
Bug 2313820

Summary: [rgw] BucketPolicy with s3:GetObjectAttributes permission alone is allowing other users to perform the operation without depending on s3:GetObject permission
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: Hemanth Sai <hmaheswa>
Component: RGW
Assignee: Matt Benjamin (redhat) <mbenjamin>
Status: CLOSED ERRATA
QA Contact: Yuva Teja Sree Gayam <ygayam>
Severity: medium
Docs Contact: Rivka Pollack <rpollack>
Priority: unspecified
Version: 8.0
CC: ceph-eng-bugs, cephqe-warriors, rpollack
Target Milestone: ---
Target Release: 9.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ceph-20.1.0-18
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Clones: 2415380 (view as bug list)
Environment:
Last Closed: 2026-01-29 06:52:26 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2415380

Description Hemanth Sai 2024-09-20 17:56:36 UTC
Description of problem:
BucketPolicy with s3:GetObjectAttributes permission alone is allowing other users to perform the operation without depending on s3:GetObject permission

But according to the AWS document below:
https://docs.aws.amazon.com/cli/latest/reference/s3api/get-object-attributes.html

"If the bucket is not versioned, you need the s3:GetObject and s3:GetObjectAttributes permissions."



log snippet:

[cephuser@ceph-hsm-upgrade-4a6d8m-node6 ~]$ aws --endpoint-url http://10.0.64.24:80 s3api get-bucket-policy --bucket bkt1
{
    "Policy": "{\n   \"Statement\": [\n      {\n         \"Effect\": \"Allow\",\n         \"Principal\": \"*\",\n         \"Action\": [\"s3:GetObjectAttributes\"],\n         \"Resource\": \"arn:aws:s3:::*\"\n      }\n   ]\n}\n"
}
[cephuser@ceph-hsm-upgrade-4a6d8m-node6 ~]$ 
[cephuser@ceph-hsm-upgrade-4a6d8m-node6 ~]$ aws --endpoint-url http://10.0.64.24:80 --profile hsm2 s3api get-object-attributes --bucket bkt1 --key obj20MB --object-attributes "StorageClass" "ETag" "ObjectSize" "Checksum"
{
    "LastModified": "Fri, 13 Sep 2024 18:31:55 GMT",
    "ETag": "fee4441cc5d2334340a5aed7a5821535-3",
    "Checksum": {},
    "StorageClass": "STANDARD",
    "ObjectSize": 20000000
}
[cephuser@ceph-hsm-upgrade-4a6d8m-node6 ~]$ 




Version-Release number of selected component (if applicable):
ceph version 19.1.1-42.el9cp

How reproducible:
always

Steps to Reproduce:
1. Deploy a cluster on 8.0 with an RGW daemon.
2. Create a bucket.
3. PutBucketPolicy with s3:GetObjectAttributes in the action list.
4. Perform get-object-attributes from another user's client; the request succeeds. Expected it to fail, as s3:GetObject is not present in the actions list.

Actual results:
s3:GetObjectAttributes permission alone is allowing other users to perform the operation without depending on s3:GetObject permission

Expected results:
expected s3:GetObject and s3:GetObjectAttributes permissions are required to perform the operation

Additional info:

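To make the expected authorization rule concrete, the following is an added Python example; it is not RGW code, not the AWS SDK, and not part of the bug report. It models the IAM rule from the AWS document cited above (an unversioned GetObjectAttributes needs both s3:GetObject and s3:GetObjectAttributes; a request naming a versionId needs s3:GetObjectVersion and s3:GetObjectVersionAttributes) and evaluates the reporter's policy against it offline, beside a corrected policy that grants both actions. The principal ARN `arn:aws:iam:::user/hsm2` is a constructed stand-in for the `--profile hsm2` identity, and the policy documents are re-created from the get-bucket-policy output in the log snippet.

```python
"""Offline model of the bucket-policy check GetObjectAttributes should pass.

Added example: not RGW code and not the AWS SDK. It models the documented
IAM rule from the bug so the reported policy can be evaluated without a
cluster. The principal ARN is a constructed stand-in for the hsm2 profile.
"""
import fnmatch
import json

# Per the AWS documentation cited in the bug: an unversioned request needs
# BOTH s3:GetObject and s3:GetObjectAttributes; a request naming a versionId
# needs the *Version* pair instead.
REQUIRED_ACTIONS = {
    ("GetObjectAttributes", False): ("s3:GetObject", "s3:GetObjectAttributes"),
    ("GetObjectAttributes", True): ("s3:GetObjectVersion", "s3:GetObjectVersionAttributes"),
}

# Constructed sample: the reporter's policy, wrapped the way
# `aws s3api get-bucket-policy` prints it (a JSON document inside a JSON string).
REPORTED_OUTPUT = json.dumps({"Policy": json.dumps({"Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObjectAttributes"],
    "Resource": "arn:aws:s3:::*"}]})})

# Constructed: the same policy with the missing action added.
CORRECTED_OUTPUT = json.dumps({"Policy": json.dumps({"Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:GetObjectAttributes"],
    "Resource": "arn:aws:s3:::*"}]})})

OTHER_USER = "arn:aws:iam:::user/hsm2"   # constructed identity for --profile hsm2
OBJECT_ARN = "arn:aws:s3:::bkt1/obj20MB"  # bucket and key from the log snippet


def load_policy(cli_output: str) -> dict:
    """Unwrap get-bucket-policy output into the policy document itself."""
    return json.loads(json.loads(cli_output)["Policy"])


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value, fold=False):
    """IAM-style wildcard match (* and ?). Action names compare case-insensitively."""
    if fold:
        value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower() if fold else p) for p in _as_list(patterns))


def _principal_matches(principal, user_arn):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p in ("*", user_arn) for p in _as_list(principal.get("AWS", [])))
    return False


def action_allowed(policy, user_arn, action, resource_arn) -> bool:
    """Single-action decision: explicit Deny wins, then any Allow, else implicit deny."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if not _principal_matches(stmt.get("Principal"), user_arn):
            continue
        if not _matches(stmt.get("Action", []), action, fold=True):
            continue
        if not _matches(stmt.get("Resource", []), resource_arn):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def reported_behaviour(policy, user_arn, resource_arn) -> bool:
    """Models what the bug observed: only s3:GetObjectAttributes is consulted."""
    return action_allowed(policy, user_arn, "s3:GetObjectAttributes", resource_arn)


def expected_behaviour(policy, user_arn, resource_arn, version_id=None):
    """Expected rule: every required action must be allowed. Returns (ok, missing)."""
    required = REQUIRED_ACTIONS[("GetObjectAttributes", version_id is not None)]
    missing = [a for a in required if not action_allowed(policy, user_arn, a, resource_arn)]
    return (not missing, missing)


if __name__ == "__main__":
    reported = load_policy(REPORTED_OUTPUT)
    print("reported policy, as observed: ", reported_behaviour(reported, OTHER_USER, OBJECT_ARN))
    print("reported policy, as expected: ", expected_behaviour(reported, OTHER_USER, OBJECT_ARN))
    print("corrected policy, as expected:", expected_behaviour(load_policy(CORRECTED_OUTPUT), OTHER_USER, OBJECT_ARN))
```

With the reporter's policy, `reported_behaviour` returns True (the single-action check the bug describes), while `expected_behaviour` returns `(False, ["s3:GetObject"])`, naming the action a correct RGW should have required; the corrected policy passes for an unversioned request but still fails for a versioned one, since that path needs the `*Version*` actions.
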
Comment 7 errata-xmlrpc 2026-01-29 06:52:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Red Hat Ceph Storage 9.0 Security and Enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2026:1536