Bug 1891117 - Adding public-read policy to bucket prevents subsequent authenticated access
Summary: Adding public-read policy to bucket prevents subsequent authenticated access
Keywords:
Status: CLOSED DUPLICATE of bug 1889683
Alias: None
Product: Red Hat OpenShift Container Storage
Classification: Red Hat Storage
Component: Multi-Cloud Object Gateway
Version: 4.5
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Nimrod Becker
QA Contact: Raz Tamir
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-10-23 19:46 UTC by Lars Kellogg-Stedman
Modified: 2020-10-27 05:01 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-26 16:13:16 UTC
Embargoed:



Description Lars Kellogg-Stedman 2020-10-23 19:46:17 UTC
Description of problem (please be detailed as possible and provide log
snippets):

I have created a bucket in Noobaa with the following OBC:

    apiVersion: objectbucket.io/v1alpha1
    kind: ObjectBucketClaim
    metadata:
      name: example-noobaa
    spec:
      generateBucketName: example
      storageClassName: openshift-storage.noobaa.io

This results in a bucket named example-<suffix>, e.g:

  $ oc get configmap example-noobaa -o jsonpath={.data.BUCKET_NAME}
  example-5c934e7d-fba1-46c6-997d-d699229f87df

I would like to grant public read access to this bucket. I am applying the following policy:

    {
      "Version":"2012-10-17",
      "Statement":[
        {
          "Sid":"PublicRead",
          "Effect":"Allow",
          "Principal": "*",
          "Action":["s3:GetObject", "s3:GetObjectVersion"],
          "Resource":["arn:aws:s3:::example-5c934e7d-fba1-46c6-997d-d699229f87df/*"]
        }
      ]
    }

Using the aws-cli command:

  $ aws-cli s3api --endpoint https://s3-openshift-storage.apps.cnv.massopen.cloud put-bucket-policy --bucket example-5c934e7d-fba1-46c6-997d-d699229f87df --policy file://policy-noobaa.json

The policy applies successfully, but after this I no longer have normal authenticated access to the bucket:

  $ aws-cli s3 --endpoint https://s3-openshift-storage.apps.cnv.massopen.cloud ls  s3://example-5c934e7d-fba1-46c6-997d-d699229f87df
  An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

If I perform the same sequence of actions using the S3 interface provided by Ceph's radosgw endpoint, it works as expected (I continue to have authenticated access to the bucket even after setting a public-read policy).


Version of all relevant components (if applicable):

OCS 4.5.1 on OCP 4.5.14

Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)?

It makes working with Noobaa-managed buckets largely impossible.

Is there any workaround available to the best of your knowledge?

We've exposed the Ceph RGW endpoint publicly and we're working with that instead of Noobaa.

Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)?

3

Is this issue reproducible?

Yes

Can this issue be reproduced from the UI?

No

Actual results:

I lost authenticated access to an object bucket after applying a public read policy.

Expected results:

I expected to continue to have access to the bucket.
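As an added check (not part of the report or of the Noobaa project), the script below builds the same public-read policy for the reporter's bucket name and audits it for the properties that matter in this scenario: the policy contains only Allow statements (an Allow-only policy can never itself revoke the bucket owner's access, which is why the AccessDenied on ListObjectsV2 above is unexpected), the anonymous principal receives read-only object actions, and every resource stays inside the one bucket. The evaluation is a simplified model of S3 policy semantics written for this illustration, not the gateway's own logic.

```python
import json

# Bucket name taken from the report; the policy is a constructed copy of the one applied there.
BUCKET = "example-5c934e7d-fba1-46c6-997d-d699229f87df"
READ_ONLY_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion"}


def public_read_policy(bucket: str) -> dict:
    """Build the object-level public-read policy from the report for the given bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:GetObjectVersion"],
            "Resource": [f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def audit_public_policy(policy: dict, bucket: str) -> list:
    """Return findings about a policy meant to grant public read; an empty list means
    the policy is Allow-only, read-only for anonymous callers, and scoped to `bucket`."""
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            # A Deny with Principal "*" would also match the owner's authenticated requests.
            findings.append(f"{sid}: Deny statement present; Principal * also matches the owner")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        anonymous = stmt.get("Principal") in ("*", {"AWS": "*"})
        if anonymous:
            extra = set(actions) - READ_ONLY_ACTIONS
            if extra:
                findings.append(f"{sid}: anonymous principal granted non-read actions {sorted(extra)}")
        for res in resources:
            if res != f"arn:aws:s3:::{bucket}" and not res.startswith(f"arn:aws:s3:::{bucket}/"):
                findings.append(f"{sid}: resource {res} is outside bucket {bucket}")
    return findings


def policy_file_text(policy: dict) -> str:
    """Serialise the policy as written to the file passed via --policy file://... above."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = public_read_policy(BUCKET)
    print(policy_file_text(policy))
    print("findings:", audit_public_policy(policy, BUCKET) or "none")
```

Note that this policy grants no s3:ListBucket at all, so an anonymous listing is expected to fail; only the owner's authenticated listing failing is the anomaly.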

Comment 3 Lars Kellogg-Stedman 2020-10-26 15:36:15 UTC
> Did you use 4.5 as stated in the BZ?

Yes, this is with OCS 4.5.1. I don't believe 4.6 has been released yet?

