2007335 – rgw: With policy specifying invalid arn, users can list content of any bucket

Bug 2007335 - rgw: With policy specifying invalid arn, users can list content of any bucket

Summary: rgw: With policy specifying invalid arn, users can list content of any bucket

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Ceph Storage
Classification:	Red Hat Storage
Component:	RGW
Sub Component:
Version:	4.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	urgent
Target Milestone:	---
Target Release:	4.2z3
Assignee:	Pritha Srivastava
QA Contact:	Vidushi Mishra
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2008858 2008860
TreeView+	depends on / blocked

Reported:	2021-09-23 15:22 UTC by Pritha Srivastava
Modified:	2021-09-29 11:34 UTC (History)
CC List:	8 users (show)
Fixed In Version:	ceph-14.2.11-199.el8cp, ceph-14.2.11-199.el7cp
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	2007451 2008858 2008860 (view as bug list)
Environment:
Last Closed:	2021-09-27 18:26:55 UTC
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	ceph ceph pull 41931	None	open	rgw/sts: code for returning an error when an IAM policy	2021-09-23 15:22:22 UTC
Red Hat Issue Tracker	RHCEPH-1874	None	None	None	2021-09-23 15:23:56 UTC
Red Hat Product Errata	RHBA-2021:3670	None	None	None	2021-09-27 18:27:00 UTC

Description Pritha Srivastava 2021-09-23 15:22:23 UTC

From upstream tracker:



Hi

I have a role with permission policy like below

{
    "Version":"2012-10-17","Statement":[
    {
        "Effect":"Allow","Action":["s3:ListBucket"],"Resource":"this-is-not-arn-bla-bla" 
    }
    ]
}

or

{
    "Version":"2012-10-17","Statement":[
    {
        "Effect":"Allow","Action":["s3:ListBucket"],"Resource":"barn:aws:s3:::nonexisting-bucket" 
    }
    ]
}

User after assuming the role can execute head-bucket or list-bucket s3api operation on every bucket in the tenant without getting error 403 as expected
If I specify Resource as a valid ARN (even if bucket does not exist) e.g. arn:aws:s3:::my-valid-bucket

then user can list content of that bucket only, as expected. Attempt to access any other bucket returns 403.


Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 RHEL Program Management 2021-09-23 15:22:30 UTC

Please specify the severity of this bug. Severity is defined here:
https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity.

Comment 17 errata-xmlrpc 2021-09-27 18:26:55 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat Ceph Storage 4.2 Bug Fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:3670

Note You need to log in before you can comment on or make changes to this bug.