2252792 – rgw: object lock: governance mode override can be bypassed for multipart upload objects

Bug 2252792 - rgw: object lock: governance mode override can be bypassed for multipart upload objects

Summary: rgw: object lock: governance mode override can be bypassed for multipart uplo...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Ceph Storage
Classification:	Red Hat Storage
Component:	RGW
Sub Component:
Version:	6.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	---
Target Release:	6.1z3
Assignee:	Matt Benjamin (redhat)
QA Contact:	Tejas
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2253258
TreeView+	depends on / blocked

Reported:	2023-12-04 17:46 UTC by Matt Benjamin (redhat)
Modified:	2023-12-12 13:56 UTC (History)
CC List:	4 users (show)
Fixed In Version:	ceph-17.2.6-167.el9cp
Doc Type:	Bug Fix
Doc Text:	Cause: Requested object-lock governance information provided with new multipart uploads was not persisted with the uploaded part information, permitting the governance to be bypassed after the upload completed. Consequence: A violation of data retention policy was possible, for multipart uploaded objects. Fix: Object lock parameters are persisted with part upload information and checked at completion, such that there is no window to bypass governance. Result:
Clone Of:
Clones:	2253258 (view as bug list)
Environment:
Last Closed:	2023-12-12 13:56:16 UTC
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Ceph Project Bug Tracker	63724	None	None	None	2023-12-04 17:46:03 UTC
Red Hat Issue Tracker	RHCEPH-8000	None	None	None	2023-12-04 17:47:57 UTC
Red Hat Product Errata	RHSA-2023:7740	None	None	None	2023-12-12 13:56:22 UTC

Description Matt Benjamin (redhat) 2023-12-04 17:46:03 UTC

Description of problem:

As in tracker.

"The result of the script is as follows. Even if object locks are set on the bucket, objects uploaded through multipart upload can still be deleted"

Comment 1 RHEL Program Management 2023-12-04 17:46:11 UTC

Please specify the severity of this bug. Severity is defined here:
https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity.

Comment 7 errata-xmlrpc 2023-12-12 13:56:16 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Red Hat Ceph Storage 6.1 security, enhancements, and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:7740

Note You need to log in before you can comment on or make changes to this bug.