From upstream tracker: Hi I have a role with permission policy like below { "Version":"2012-10-17","Statement":[ { "Effect":"Allow","Action":["s3:ListBucket"],"Resource":"this-is-not-arn-bla-bla" } ] } or { "Version":"2012-10-17","Statement":[ { "Effect":"Allow","Action":["s3:ListBucket"],"Resource":"barn:aws:s3:::nonexisting-bucket" } ] } User after assuming the role can execute head-bucket or list-bucket s3api operation on every bucket in the tenant without getting error 403 as expected If I specify Resource as a valid ARN (even if bucket does not exist) e.g. arn:aws:s3:::my-valid-bucket then user can list content of that bucket only, as expected. Attempt to access any other bucket returns 403. Description of problem: Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
Please specify the severity of this bug. Severity is defined here: https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Red Hat Ceph Storage 4.2 Bug Fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:3670