Bug 2293141 - [rgw] ratelimit is not enforced after assume-role / role is changed
Summary: [rgw] ratelimit is not enforced after assume-role / role is changed
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: RGW
Version: 7.0
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
: 7.1z1
Assignee: Matt Benjamin (redhat)
QA Contact: Vidushi Mishra
Akash Raj
URL:
Whiteboard:
Depends On: 2298710
Blocks: 2298711
Reported: 2024-06-19 22:50 UTC by Steve Baldwin
Modified: 2024-12-06 04:25 UTC (History)

Fixed In Version: ceph-18.2.1-204.el9cp
Doc Type: Bug Fix
Doc Text:
.Quota and rate limit settings for assume-roles are properly enforced for S3 requests with temporary credentials
Previously, information about a user using an assume-role was not loaded successfully from the backend store when temporary credentials were being used to serve an S3 request. As a result, the user quota or rate limit settings were not applied with the temporary credentials. With this fix, the information is loaded from the backend store, even when authenticating with temporary credentials, and all settings are applied successfully.
Clone Of:
: 2298710 2298711
Environment:
Last Closed: 2024-08-07 11:20:55 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHCEPH-9202 0 None None None 2024-06-19 22:51:53 UTC
Red Hat Product Errata RHBA-2024:5080 0 None None None 2024-08-07 11:21:02 UTC

Description Steve Baldwin 2024-06-19 22:50:20 UTC
Description of problem:

While testing user rate limits and quotas we found that things are enforced properly when using a user's access key + secret directly, but when they assume a role they are no longer limited.  In both cases the user statistics are updated correctly, so all actions are being credited back to the original user as expected and only the rate limit/quota enforcement is being bypassed.


Version-Release number of selected component (if applicable):

ceph 18.2.0-192 / 7.0z2

How reproducible:
Always

Steps to Reproduce (see detailed steps in 1st comment):
-- Create LimitTest user, max ten objects
-- Set quota to 10 objects
-- Set limit to 10 operations / minute
-- Create LimitRole role (Assume policy:)
-- Create role policy that allows all actions

Actual results:
The quota/rate limit is not enforced when role is changed.
Expected results:
The quota/rate limits enforcement should persist when role is changed.

Additional info:

Comment 25 errata-xmlrpc 2024-08-07 11:20:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat Ceph Storage 7.1 security and bug fix update.), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2024:5080

Comment 26 Red Hat Bugzilla 2024-12-06 04:25:11 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days
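
A simplified model of the failure described in the Doc Text and the Description, added here as an illustration and not taken from Ceph's source: when the temporary-credential path does not load the user's settings from the backend store, the limiter sees default values and never rejects, while usage is still credited to the original user. `UserInfo`, `Gateway`, `load_on_sts`, `accepted` and `run` are hypothetical names, and treating a limit of 0 as "no limit" is an assumption of the model; the `LimitTest` user and the limit of 10 operations per minute come from the report.

```python
from dataclasses import dataclass, field

@dataclass
class UserInfo:                      # per-user settings held in the backend store
    uid: str
    max_ops_per_min: int = 0         # assumption of this model: 0 means "no limit"

@dataclass
class Gateway:
    store: dict                      # uid -> UserInfo (stands in for the backend store)
    load_on_sts: bool                # False = behaviour before the fix, True = after
    ops: dict = field(default_factory=dict)   # uid -> operations counted this minute

    def authenticate(self, uid, temporary):
        """Return the UserInfo that the request will be checked against."""
        if temporary and not self.load_on_sts:
            # Before the fix: the owning user is known, but the stored settings
            # were not loaded, so the request carries default values.
            return UserInfo(uid)
        return self.store[uid]

    def put_object(self, uid, temporary=False):
        """Return True if the request is served, False if the limiter rejects it."""
        info = self.authenticate(uid, temporary)
        used = self.ops.get(uid, 0)
        if info.max_ops_per_min and used >= info.max_ops_per_min:
            return False
        self.ops[uid] = used + 1     # usage is credited to the original user either way
        return True

def accepted(gw, uid, n, temporary):
    """Send n requests inside one rate-limit window; count how many were served."""
    return sum(gw.put_object(uid, temporary) for _ in range(n))

def run(load_on_sts, temporary):
    """Return (requests served out of 15, operations credited to LimitTest)."""
    store = {"LimitTest": UserInfo("LimitTest", max_ops_per_min=10)}
    gw = Gateway(store, load_on_sts)
    return accepted(gw, "LimitTest", 15, temporary), gw.ops["LimitTest"]

if __name__ == "__main__":
    print("direct keys         :", run(False, False))
    print("assumed role, before:", run(False, True))
    print("assumed role, after :", run(True, True))
```

The same shape works as a regression check against a real gateway: send more requests than the configured limit through each authentication path and compare the number served.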