Description of problem:
Session policies are not evaluated correctly in RGW currently.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Create a role and attach a permission policy to the role.
2. Pass a session policy to AssumeRole* call, which grants more permission than the permission policy.
3. Test the temporary credentials to perform s3 operations.

Actual results:
The temporary credentials have permission which is more than the permission granted by Role permission policy.

Expected results:
Session policies can only restrict the permissions granted by role's permission policy.

Additional info:
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Red Hat Ceph Storage 4.2 Bug Fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:3670
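
The expected behaviour from the report, worked through as an added example (not RGW code and not part of the original bug report): a request made with temporary credentials is allowed only when both the role's permission policy and the session policy allow it. The evaluator is a simplified model that handles only `Effect`, `Action` and `Resource` with wildcards; the policies, bucket names and the helper `must_be_denied` are constructed for illustration.

```python
import re

def _glob(pattern, value, ignore_case=False):
    # IAM-style wildcards: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def policy_effect(policy, action, resource):
    """'Deny', 'Allow' or None (no statement matches) for a single policy."""
    effect = None
    for st in policy.get("Statement", []):
        if (any(_glob(a, action, True) for a in _as_list(st["Action"]))
                and any(_glob(r, resource) for r in _as_list(st["Resource"]))):
            if st["Effect"] == "Deny":
                return "Deny"          # explicit deny always wins
            effect = "Allow"
    return effect

def session_allows(role_policy, session_policy, action, resource):
    """Temporary credentials may act only if every policy in play allows it."""
    effects = [policy_effect(role_policy, action, resource)]
    if session_policy is not None:     # no session policy: role policy alone
        effects.append(policy_effect(session_policy, action, resource))
    return all(e == "Allow" for e in effects)

def must_be_denied(role_policy, session_policy, probes):
    """Probes the session policy allows but the role policy does not: the
    requests a regression test should see rejected with temporary credentials."""
    return [(a, r) for a, r in probes
            if policy_effect(session_policy, a, r) == "Allow"
            and policy_effect(role_policy, a, r) != "Allow"]

# Constructed sample policies mirroring the steps in the report.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::reports", "arn:aws:s3:::reports/*"]}]}
SESSION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*"}]}
PROBES = [("s3:GetObject", "arn:aws:s3:::reports/q1.csv"),
          ("s3:PutObject", "arn:aws:s3:::reports/q1.csv"),
          ("s3:GetObject", "arn:aws:s3:::payroll/2021.csv")]

if __name__ == "__main__":
    for action, resource in PROBES:
        verdict = "allow" if session_allows(ROLE_POLICY, SESSION_POLICY, action, resource) else "deny"
        print(f"{verdict:5}  {action}  {resource}")
```

The list returned by `must_be_denied` is the set of requests to replay with the temporary credentials when verifying the fix: each one should be rejected.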