Bug 2299642 - [CEE] CORS ACL's prevents access to buckets with presigned PUT URI's
Summary: [CEE] CORS ACL's prevents access to buckets with presigned PUT URI's
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: RGW
Version: 7.1
Hardware: All
OS: Linux
unspecified
urgent
Target Milestone: ---
: 8.0
Assignee: Matt Benjamin (redhat)
QA Contact: Hemanth Sai
URL:
Whiteboard:
Depends On:
Blocks: 2302281 2317218
TreeView+ depends on / blocked
 
Reported: 2024-07-24 07:21 UTC by Michaela Lang
Modified: 2025-01-31 07:34 UTC (History)
10 users (show)

Fixed In Version: ceph-19.1.0-2.el9cp
Doc Type: Bug Fix
Doc Text:
.Pre-signed URLs are now accepted with Keystone EC2 authentication Previously, a properly constructed pre-signed HTTP PUT URLs failed unexpectedly, with a `403/Access Denied` error. This happened because of a change in processing of HTTP OPTIONS requests containing CORS changed the implied AWSv4 request signature calculation for some pre-signed URLs when authentication was through Keystone EC2 (Swift S3 emulation). With this fix, a new workflow for CORS HTTP OPTIONS is introduced for the Keystone EC2 case and pre-signed URLs no longer unexpectedly fail.
Clone Of:
: 2302281 (view as bug list)
Environment:
Last Closed: 2024-11-25 09:03:40 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHCEPH-9396 0 None None None 2024-07-24 07:23:53 UTC
Red Hat Knowledge Base (Solution) 7084669 0 None None None 2024-08-28 18:01:06 UTC
Red Hat Product Errata RHBA-2024:10216 0 None None None 2024-11-25 09:03:52 UTC

Description Michaela Lang 2024-07-24 07:21:32 UTC 
Description of problem:
As described in upstream https://tracker.ceph.com/issues/64308 having CORS set on the bucket and adding CORS headers to presigned PUT requests fails with 403 due to the header `x-amz-acl` not being considered when signing.


Version-Release number of selected component (if applicable):
7.1 (upstream  17.2.7+ based)

How reproducible:
everytime 

Steps to Reproduce:
1. set bucket acl
```
aws s3api put-bucket-acl --bucket=<user> --cors-configuration='{"CORSRules":[{"AllowedHeaders":["Authorization"],"AllowedMethods":["GET","PUT"],"AllowedOrigins":["example.com"],"ExposeHeaders":["ETag","x-amz-request-id"],"MaxAgeSeconds":3000}]}'
```

2. create presigned put uri
```
presigned = s3.generate_presigned_url(
    ClientMethod="put_object",
    HttpMethod='PUT',
    Params={
        "Bucket": "bucket",
        "Key": "test",
        "ACL": "private",
    },
)
```

3. use curl with CORS headers to post content

```
curl -X PUT 'https://s3.example.com/user1/plain-test?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=user1%2F20240724%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240724T070246Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host%3Bx-amz-acl&X-Amz-Signature=6d2f5ca1845c5fb71890588f82480b320281bc6bb2e2ab93d12fdfc1d25a728f' -d 'testing' -H 'origin: example.com' -H 'access-control-request-method: PUT' -d 'testing curl'
```


Actual results:
```
HTTP code: 403
<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message></Message><RequestId>tx000000ad5acbcf928f265-0066a0a716-1f39666-us-east-1</RequestId><HostId>1f39666-us-east-1-us-east-1</HostId></Error>
```


Expected results:
```
HTTP code: 200
```

Additional info:
There are two mitigations right now in place. Both are not sufficient as:

Workaround1 (drop ACL from presigned PUT):
```
presigned = s3.generate_presigned_url(
    ClientMethod="put_object",
    HttpMethod='PUT',
    Params={
        "Bucket": "bucket",
        "Key": "test",
    },
)
``` 

does not result in 403 but implies access to the source code of the applications (not always possible)

Workaround2 (drop CORS acl from Bucket):
implies unexpected access through third party requests which is the reason to have CORS set.
^^^ 

seem's to be not working out too as the CORS headers would need to be removed prior reaching the RGW endpoint
Comment 9 Manny 2024-08-28 18:01:06 UTC 
Please see KCS Article #7084669, (https://access.redhat.com/solutions/7084669) regarding this issue.

BR
Manny
Comment 15 errata-xmlrpc 2024-11-25 09:03:40 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat Ceph Storage 8.0 security, bug fix, and enhancement updates), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2024:10216
Note You need to log in before you can comment on or make changes to this bug.