
Bug 2305185

Summary: [rgw][acl] put-bucket-acl with acl set as public-read-write is allowing only public-write but public-read of objects is denied
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: Hemanth Sai <hmaheswa>
Component: RGW
Assignee: Matt Benjamin (redhat) <mbenjamin>
Status: CLOSED ERRATA
QA Contact: Hemanth Sai <hmaheswa>
Severity: high
Docs Contact: Rivka Pollack <rpollack>
Priority: unspecified
Version: 7.1
CC: ceph-eng-bugs, cephqe-warriors, rpollack, tserlin
Target Milestone: ---
Target Release: 9.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ceph-20.1.0-26
Doc Type: No Doc Update
Story Points: ---
Last Closed: 2026-01-29 06:51:47 UTC
Type: Bug
Regression: ---

Description Hemanth Sai 2024-08-15 18:00:03 UTC
Description of problem:
put-bucket-acl with the ACL set to public-read-write allows only public write; public read of objects is denied.


Version-Release number of selected component (if applicable):
ceph version 18.2.1-228.el9cp and ceph version 18.2.1-229.0.hotfix.bz2299642.el9cp

How reproducible:
always

Steps to Reproduce:
1. Create a bucket
[cephuser@ceph-hsm-hotfix-5qt7bt-node6 ~]$ aws --endpoint-url http://10.0.67.162:80 s3 mb s3://bkt8
make_bucket: bkt8
[cephuser@ceph-hsm-hotfix-5qt7bt-node6 ~]$ 


2. Run put-bucket-acl on the bucket
[cephuser@ceph-hsm-hotfix-5qt7bt-node6 ~]$ aws --endpoint-url http://10.0.67.162:80 s3api put-bucket-acl --bucket bkt8  --acl public-read-write
[cephuser@ceph-hsm-hotfix-5qt7bt-node6 ~]$ 
[cephuser@ceph-hsm-hotfix-5qt7bt-node6 ~]$ 
[cephuser@ceph-hsm-hotfix-5qt7bt-node6 ~]$ aws --endpoint-url http://10.0.67.162:80 s3api get-bucket-acl --bucket bkt8
{
    "Owner": {
        "DisplayName": "hsm",
        "ID": "hsm"
    },
    "Grants": [
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
            },
            "Permission": "READ"
        },
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
            },
            "Permission": "WRITE"
        },
        {
            "Grantee": {
                "DisplayName": "hsm",
                "ID": "hsm",
                "Type": "CanonicalUser"
            },
            "Permission": "FULL_CONTROL"
        }
    ]
}
[cephuser@ceph-hsm-hotfix-5qt7bt-node6 ~]$ 

3. Upload an object
[cephuser@ceph-hsm-hotfix-5qt7bt-node6 ~]$ aws --endpoint-url http://10.0.67.162:80 s3 cp obj10MB s3://bkt8/obj1
upload: ./obj10MB to s3://bkt8/obj1                              
[cephuser@ceph-hsm-hotfix-5qt7bt-node6 ~]$ 


4. Without auth creds, the PUT object request succeeds but the GET object request fails
[cephuser@ceph-hsm-hotfix-5qt7bt-node6 ~]$ curl -X GET 'http://10.0.67.162:80/bkt8/obj1' -o bkt8-obj1.download -v
Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying 10.0.67.162:80...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to 10.0.67.162 (10.0.67.162) port 80 (#0)
> GET /bkt8/obj1 HTTP/1.1
> Host: 10.0.67.162
> User-Agent: curl/7.76.1
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Content-Length: 233
< x-amz-request-id: tx0000049cb2a70cb73284e-0066be3ed2-b141-default
< Accept-Ranges: bytes
< Content-Type: application/xml
< Date: Thu, 15 Aug 2024 17:45:54 GMT
< Connection: Keep-Alive
< 
{ [233 bytes data]
100   233  100   233    0     0   113k      0 --:--:-- --:--:-- --:--:--  113k
* Connection #0 to host 10.0.67.162 left intact
[cephuser@ceph-hsm-hotfix-5qt7bt-node6 ~]$ 
[cephuser@ceph-hsm-hotfix-5qt7bt-node6 ~]$ 
[cephuser@ceph-hsm-hotfix-5qt7bt-node6 ~]$ curl -X PUT 'http://10.0.67.162:80/bkt8/obj2' -T obj20MB -v
*   Trying 10.0.67.162:80...
* Connected to 10.0.67.162 (10.0.67.162) port 80 (#0)
> PUT /bkt8/obj2 HTTP/1.1
> Host: 10.0.67.162
> User-Agent: curl/7.76.1
> Accept: */*
> Content-Length: 20000000
> Expect: 100-continue
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 100 CONTINUE
* We are completely uploaded and fine
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Length: 0
< ETag: "10e4462c9d0b08e7f0b304c4fbfeafa3"
< Accept-Ranges: bytes
< x-amz-request-id: tx000006873070c8ddd227e-0066be3eee-b141-default
< Date: Thu, 15 Aug 2024 17:46:23 GMT
< Connection: Keep-Alive
< 
* Connection #0 to host 10.0.67.162 left intact
[cephuser@ceph-hsm-hotfix-5qt7bt-node6 ~]$ 
[cephuser@ceph-hsm-hotfix-5qt7bt-node6 ~]$ 
[cephuser@ceph-hsm-hotfix-5qt7bt-node6 ~]$ curl -X GET 'http://10.0.67.162:80/bkt8/obj2' -o bkt8-obj2.download -v
Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying 10.0.67.162:80...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to 10.0.67.162 (10.0.67.162) port 80 (#0)
> GET /bkt8/obj2 HTTP/1.1
> Host: 10.0.67.162
> User-Agent: curl/7.76.1
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Content-Length: 233
< x-amz-request-id: tx00000f3e8563c654daf4f-0066be3f03-b141-default
< Accept-Ranges: bytes
< Content-Type: application/xml
< Date: Thu, 15 Aug 2024 17:46:43 GMT
< Connection: Keep-Alive
< 
  0   233    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0{ [233 bytes data]
100   233  100   233    0     0  11650      0 --:--:-- --:--:-- --:--:-- 11095
* Connection #0 to host 10.0.67.162 left intact
[cephuser@ceph-hsm-hotfix-5qt7bt-node6 ~]$ 
[cephuser@ceph-hsm-hotfix-5qt7bt-node6 ~]$ 
[cephuser@ceph-hsm-hotfix-5qt7bt-node6 ~]$ aws --endpoint-url http://10.0.67.162:80 s3 ls s3://bkt8
2024-08-15 13:45:15   10000000 obj1
2024-08-15 13:46:23   20000000 obj2
[cephuser@ceph-hsm-hotfix-5qt7bt-node6 ~]$ 

5. Even if we set the bucket ACL to public-read with put-bucket-acl, public read of the object is denied

[cephuser@ceph-hsm-hotfix-5qt7bt-node6 ~]$ aws --endpoint-url http://10.0.67.162:80 s3api put-bucket-acl --bucket bkt8  --acl public-read
[cephuser@ceph-hsm-hotfix-5qt7bt-node6 ~]$ 
[cephuser@ceph-hsm-hotfix-5qt7bt-node6 ~]$ aws --endpoint-url http://10.0.67.162:80 s3api get-bucket-acl --bucket bkt8
{
    "Owner": {
        "DisplayName": "hsm",
        "ID": "hsm"
    },
    "Grants": [
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
            },
            "Permission": "READ"
        },
        {
            "Grantee": {
                "DisplayName": "hsm",
                "ID": "hsm",
                "Type": "CanonicalUser"
            },
            "Permission": "FULL_CONTROL"
        }
    ]
}
[cephuser@ceph-hsm-hotfix-5qt7bt-node6 ~]$ 
[cephuser@ceph-hsm-hotfix-5qt7bt-node6 ~]$ aws --endpoint-url http://10.0.67.162:80 s3 ls s3://bkt8
2024-08-15 13:45:15   10000000 obj1
2024-08-15 13:46:23   20000000 obj2
[cephuser@ceph-hsm-hotfix-5qt7bt-node6 ~]$ 
[cephuser@ceph-hsm-hotfix-5qt7bt-node6 ~]$ curl -X GET 'http://10.0.67.162:80/bkt8/obj2' -o bkt8-obj2.download -v
Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying 10.0.67.162:80...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to 10.0.67.162 (10.0.67.162) port 80 (#0)
> GET /bkt8/obj2 HTTP/1.1
> Host: 10.0.67.162
> User-Agent: curl/7.76.1
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Content-Length: 233
< x-amz-request-id: tx00000716962a8b5f47ac7-0066be4103-b141-default
< Accept-Ranges: bytes
< Content-Type: application/xml
< Date: Thu, 15 Aug 2024 17:55:15 GMT
< Connection: Keep-Alive
< 
{ [233 bytes data]
100   233  100   233    0     0  33285      0 --:--:-- --:--:-- --:--:-- 33285
* Connection #0 to host 10.0.67.162 left intact
[cephuser@ceph-hsm-hotfix-5qt7bt-node6 ~]$ 


6. If we set that object's ACL to public-read with put-object-acl, public read of the object is allowed
[cephuser@ceph-hsm-hotfix-5qt7bt-node6 ~]$ aws --endpoint-url http://10.0.67.162:80 s3api put-object-acl --bucket bkt8 --key obj2 --acl public-read
[cephuser@ceph-hsm-hotfix-5qt7bt-node6 ~]$ 
[cephuser@ceph-hsm-hotfix-5qt7bt-node6 ~]$ aws --endpoint-url http://10.0.67.162:80 s3api get-object-acl --bucket bkt8 --key obj2
{
    "Owner": {
        "DisplayName": "hsm",
        "ID": "hsm"
    },
    "Grants": [
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
            },
            "Permission": "READ"
        },
        {
            "Grantee": {
                "DisplayName": "hsm",
                "ID": "hsm",
                "Type": "CanonicalUser"
            },
            "Permission": "FULL_CONTROL"
        }
    ]
}
[cephuser@ceph-hsm-hotfix-5qt7bt-node6 ~]$ 
[cephuser@ceph-hsm-hotfix-5qt7bt-node6 ~]$ curl -X GET 'http://10.0.67.162:80/bkt8/obj2' -o bkt8-obj2.download -v
Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying 10.0.67.162:80...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to 10.0.67.162 (10.0.67.162) port 80 (#0)
> GET /bkt8/obj2 HTTP/1.1
> Host: 10.0.67.162
> User-Agent: curl/7.76.1
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Length: 20000000
< Accept-Ranges: bytes
< Last-Modified: Thu, 15 Aug 2024 17:46:23 GMT
< x-rgw-object-type: Normal
< ETag: "10e4462c9d0b08e7f0b304c4fbfeafa3"
< x-amz-request-id: tx000009658ed27f7126b52-0066be41d2-b141-default
< Content-Type: binary/octet-stream
< Date: Thu, 15 Aug 2024 17:58:42 GMT
< Connection: Keep-Alive
< 
{ [23844 bytes data]
100 19.0M  100 19.0M    0     0   359M      0 --:--:-- --:--:-- --:--:--  359M
* Connection #0 to host 10.0.67.162 left intact
[cephuser@ceph-hsm-hotfix-5qt7bt-node6 ~]$ 

Actual results:
put-bucket-acl with the ACL set to public-read-write allows only public write; public read of objects is denied.

Expected results:
put-bucket-acl with the ACL set to public-read-write is expected to allow both public write and public read of objects.

Additional info:
test logs on ceph version 18.2.1-229.0.hotfix.bz2299642.el9cp:
https://docs.google.com/document/d/14TyLAuk1MKgF7pKGVuYt7ZMwKK8rTuhevOHyaPDZgYg/edit?usp=sharing

rgw logs on ceph version 18.2.1-229.0.hotfix.bz2299642.el9cp:
http://magna002.ceph.redhat.com/cephci-jenkins/hsm/hotfix-inditex-presigned-url/rgw_debug_20_logs/


test logs on ceph version 18.2.1-228.el9cp:
https://docs.google.com/document/d/1-IhAu6JhjuIj9kVOEeCaWjvNQqMSb6lrcc-oYHIBx2c/edit?usp=sharing

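The following is an added example, not code from the bug report, Ceph, RGW or Red Hat. It encodes the meaning AWS documents for each S3 ACL grant and evaluates the ACLs shown in the report for an unauthenticated client: under those semantics a bucket READ grant lets a client list the bucket, a bucket WRITE grant lets an anonymous client upload and overwrite objects (which is what the unsigned curl PUT in step 4 exercised, and the exposure a practitioner should alarm on), and reading object data needs READ on the object's own ACL, which is why step 6 succeeds. Which grants a given RGW release consults for an object GET is what this bug is about, and the fix shipped in the errata is not described on this page, so the operation-to-grant table below is an assumption to compare against the gateway actually in use. The owner ID hsm, the canned ACL names and the Grants shape are copied from the aws s3api output above; the anonymous_status helper is hypothetical and only there for checking a live endpoint.

```python
"""Anonymous-access evaluation for S3 bucket and object ACLs.

Added example for this bug report; it is not Ceph, RGW or Red Hat code.
Assumption: the operation-to-grant mapping below is the one AWS documents
for S3 ACLs (bucket READ lists objects, bucket WRITE creates/overwrites/
deletes objects, object READ reads object data).  Which grants a given RGW
release consults for an object GET is what this bug is about, so compare
the prediction against the gateway you actually run.
"""
import json
import urllib.error
import urllib.request

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# How the gateway expands the canned ACLs used in the report (matches the
# get-bucket-acl / get-object-acl output shown above).
CANNED = {
    "private": [],
    "public-read": ["READ"],
    "public-read-write": ["READ", "WRITE"],
}

# Grant each operation needs, and on which ACL, per AWS's S3 ACL documentation
# (assumption: RGW's own mapping for object reads may differ, see this bug).
OPERATIONS = {
    "ListObjects": ("bucket", "READ"),
    "PutObject": ("bucket", "WRITE"),
    "DeleteObject": ("bucket", "WRITE"),
    "GetObject": ("object", "READ"),
    "GetObjectAcl": ("object", "READ_ACP"),
    "PutObjectAcl": ("object", "WRITE_ACP"),
}


def canned_acl(owner_id, canned):
    """Build the Grants structure that `aws s3api get-*-acl` prints for a canned ACL."""
    grants = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": p}
              for p in CANNED[canned]]
    grants.append({"Grantee": {"Type": "CanonicalUser", "ID": owner_id,
                               "DisplayName": owner_id},
                   "Permission": "FULL_CONTROL"})
    return {"Owner": {"ID": owner_id, "DisplayName": owner_id}, "Grants": grants}


def permissions_for(acl, principal=None):
    """Permissions an ACL grants to `principal` (a canonical user ID).
    principal=None is an unauthenticated request: only AllUsers grants count."""
    perms = set()
    for grant in acl["Grants"]:
        grantee = grant["Grantee"]
        if grantee["Type"] == "Group":
            if grantee["URI"] == ALL_USERS or (
                    principal is not None and grantee["URI"] == AUTHENTICATED_USERS):
                perms.add(grant["Permission"])
        elif grantee["Type"] == "CanonicalUser" and grantee["ID"] == principal:
            perms.add(grant["Permission"])
    if "FULL_CONTROL" in perms:
        perms |= {"READ", "WRITE", "READ_ACP", "WRITE_ACP"}
    return perms


def access_matrix(bucket_acl, object_acl, principal=None):
    """True/False per operation for `principal` (None = anonymous)."""
    granted = {"bucket": permissions_for(bucket_acl, principal),
               "object": permissions_for(object_acl, principal)}
    return {op: perm in granted[scope] for op, (scope, perm) in OPERATIONS.items()}


def public_exposure(bucket_acl, object_acl):
    """What an unauthenticated client can do.  public_write is the one to alarm
    on: it is the unsigned curl PUT of step 4, an upload nobody authenticated."""
    m = access_matrix(bucket_acl, object_acl)
    return {"public_list": m["ListObjects"],
            "public_read_object": m["GetObject"],
            "public_write": m["PutObject"]}


def anonymous_status(url, method="GET", data=None):
    """Hypothetical helper: send an unsigned request and return the HTTP status,
    to check a live gateway against the prediction (needs network access)."""
    req = urllib.request.Request(url, method=method, data=data)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    bucket = canned_acl("hsm", "public-read-write")   # step 2 of the report
    print(json.dumps(access_matrix(bucket, canned_acl("hsm", "private")), indent=2))
    print(json.dumps(access_matrix(bucket, canned_acl("hsm", "public-read")), indent=2))
```

Run as a script it prints the two matrices for the bucket as left after step 2: with the object at its default private ACL the anonymous client gets PutObject and ListObjects but not GetObject, and after the object-level public-read of step 6 GetObject flips to True. To compare a live gateway, call anonymous_status on the object URL and on a PUT to a test key and check the 403/200 pair against the matrix; a 200 on the PUT is the public-write finding regardless of what the GET returns.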
Comment 7 errata-xmlrpc 2026-01-29 06:51:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Red Hat Ceph Storage 9.0 Security and Enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2026:1536