Description of problem:

The PutObjectRetention operation allows changes to the Retention Mode that aren't permitted by AWS S3. Notably, rgw allows the retention mode to be changed from COMPLIANCE to GOVERNANCE, which is an unintended workaround that allows the deletion of objects locked in COMPLIANCE mode.

From https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html:

> In compliance mode, a protected object version can't be overwritten or deleted by any user, including the root user in your AWS account. When an object is locked in compliance mode, its retention mode can't be changed, and its retention period can't be shortened.

rgw also allows the GOVERNANCE mode to be changed to COMPLIANCE without checking for governance bypass permissions. From that same document:

> To override or remove governance-mode retention settings, a user must have the s3:BypassGovernanceRetention permission and must explicitly include x-amz-bypass-governance-retention:true as a request header with any request that requires overriding governance mode.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. create a bucket with object lock enabled
2. upload an object with ObjectLockMode='GOVERNANCE' or 'COMPLIANCE'
3. use the PutObjectRetention api to change the retention mode

Actual results:
PutObjectRetention returns success and changes the retention mode (as long as the new retention date is not earlier than the existing date)

Expected results:
PutObjectRetention returns 403 AccessDenied on invalid changes to retention mode

Additional info:
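The following is an added example, not code from the bug report, from Ceph or from AWS. It models the retention-mode transition rules the report quotes from the AWS documentation as a pure function (`retention_change_error`), and wraps steps 1-3 of the reproducer in a `reproduce` helper that drives any boto3-style S3 client. To run it offline it ships a hypothetical `FakeS3` client: with `enforce=True` it behaves as the Expected results describe (403 AccessDenied), with `enforce=False` it behaves as the Actual results describe (the change is accepted as long as the date is not earlier). Pass a real `boto3.client("s3", endpoint_url=...)` to `reproduce` to test an actual rgw; the error code the buggy rgw returns for a shortened date is not stated in the report and is assumed here.

```python
"""Added example, not code from the bug report or from Ceph: AWS retention
transition rules for PutObjectRetention as a pure function, plus a reproducer
for steps 1-3 that drives any boto3-style S3 client (real or the fake below)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

GOVERNANCE = "GOVERNANCE"
COMPLIANCE = "COMPLIANCE"

# Fixed reference time so the constructed examples are deterministic.
T0 = datetime(2021, 1, 1, tzinfo=timezone.utc)


def days(n):
    """T0 + n days; used to build retain-until dates for the examples."""
    return T0 + timedelta(days=n)


@dataclass
class Lock:
    mode: str
    retain_until: datetime


def retention_change_error(current, new, bypass_header=False, has_bypass_permission=False):
    """Return None if replacing `current` with `new` is allowed, otherwise the
    reason it must be rejected (the server should answer 403 AccessDenied).
    Rules follow the AWS object-lock documentation quoted in the report."""
    if current is None:
        return None  # no existing lock: setting retention for the first time
    if current.mode == COMPLIANCE:
        if new.mode != COMPLIANCE:
            return "retention mode of a COMPLIANCE-locked object cannot be changed"
        if new.retain_until < current.retain_until:
            return "COMPLIANCE retention period cannot be shortened"
        return None
    # GOVERNANCE: changing the mode or shortening the period overrides the
    # governance settings, so it needs s3:BypassGovernanceRetention AND the
    # x-amz-bypass-governance-retention:true header. Extending is always fine.
    overriding = new.mode != GOVERNANCE or new.retain_until < current.retain_until
    if overriding and not (bypass_header and has_bypass_permission):
        return "overriding GOVERNANCE retention requires bypass permission and header"
    return None


class FakeClientError(Exception):
    """Mimics the shape of botocore's ClientError (response['Error']['Code'])."""
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeS3:
    """Hypothetical offline stand-in for a boto3 S3 client. enforce=True models
    the expected behaviour; enforce=False models the rgw behaviour in the
    report, which only rejects a retain-until date earlier than the current one."""
    def __init__(self, enforce=True, has_bypass_permission=False):
        self.enforce = enforce
        self.has_bypass_permission = has_bypass_permission
        self.locks = {}

    def create_bucket(self, Bucket, ObjectLockEnabledForBucket=False):
        if not ObjectLockEnabledForBucket:
            raise ValueError("object lock must be enabled when the bucket is created")

    def put_object(self, Bucket, Key, Body, ObjectLockMode, ObjectLockRetainUntilDate):
        self.locks[(Bucket, Key)] = Lock(ObjectLockMode, ObjectLockRetainUntilDate)

    def put_object_retention(self, Bucket, Key, Retention, BypassGovernanceRetention=False):
        current = self.locks.get((Bucket, Key))
        new = Lock(Retention["Mode"], Retention["RetainUntilDate"])
        if self.enforce:
            if retention_change_error(current, new, BypassGovernanceRetention,
                                      self.has_bypass_permission):
                raise FakeClientError("AccessDenied")
        elif current and new.retain_until < current.retain_until:
            raise FakeClientError("AccessDenied")  # assumed code; not given in the report
        self.locks[(Bucket, Key)] = new


def reproduce(s3, bucket, key, mode=COMPLIANCE, until=None):
    """Steps 1-3 of the report against a boto3-style client. Returns the error
    code the server answered with, or None if it accepted the mode change."""
    until = until or datetime.now(timezone.utc) + timedelta(days=1)
    new_mode = GOVERNANCE if mode == COMPLIANCE else COMPLIANCE
    s3.create_bucket(Bucket=bucket, ObjectLockEnabledForBucket=True)
    s3.put_object(Bucket=bucket, Key=key, Body=b"locked",
                  ObjectLockMode=mode, ObjectLockRetainUntilDate=until)
    try:  # same date, so only the mode change is under test
        s3.put_object_retention(Bucket=bucket, Key=key,
                                Retention={"Mode": new_mode, "RetainUntilDate": until})
    except Exception as err:  # botocore ClientError or FakeClientError
        return getattr(err, "response", {}).get("Error", {}).get("Code", type(err).__name__)
    return None


if __name__ == "__main__":
    print("expected:", reproduce(FakeS3(enforce=True), "locked-bucket", "obj"))   # AccessDenied
    print("actual:  ", reproduce(FakeS3(enforce=False), "locked-bucket", "obj"))  # None
```

`retention_change_error` is the check that belongs in the server before a new retention is stored: it only ever relaxes a lock when the AWS rules permit it, and the caller maps a non-None result to 403 AccessDenied.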
Please specify the severity of this bug. Severity is defined here: https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Red Hat Ceph Storage 5.0 bug fix and enhancement), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:3294