Bug 2284154 - [IBM Support] S3 session policy behavior on batch deletes returns AccessDenied for all keys
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: RGW
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 8.0
Assignee: Matt Benjamin (redhat)
QA Contact: Hemanth Sai
URL:
Whiteboard:
Depends On: 2284153 2298712
Blocks: 2317218
Reported: 2024-05-31 20:07 UTC by Mike Hackett
Modified: 2024-11-25 09:01 UTC (History)
CC List: 9 users

Fixed In Version: ceph-19.1.1-49.el9cp
Doc Type: Bug Fix
Doc Text:
.Batch object deletion now succeeds with IAM policy permissions
Previously, during a batch delete (also known as multi-object delete), incorrect evaluation of IAM policies returned `AccessDenied` when no explicit or implicit deny was present, even though Allow privileges existed. As a result, batch deletes failed with the `AccessDenied` error. With this fix, the policies are evaluated as expected and batch deletes succeed when IAM policies are enabled.
Clone Of: 2284153
Environment:
Last Closed: 2024-11-25 09:01:35 UTC
Embargoed:


Links
System                  ID               Private  Priority  Status  Summary  Last Updated
Red Hat Issue Tracker   RHCEPH-9121      0        None      None    None     2024-05-31 20:07:52 UTC
Red Hat Product Errata  RHBA-2024:10216  0        None      None    None     2024-11-25 09:01:40 UTC

Description Mike Hackett 2024-05-31 20:07:32 UTC
+++ This bug was initially created as a clone of Red Hat Bug #2284153 +++

Description of problem:
The customer exclusively uses STS/IAM roles for access to buckets and objects.  In addition, they use session policies provided to AssumeRole calls to scope session permissions for our users.
They are observing that when they provide a session policy of any kind, including one that provides all permissions, then the DeleteObjects call (batch delete) always returns AccessDenied for all keys.  When they try to delete the same objects with DeleteObject (single delete) it works, so there is something about the batch delete operation that is impacting the access check as the policy does provide delete access to the objects in question.
If they do the same operations with the same policy as role policy instead of session policy all operations pass as expected.  The customer needs to get to the root cause of the permission discrepancy when using session policies for this API as this is critical to their use case of multi-user shared buckets with dynamic permissions.

Version-Release number of selected component (if applicable):
IBM Storage Ceph 7.0

How reproducible:
Consistently

Steps to Reproduce:
Customer provided scripts that will be attached to BZ to reproduce

Actual results:
Batch delete does not function.

Expected results:
Batch delete should function as expected with session policy.

Additional info:

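To make the expected semantics concrete, here is a small Python model of how an S3 endpoint should evaluate an AssumeRole session's permissions for DeleteObjects. This is an added illustration, not Ceph RGW code and not the customer's reproduction scripts; it models the documented AWS rules (the effective permission is the intersection of the role policy and the session policy, an explicit Deny in either one wins, absence of an Allow is an implicit deny, and every key in the batch is checked on its own). The bucket name, key names, policy documents and helper names are constructed for the example.

```python
"""Simplified model of session-policy evaluation for a multi-object delete.

Added illustration, not Ceph RGW code. It follows the AWS semantics:
  - effective permission = role (identity) policy AND session policy;
  - an explicit Deny in either policy wins;
  - a policy that matches nothing yields an implicit deny;
  - DeleteObjects is evaluated key by key, never as one all-or-nothing check.
All policies, ARNs and keys below are constructed sample data.
"""
import fnmatch


def _match(pattern, value):
    # IAM-style wildcards: '*' matches any run of characters, '?' one character.
    return fnmatch.fnmatchcase(value, pattern)


def _as_list(v):
    return v if isinstance(v, list) else [v]


def evaluate_policy(policy, action, resource):
    """Return 'Deny', 'Allow' or 'Implicit' for one policy document."""
    verdict = "Implicit"
    for stmt in policy.get("Statement", []):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if not any(_match(a, action) for a in actions):
            continue
        if not any(_match(r, resource) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"  # explicit deny always wins, stop here
        verdict = "Allow"
    return verdict


def is_allowed(action, resource, role_policy, session_policy=None):
    """Combine the role policy with an optional session policy (intersection)."""
    results = [evaluate_policy(role_policy, action, resource)]
    if session_policy is not None:
        results.append(evaluate_policy(session_policy, action, resource))
    if "Deny" in results:
        return False
    return all(r == "Allow" for r in results)


def batch_delete(bucket, keys, role_policy, session_policy=None):
    """Per-key access check for DeleteObjects: {key: 'Deleted' | 'AccessDenied'}."""
    out = {}
    for key in keys:
        arn = f"arn:aws:s3:::{bucket}/{key}"
        ok = is_allowed("s3:DeleteObject", arn, role_policy, session_policy)
        out[key] = "Deleted" if ok else "AccessDenied"
    return out


# Constructed sample policies (hypothetical bucket and prefixes).
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:GetObject", "s3:DeleteObject"],
                   "Resource": "arn:aws:s3:::shared-bucket/*"}],
}
SESSION_ALLOW_ALL = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}
SESSION_SCOPED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::shared-bucket/alice/*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::shared-bucket/alice/keep.txt"},
    ],
}

if __name__ == "__main__":
    keys = ["alice/a.txt", "alice/keep.txt", "bob/b.txt"]
    print("role policy only:      ", batch_delete("shared-bucket", keys, ROLE_POLICY))
    print("allow-all session:     ", batch_delete("shared-bucket", keys, ROLE_POLICY, SESSION_ALLOW_ALL))
    print("scoped session policy: ", batch_delete("shared-bucket", keys, ROLE_POLICY, SESSION_SCOPED))
```

Running the block prints per-key results for three cases: the role policy alone, an allow-everything session policy, and a scoped session policy with one explicit Deny. The second case is the situation reported above: with a correct evaluator every key is deleted, so an `AccessDenied` for every key there, while single `DeleteObject` calls on the same keys succeed, is the symptom that points at the batch path rather than at the policy when checking a cluster with real calls before and after the fixed build.
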
Comment 5 errata-xmlrpc 2024-11-25 09:01:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat Ceph Storage 8.0 security, bug fix, and enhancement updates), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2024:10216