Comment 13 Persona non grata
2017-10-12 11:53:41 UTC
After setting the policy of set_cors for a user from the same tenant and a different tenant, I got the following:
For the same tenant's user, I was not able to access the bucket itself, thus set_cors and get_cors were not successful.
For the user from a different tenant, I was able to get_cors and set_cors; both were working well.
Moving to assigned.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2017:3387
Description of problem:
After setting the policy, set_cors_xml()/set_cors() or get_cors_xml()/get_cors() fail to work.

Version-Release number of selected component (if applicable):
ceph-radosgw-12.2.0-2.el7cp.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Create a bucket with tenant user testx$tester
2. Write a bucket policy providing s3:GetBucketCORS/s3:PutBucketCORS to another user in the same or different tenant
3. After setting the policy, try setting/getting CORS configuration on the bucket using the permitted user credentials

Actual results:
S3ResponseError: 403 Forbidden

Expected results:
Should successfully allow the user to set/get CORS configuration.

Additional info:

Bucket policy:

    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::testy:user/u2"]},
        "Action": ["s3:ListBucket", "s3:GetBucketCORS", "s3:PutBucketCORS"],
        "Resource": [
          "arn:aws:s3::*:my-bucket",
          "arn:aws:s3::*:my-bucket/*"
        ]
      }]
    }

    # s3cmd -c s3test.cfg setpolicy getputcors s3://my-bucket

Boto script with the user credentials of testy$u2:

    b = conn.get_bucket("testx:my-bucket")
    cors_conf = """
    <CORSConfiguration>
      <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>PUT</AllowedMethod>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>DELETE</AllowedMethod>
        <AllowedHeader>*</AllowedHeader>
      </CORSRule>
    </CORSConfiguration>
    """
    b.set_cors_xml(cors_conf)
    print b.get_cors()

--------------------------

      File "getputcors.py", line 29, in <module>
        print b.get_cors()
      File "/usr/lib/python2.7/site-packages/boto/s3/bucket.py", line 1668, in get_cors
        body = self.get_cors_xml(headers)
      File "/usr/lib/python2.7/site-packages/boto/s3/bucket.py", line 1658, in get_cors_xml
        response.status, response.reason, body)
    boto.exception.S3ResponseError: S3ResponseError: 403 Forbidden

    # python getputcors.py
    <Bucket: testx:my-bucket>
    Traceback (most recent call last):
      File "getputcors.py", line 28, in <module>
        b.set_cors_xml(cors_conf)
      File "/usr/lib/python2.7/site-packages/boto/s3/bucket.py", line 1632, in set_cors_xml
        response.status, response.reason, body)
    boto.exception.S3ResponseError: S3ResponseError: 403 Forbidden

---------------------------

Logs:

    /testx:my-bucket/?cors
    2017-09-21 14:19:40.255469 7f5fdd6d9700 15 server signature=5hlNTYhGw8mEx0btGPtyZjtHUPU=
    2017-09-21 14:19:40.255470 7f5fdd6d9700 15 client signature=5hlNTYhGw8mEx0btGPtyZjtHUPU=
    2017-09-21 14:19:40.255472 7f5fdd6d9700 15 compare=0
    2017-09-21 14:19:40.255477 7f5fdd6d9700 20 rgw::auth::s3::LocalEngine granted access
    2017-09-21 14:19:40.255479 7f5fdd6d9700 20 rgw::auth::s3::AWSAuthStrategy granted access
    2017-09-21 14:19:40.255483 7f5fdd6d9700 2 req 34:0.000179:s3:GET /testx:my-bucket/:get_cors:normalizing buckets and tenants
    2017-09-21 14:19:40.255488 7f5fdd6d9700 10 s->object=<NULL> s->bucket=testx/my-bucket
    2017-09-21 14:19:40.255493 7f5fdd6d9700 2 req 34:0.000188:s3:GET /testx:my-bucket/:get_cors:init permissions
    2017-09-21 14:19:40.255518 7f5fdd6d9700 15 decode_policy Read AccessControlPolicy<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>testx$tester</ID><DisplayName>Test User</DisplayName></Owner><AccessControlList><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>testx$tester</ID><DisplayName>Test User</DisplayName></Grantee><Permission>FULL_CONTROL</Permission></Grant></AccessControlList></AccessControlPolicy>
    2017-09-21 14:19:40.255603 7f5fdd6d9700 2 req 34:0.000299:s3:GET /testx:my-bucket/:get_cors:recalculating target
    2017-09-21 14:19:40.255609 7f5fdd6d9700 2 req 34:0.000305:s3:GET /testx:my-bucket/:get_cors:reading permissions
    2017-09-21 14:19:40.255612 7f5fdd6d9700 2 req 34:0.000308:s3:GET /testx:my-bucket/:get_cors:init op
    2017-09-21 14:19:40.255615 7f5fdd6d9700 2 req 34:0.000311:s3:GET /testx:my-bucket/:get_cors:verifying op mask
    2017-09-21 14:19:40.255618 7f5fdd6d9700 20 required_mask= 1 user.op_mask=7
    2017-09-21 14:19:40.255620 7f5fdd6d9700 2 req 34:0.000316:s3:GET /testx:my-bucket/:get_cors:verifying op permissions
    2017-09-21 14:19:40.255624 7f5fdd6d9700 20 op->ERRORHANDLER: err_no=-13 new_err_no=-13
    2017-09-21 14:19:40.255804 7f5fdd6d9700 2 req 34:0.000500:s3:GET /testx:my-bucket/:get_cors:op status=0
    2017-09-21 14:19:40.255810 7f5fdd6d9700 2 req 34:0.000506:s3:GET /testx:my-bucket/:get_cors:http status=403
    2017-09-21 14:19:40.255814 7f5fdd6d9700 1 ====== req done req=0x7f5fdd6d3190 op status=0 http_status=403 ======
    2017-09-21 14:19:40.255829 7f5fdd6d9700 20 process_request() returned -13
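A triage sketch for the log excerpt above, added here as an example and not part of the original report or of Ceph. It separates an authentication failure from an authorization denial by finding the phase logged just before the first error. It assumes all lines of one request share a thread id, as they do in the excerpt; `triage` and `classify` are hypothetical names, and the sample lines are copied from the report.

```python
import errno
import re

# Constructed sample: lines copied from the log excerpt in this report.
SAMPLE_LOG = """\
2017-09-21 14:19:40.255472 7f5fdd6d9700 15 compare=0
2017-09-21 14:19:40.255479 7f5fdd6d9700 20 rgw::auth::s3::AWSAuthStrategy granted access
2017-09-21 14:19:40.255483 7f5fdd6d9700 2 req 34:0.000179:s3:GET /testx:my-bucket/:get_cors:normalizing buckets and tenants
2017-09-21 14:19:40.255620 7f5fdd6d9700 2 req 34:0.000316:s3:GET /testx:my-bucket/:get_cors:verifying op permissions
2017-09-21 14:19:40.255624 7f5fdd6d9700 20 op->ERRORHANDLER: err_no=-13 new_err_no=-13
2017-09-21 14:19:40.255810 7f5fdd6d9700 2 req 34:0.000506:s3:GET /testx:my-bucket/:get_cors:http status=403
2017-09-21 14:19:40.255814 7f5fdd6d9700 1 ====== req done req=0x7f5fdd6d3190 op status=0 http_status=403 ======
"""

LINE = re.compile(r"^\S+ \S+ (?P<thread>[0-9a-f]+)\s+(?P<level>\d+) (?P<msg>.*)$")
REQ = re.compile(r"^req \d+:[\d.]+:s3:\w+ (?P<path>\S+):(?P<op>\w+):(?P<phase>.*)$")
ERR = re.compile(r"ERRORHANDLER: err_no=(-?\d+)")
DONE = re.compile(r"req done .*http_status=(\d+)")


def classify(req):
    """Tell an authentication failure apart from an authorization denial."""
    if req["authenticated"] and req["errno"] is not None:
        return "authorization denied at '%s'" % req["failed_phase"]
    return "no auth grant logged" if not req["authenticated"] else "no error logged"


def triage(log_text):
    """Summarise each finished request; lines are correlated by thread id."""
    state, finished = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"]
        cur = state.setdefault(m["thread"], {"authenticated": False, "errno": None, "failed_phase": None})
        if msg.endswith("AWSAuthStrategy granted access"):
            cur["authenticated"] = True
        elif r := REQ.match(msg):
            cur.update(op=r["op"], path=r["path"], phase=r["phase"])
        elif (e := ERR.search(msg)) and cur["errno"] is None:
            # First error wins: keep the errno and the phase logged just before it.
            code = int(e[1])
            cur.update(errno=code, errname=errno.errorcode.get(-code), failed_phase=cur.get("phase"))
        elif d := DONE.search(msg):
            cur["http_status"] = int(d[1])
            cur["verdict"] = classify(cur)
            finished.append(state.pop(m["thread"]))
    return finished
```

For the request in this report the summary shows a granted signature check followed by EACCES in the "verifying op permissions" phase, so the 403 comes from permission evaluation rather than from the credentials.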