Bug 1915041 - s3:ListMultipartUploadParts is relied on implicitly
Summary: s3:ListMultipartUploadParts is relied on implicitly
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Image Registry
Version: 4.7
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.7.0
Assignee: Joel Diaz
QA Contact: Wenjing Zheng
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-01-11 20:05 UTC by Joel Diaz
Modified: 2023-09-15 00:58 UTC
CC: 4 users

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-02-24 15:51:51 UTC
Target Upstream Version:
Embargoed:


Links
Github openshift cluster-image-registry-operator pull 650 (closed): Bug 1915041: add ListMultipartUploadParts permission (last updated 2021-01-18 07:16:44 UTC)
Red Hat Product Errata RHSA-2020:5633 (last updated 2021-02-24 15:52:13 UTC)

Description Joel Diaz 2021-01-11 20:05:41 UTC
Description of problem:
The image registry performs multi-part uploads to S3. To check on the status of these uploads requires the s3:ListMultipartUploadParts permission. This permission is implicitly granted to the user/credentials who initiated the multi-part upload.

In the event of a credentials rotation, the image registry could lose the ability to s3:ListMultipartUploadParts.

Version-Release number of selected component (if applicable):

Comment 1 Joel Diaz 2021-01-12 16:57:37 UTC
@obulatov why the retargeting of release? This was discussed with @sdodson yesterday. We wanted to avoid introducing new permissions in 4.7.z with https://github.com/openshift/cluster-image-registry-operator/pull/640 , and the plan was to put the permission in for 4.7.0.

Comment 2 Oleg Bulatov 2021-01-12 17:21:09 UTC
I haven't seen the PR and I didn't expect that my team would have time to fix it in 4.7.0. I'm ok to land it in 4.7.0, thank you for the contributions.

Comment 6 Wenjing Zheng 2021-01-19 07:11:23 UTC
$ oc get secrets -n openshift-image-registry installer-cloud-credentials -o yaml | grep ListMultipartUploadParts
    cloudcredential.openshift.io/aws-policy-last-applied: '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:CreateBucket","s3:DeleteBucket","s3:PutBucketTagging","s3:GetBucketTagging","s3:PutBucketPublicAccessBlock","s3:GetBucketPublicAccessBlock","s3:PutEncryptionConfiguration","s3:GetEncryptionConfiguration","s3:PutLifecycleConfiguration","s3:GetLifecycleConfiguration","s3:GetBucketLocation","s3:ListBucket","s3:HeadBucket","s3:GetObject","s3:PutObject","s3:DeleteObject","s3:ListBucketMultipartUploads","s3:AbortMultipartUpload","s3:ListMultipartUploadParts"],"Resource":"*"},{"Effect":"Allow","Action":["iam:GetUser"],"Resource":"arn:aws:iam::301721915996:user/qe-ui47-0119-n59pr-openshift-image-registry-v2vd8"}]}'
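
The description (the permission is granted implicitly only to the credentials that started the upload, so a rotation silently removes it) and the verification in comments 6 and 9 (grep the aws-policy-last-applied annotation for the action name) both come down to inspecting the policy text. The Go program below is an added example written for this page; it is not code from cluster-image-registry-operator or from anyone on this bug. It parses an IAM policy document of the shape stored in that annotation and reports which of the three multipart-upload actions no Allow statement covers, handling wildcard actions such as s3:List* or s3:* that a plain grep would miss, and treating an explicit Deny as missing. The two sample policies are constructed, trimmed from the annotation quoted in comment 6 with the account and IAM user omitted; the function and type names are my own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// stringList accepts IAM's "Action" field, which may be one string or a list.
type stringList []string

func (s *stringList) UnmarshalJSON(b []byte) error {
	var one string
	if err := json.Unmarshal(b, &one); err == nil {
		*s = stringList{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*s = stringList(many)
	return nil
}

type statement struct {
	Effect string     `json:"Effect"`
	Action stringList `json:"Action"`
}

type policyDocument struct {
	Statement []statement `json:"Statement"`
}

// actionMatches reports whether an IAM action pattern, which may contain "*"
// wildcards (e.g. "s3:List*"), covers a concrete action. IAM compares action
// names case-insensitively.
func actionMatches(pattern, action string) bool {
	p, a := strings.ToLower(pattern), strings.ToLower(action)
	parts := strings.Split(p, "*")
	if len(parts) == 1 {
		return p == a
	}
	if !strings.HasPrefix(a, parts[0]) {
		return false
	}
	a = a[len(parts[0]):]
	for _, mid := range parts[1 : len(parts)-1] { // leftmost match is safe here
		i := strings.Index(a, mid)
		if i < 0 {
			return false
		}
		a = a[i+len(mid):]
	}
	return strings.HasSuffix(a, parts[len(parts)-1])
}

// requiredMultipartActions: what the registry needs on multipart uploads it
// did not initiate under its current credentials.
var requiredMultipartActions = []string{
	"s3:ListBucketMultipartUploads",
	"s3:AbortMultipartUpload",
	"s3:ListMultipartUploadParts",
}

// missingActions returns the required actions that no Allow statement covers.
// An explicit Deny also counts as missing, since Deny overrides Allow. Resource
// and Condition scoping is ignored on purpose: this checks policy text, it is
// not an IAM simulation.
func missingActions(policyJSON string, required []string) ([]string, error) {
	var doc policyDocument
	if err := json.Unmarshal([]byte(policyJSON), &doc); err != nil {
		return nil, fmt.Errorf("parse policy: %w", err)
	}
	var missing []string
	for _, want := range required {
		allowed, denied := false, false
		for _, st := range doc.Statement {
			for _, pat := range st.Action {
				if !actionMatches(pat, want) {
					continue
				}
				switch st.Effect {
				case "Allow":
					allowed = true
				case "Deny":
					denied = true
				}
			}
		}
		if !allowed || denied {
			missing = append(missing, want)
		}
	}
	return missing, nil
}

// Constructed samples modelled on the annotation in comment 6 (trimmed, no real
// account). beforePolicy lacks s3:ListMultipartUploadParts, as the registry's
// policy did before the fix; afterPolicy is the fixed shape.
const beforePolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:GetBucketLocation","s3:ListBucket","s3:GetObject","s3:PutObject","s3:DeleteObject","s3:ListBucketMultipartUploads","s3:AbortMultipartUpload"],"Resource":"*"}]}`
const afterPolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:GetBucketLocation","s3:ListBucket","s3:GetObject","s3:PutObject","s3:DeleteObject","s3:ListBucketMultipartUploads","s3:AbortMultipartUpload","s3:ListMultipartUploadParts"],"Resource":"*"}]}`

func main() {
	for _, p := range []struct{ name, doc string }{{"before", beforePolicy}, {"after", afterPolicy}} {
		missing, err := missingActions(p.doc, requiredMultipartActions)
		fmt.Printf("%s: missing=%v err=%v\n", p.name, missing, err)
	}
}
```

To run it against a live cluster, paste in the annotation value from `oc get secret -n openshift-image-registry installer-cloud-credentials -o jsonpath='{.metadata.annotations.cloudcredential\.openshift\.io/aws-policy-last-applied}'`. Because the check reads policy text only, a policy that grants the action but scopes Resource or Condition so that the registry bucket is excluded would still pass; confirm effective access with the IAM policy simulator where that matters.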

Comment 9 Wenjing Zheng 2021-01-20 07:45:26 UTC
Thanks for the info, Joel! Verified on 4.7.0-0.nightly-2021-01-19-095812:
1. Check that the secret contains s3:ListMultipartUploadParts:
$ oc get secrets -n openshift-image-registry installer-cloud-credentials -o yaml
2. Delete the secret and IAM user from the AWS console https://console.aws.amazon.com/iam/home?region=ap-southeast-1#/users;
3. Check the re-created secret and IAM user qe-ui47-0120-n2d77-openshift-image-registry-nwz7p: they both contain s3:ListMultipartUploadParts.

Comment 12 errata-xmlrpc 2021-02-24 15:51:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633

Comment 13 Red Hat Bugzilla 2023-09-15 00:58:09 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days

