7f5fe2ee4700 2 req 16:0.000125:s3:GET /testx:location-bucket/:get_bucket_location:init permissions
2017-09-21 07:44:01.212139 7f5fe2ee4700 15 decode_policy Read AccessControlPolicy<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>testx$tester</ID><DisplayName>Test User</DisplayName></Owner><AccessControlList><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>testx$tester</ID><DisplayName>Test User</DisplayName></Grantee><Permission>FULL_CONTROL</Permission></Grant></AccessControlList></AccessControlPolicy>
2017-09-21 07:44:01.212204 7f5fe2ee4700 2 req 16:0.000205:s3:GET /testx:location-bucket/:get_bucket_location:recalculating target
2017-09-21 07:44:01.212204 7f5fe2ee4700 2 req 16:0.000205:s3:GET /testx:location-bucket/:get_bucket_location:recalculating target
2017-09-21 07:44:01.212209 7f5fe2ee4700 2 req 16:0.000210:s3:GET /testx:location-bucket/:get_bucket_location:reading permissions
2017-09-21 07:44:01.212211 7f5fe2ee4700 2 req 16:0.000213:s3:GET /testx:location-bucket/:get_bucket_location:init op
2017-09-21 07:44:01.212213 7f5fe2ee4700 2 req 16:0.000214:s3:GET /testx:location-bucket/:get_bucket_location:verifying op mask
2017-09-21 07:44:01.212214 7f5fe2ee4700 20 required_mask= 1 user.op_mask=7
2017-09-21 07:44:01.212216 7f5fe2ee4700 2 req 16:0.000217:s3:GET /testx:location-bucket/:get_bucket_location:verifying op permissions
2017-09-21 07:44:01.212218 7f5fe2ee4700 20 op->ERRORHANDLER: err_no=-13 new_err_no=-13
2017-09-21 07:44:01.212355 7f5fe2ee4700 2 req 16:0.000356:s3:GET /testx:location-bucket/:get_bucket_location:op status=0
2017-09-21 07:44:01.212360 7f5fe2ee4700 2 req 16:0.000362:s3:GET /testx:location-bucket/:get_bucket_location:http status=403
2017-09-21 07:44:01.212363 7f5fe2ee4700 1 ====== req done req=0x7f5fe2ede190 op status=0 http_status=403 ======
2017-09-21 07:44:01.212373 7f5fe2ee4700 20 process_request() returned -13
Fix at https://github.com/ceph/ceph/pull/18002
After setting a get_location policy for a user from the same tenant and for a user from a different tenant, I got the following: for the same tenant's user, I was not able to access the bucket itself, thus get_location was not successful. For the user from a different tenant, get_location was working fine. Moving to ASSIGNED.
Please double check that your policy in the same-tenant configuration includes ListBucket. Boto issues a HEAD request for its get_bucket call, and that request requires that permission. In principle a client could just submit the GET/PUT calls without issuing a HEAD first, but the Boto library makes that requirement.
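To make the point of the previous comment concrete for the policy shown in the report, here is a small model of bucket-policy evaluation (an added example written for this page; it is not code from Ceph, RGW or boto, and it only models Effect/Principal/Action/Resource with glob wildcards, not conditions). It walks the two requests boto sends for get_bucket() followed by get_location(), namely HEAD (needing s3:ListBucket) and GET ?location (needing s3:GetBucketLocation), and reports at which call a policy that grants only s3:GetBucketLocation produces the 403. The policy documents are constructed here in the same shape as the report's; the tenant-wildcard ARN handling (treating the account field of the ARN as the RGW tenant) is an assumption of this model.

```python
"""Simplified model of S3 bucket-policy evaluation with RGW tenant-qualified ARNs.

Added example, not Ceph/RGW/boto code. It shows why boto's get_bucket() 403s
when a bucket policy grants s3:GetBucketLocation but not s3:ListBucket.
"""
import fnmatch
import json

BUCKET_ARN = "arn:aws:s3::testx:location-bucket"   # bucket owned by tenant testx, as in the report
PRINCIPAL_U2 = "arn:aws:iam::testy:user/u2"        # grantee from the report's policy


def _policy(actions):
    """Constructed policy in the report's shape: Allow the given actions to
    testy$u2 on location-bucket (and its objects) in any tenant."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": [PRINCIPAL_U2]},
            "Action": list(actions),
            "Resource": ["arn:aws:s3::*:location-bucket",
                         "arn:aws:s3::*:location-bucket/*"],
        }],
    })


# The weak policy (location only) beside the corrected one (location + list).
POLICY_LOCATION_ONLY = _policy(["s3:GetBucketLocation"])
POLICY_LIST_AND_LOCATION = _policy(["s3:ListBucket", "s3:GetBucketLocation"])

# Requests boto issues for the report's two calls (assumption based on the
# thread's comment that get_bucket() sends a HEAD, which needs s3:ListBucket).
BOTO_CALLS = [
    ("get_bucket",   "s3:ListBucket",        BUCKET_ARN),  # HEAD /testx:location-bucket/
    ("get_location", "s3:GetBucketLocation", BUCKET_ARN),  # GET  /testx:location-bucket/?location
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def arn_matches(pattern, arn):
    """Component-wise glob match of a 6-part ARN
    (arn:partition:service:region:tenant:resource). RGW writes the tenant
    where AWS puts the account id, so '*' in that field means 'any tenant'."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    return all(fnmatch.fnmatchcase(a, p) for p, a in zip(p_parts, a_parts))


def _principal_matches(spec, principal):
    if spec == "*":
        return True
    if isinstance(spec, dict):
        return any(fnmatch.fnmatchcase(principal, p) for p in _as_list(spec.get("AWS", [])))
    return False


def evaluate(policy_json, principal, action, resource):
    """IAM-style decision: an explicit Deny wins, otherwise any matching Allow
    grants, otherwise the request is denied by default."""
    allowed = False
    for stmt in json.loads(policy_json)["Statement"]:
        if not _principal_matches(stmt.get("Principal", {}), principal):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(arn_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def first_denied_call(policy_json, principal):
    """Walk boto's request sequence and return the first call the policy would
    reject (where the client sees the 403), or None if every call is allowed."""
    for call, action, resource in BOTO_CALLS:
        if not evaluate(policy_json, principal, action, resource):
            return call
    return None


if __name__ == "__main__":
    for name, policy in [("GetBucketLocation only", POLICY_LOCATION_ONLY),
                         ("ListBucket + GetBucketLocation", POLICY_LIST_AND_LOCATION)]:
        print("%s: first 403 at %s" % (name, first_denied_call(policy, PRINCIPAL_U2)))
```

Running it reports that the location-only policy already fails at get_bucket (the HEAD), while the policy that also grants s3:ListBucket lets both calls through; a user whose ARN is not listed as a Principal is denied regardless, which is a quick way to sanity-check the same-tenant configuration from the earlier comment.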
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:3387