
Bug 2293233

Summary: [rgw][sts][sns]: without permission for sns:CreateTopic in role or session policy, create topic operation succeeded with sts creds
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: Hemanth Sai <hmaheswa>
Component: RGW
Assignee: Pritha Srivastava <prsrivas>
Status: CLOSED ERRATA
QA Contact: Hemanth Sai <hmaheswa>
Severity: high
Docs Contact: Rivka Pollack <rpollack>
Priority: unspecified
Version: 7.1
CC: ceph-eng-bugs, cephqe-warriors, mbenjamin, mkasturi, prsrivas, rpollack, tserlin, ylifshit
Target Milestone: ---
Target Release: 9.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ceph-20.1.0-26
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2026-01-29 06:48:20 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Hemanth Sai 2024-06-20 10:46:17 UTC
Description of problem:
Without permission for sns:CreateTopic in the role or session policy, the create topic operation succeeded with sts creds.

Version-Release number of selected component (if applicable):
ceph version 18.2.1-194.el9cp

How reproducible:
always

Steps to Reproduce:
1. Create a user
2. Add the role capability to the user 'lynna.271'
3. Create a role and attach a role policy to allow all s3 actions

[cephuser@ceph-hsm-71-8j01oc-node6 ~]$ radosgw-admin role get --role-name Admin
{
    "RoleId": "e580b100-f2e9-4a45-8390-eceb1f05a1e8",
    "RoleName": "Admin",
    "Path": "/",
    "Arn": "arn:aws:iam:::role/Admin",
    "CreateDate": "2024-06-09T15:12:20.321Z",
    "MaxSessionDuration": 3600,
    "AssumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/DeleteTest\"]},\"Action\":[\"sts:AssumeRole\"]}]}",
    "PermissionPolicies": [
        {
            "PolicyName": "Admin",
            "PolicyValue": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"s3:*\"],\"Resource\":[\"arn:aws:s3:::*\"]}]}"
        }
    ]
}
[cephuser@ceph-hsm-71-8j01oc-node6 ~]$ 


[cephuser@ceph-hsm-71-8j01oc-node6 ~]$ radosgw-admin role policy get --role-name Admin --policy-name Admin
{
    "Permission policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"s3:*\"],\"Resource\":[\"arn:aws:s3:::*\"]}]}"
}
[cephuser@ceph-hsm-71-8j01oc-node6 ~]$


4. Perform the assume role API call and obtain the session token generated from the assume role API call.

[cephuser@ceph-hsm-71-8j01oc-node6 ~]$ aws --endpoint-url http://10.0.208.194:80 sts assume-role --role-arn arn:aws:iam:::role/Admin --role-session-name session20 --policy "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"s3:*\"],\"Resource\":[\"arn:aws:s3:::*\"]}]}"
{
    "Credentials": {
        "AccessKeyId": "SBBVy4les3ZLuRtY4c3",
        "SecretAccessKey": "ADP74M3V7WD8DYV132Y7DKUYV08YO2BM1I1Q5C5",
        "SessionToken": "7F+3izLHdAqm1BaHRCDdgJYfLO0ccVsg75CcPcRzfB1ksoG5e8A7N+CZ/KjH+Ld0pp7H1vCtFG8SPFA4fAIFCh8TpQb3PAdwV054mc7yTOpKInyuB9LH9BUyZWVK3yWE7LytZQQ3jck+Jol4CKXGCNYm1O/3OpomPwalfiGDkebOS/lrxI+HzwA4q74WEYCg3GlasNAEu8VdIcFS/RJOZYj6cFUzxy5JQ9iuWBeFVkxa5Ul6/rbCB5KoOKJoMxRhQs6TjuWDnULAAXNfuNJBLgTYRv1mJVfrHhn70WjENy1q7+dBOIj1NbfeStbVnitXfv+iAhdDetsxeuiTV8tvIhjD6wHa9kMmt2yEjXdEfeom9ywqCwGsgAwdjZOa82/EaiZGjGNGa0J7oRiIFOIkhMMiFTHr3UMTQylxYELjUq68YfxhNEFPu/Kpz9B3QbUJwDw6J7UrBW0bwi/WVFdb+A==",
        "Expiration": "2024-06-20T09:24:40.846272720Z"
    },
    "AssumedRoleUser": {
        "Arn": "arn:aws:sts:::assumed-role/Admin/session20"
    },
    "PackedPolicySize": 0
}
[cephuser@ceph-hsm-71-8j01oc-node6 ~]$ 


5. Attempt to perform the sns create-topic operation

[cephuser@ceph-hsm-71-8j01oc-node6 ~]$ aws  --endpoint-url http://10.0.208.194:80 sns create-topic --name=fishtopic1  --attributes='{"push-endpoint": "kafka://localhost:9092"}'
{
    "TopicArn": "arn:aws:sns:default::fishtopic1"
}
[cephuser@ceph-hsm-71-8j01oc-node6 ~]$ 


Actual results:
sns:CreateTopic is successful with sts creds without being allowed in the role or session policy.

Expected results:
sns:CreateTopic should not be successful with sts creds without being allowed in the role or session policy.

Additional info:
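The expected behaviour the report describes is that a credential obtained via sts assume-role may only perform an action that both the role's permission policy and the session policy allow. The following is an added Python model of that check, written for this page; it is not code from Ceph RGW or from the reporter. The two policy documents are the ones quoted in the report above; the third (`SESSION_POLICY_WITH_SNS`) is constructed to show that widening the session policy alone cannot grant an action the role policy never allowed. The evaluator is simplified (Effect, Action and Resource with IAM-style wildcards; no NotAction, NotResource or Condition), and the function and variable names are this example's own.

```python
import fnmatch
import json

# Role permission policy and session policy copied from the bug report above.
ROLE_POLICY = json.loads(
    '{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
    '"Action":["s3:*"],"Resource":["arn:aws:s3:::*"]}]}'
)
SESSION_POLICY = json.loads(
    '{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
    '"Action":["s3:*"],"Resource":["arn:aws:s3:::*"]}]}'
)
# Constructed for this example: a session policy that does name sns:CreateTopic.
SESSION_POLICY_WITH_SNS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::*"]},
        {"Effect": "Allow", "Action": ["sns:CreateTopic"], "Resource": ["*"]},
    ],
}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, ignore_case):
    """IAM wildcard matching: '*' matches any run, '?' a single character.

    Action names are matched case-insensitively; resource ARNs are case-sensitive.
    """
    if ignore_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Evaluate one policy document for (action, resource).

    Returns 'Deny' (explicit deny, always wins), 'Allow', or 'ImplicitDeny'
    (no statement matched, which IAM treats as a denial).
    """
    decision = "ImplicitDeny"
    for stmt in _as_list(policy.get("Statement", [])):
        actions = stmt.get("Action")
        if actions is None:
            continue  # NotAction statements are out of scope for this model
        resources = stmt.get("Resource", "*")
        if _matches(actions, action, ignore_case=True) and _matches(resources, resource, ignore_case=False):
            if stmt.get("Effect") == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def is_allowed_with_sts_creds(role_policy, session_policy, action, resource):
    """Effective permission of an assumed-role session.

    The session policy can only narrow what the role policy grants: the action
    must be allowed by the role policy AND, if a session policy was passed to
    assume-role, by the session policy as well.
    """
    if evaluate(role_policy, action, resource) != "Allow":
        return False
    if session_policy is None:
        return True
    return evaluate(session_policy, action, resource) == "Allow"


def reproduce_report():
    """Decisions for the two operations exercised in the report."""
    return {
        "s3:CreateBucket": is_allowed_with_sts_creds(
            ROLE_POLICY, SESSION_POLICY, "s3:CreateBucket", "arn:aws:s3:::fishbucket"),
        "sns:CreateTopic": is_allowed_with_sts_creds(
            ROLE_POLICY, SESSION_POLICY, "sns:CreateTopic", "arn:aws:sns:default::fishtopic1"),
        "sns:CreateTopic (session policy widened)": is_allowed_with_sts_creds(
            ROLE_POLICY, SESSION_POLICY_WITH_SNS, "sns:CreateTopic", "arn:aws:sns:default::fishtopic1"),
    }


if __name__ == "__main__":
    for op, allowed in reproduce_report().items():
        print(f"{op:45s} -> {'Allow' if allowed else 'Deny'}")
```

Running the block prints Allow for the s3 action and Deny for sns:CreateTopic in both session-policy variants, which is the outcome the "Expected results" section calls for: an action absent from the role policy stays denied regardless of what the caller passes as a session policy.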

Comment 11 errata-xmlrpc 2026-01-29 06:48:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Red Hat Ceph Storage 9.0 Security and Enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2026:1536

Comment 12 Red Hat Bugzilla 2026-02-06 04:25:46 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days or the product is inactive and locked