
Bug 2344639

Summary: [rgw] public-access-block with BlockPublicAcls set on a Bucket is denying normal object upload without any public-acl in the request
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: Hemanth Sai <hmaheswa>
Component: RGW
Assignee: Matt Benjamin (redhat) <mbenjamin>
Status: CLOSED ERRATA
QA Contact: Chaithra <ckulal>
Severity: high
Docs Contact: Rivka Pollack <rpollack>
Priority: unspecified
Version: 8.0
CC: ceph-eng-bugs, cephqe-warriors, ckulal, mkasturi, rpollack
Target Milestone: ---
Keywords: Automation
Target Release: 9.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ceph-20.1.0-18
Doc Type: Bug Fix
Doc Text:
Predefined ACLs are now correctly matched
Previously, reversed logic in the comparison functor for predefined ACL matching caused all predefined ACLs to be rejected. With this fix, calls to `compare()` have been replaced with `operator==` and predefined ACLs now match correctly.
Story Points: ---
Clone Of:
Clones: 2413969
Environment:
Last Closed: 2026-01-29 06:53:40 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2388233, 2413969

Description Hemanth Sai 2025-02-10 12:31:31 UTC
Description of problem:
public-access-block with BlockPublicAcls set on a bucket is denying normal object upload without any public ACL in the request.
But according to the AWS document below, it should block put_object only if the request includes a public ACL:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html

BlockPublicAcls
Setting this option to TRUE causes the following behavior:

PUT Bucket acl and PUT Object acl calls fail if the specified access control list (ACL) is public.

PUT Object calls fail if the request includes a public ACL.

If this setting is applied to an account, then PUT Bucket calls fail if the request includes a public ACL.



log snippet:
Able to upload objects before put-public-access-block and after delete-public-access-block. But when public-access-block is set with "BlockPublicAcls=true", the normal object upload without any public ACL in the request is failing, while listing the existing objects and downloading them still works. I have not set any other bucket ACL or any bucket policy on the bucket.

[cephuser@ceph-hsm-dashboard-ijb2m6-node6 ~]$ aws --endpoint-url http://10.0.67.62:80 --profile hsm s3 ls s3://bkt1
2025-02-07 12:22:47   10000000 obj10MB
[cephuser@ceph-hsm-dashboard-ijb2m6-node6 ~]$ 
[cephuser@ceph-hsm-dashboard-ijb2m6-node6 ~]$ aws --endpoint-url http://10.0.67.62:80 --profile hsm s3api put-public-access-block --bucket bkt1 --public-access-block-configuration "BlockPublicAcls=true"
[cephuser@ceph-hsm-dashboard-ijb2m6-node6 ~]$ 
[cephuser@ceph-hsm-dashboard-ijb2m6-node6 ~]$ aws --endpoint-url http://10.0.67.62:80 --profile hsm s3api get-public-access-block --bucket bkt1
{
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": true,
        "IgnorePublicAcls": false,
        "BlockPublicPolicy": false,
        "RestrictPublicBuckets": false
    }
}
[cephuser@ceph-hsm-dashboard-ijb2m6-node6 ~]$ 
[cephuser@ceph-hsm-dashboard-ijb2m6-node6 ~]$ aws --endpoint-url http://10.0.67.62:80 --profile hsm s3 cp obj10MB s3://bkt1/obj1
upload failed: ./obj10MB to s3://bkt1/obj1 argument of type 'NoneType' is not iterable
[cephuser@ceph-hsm-dashboard-ijb2m6-node6 ~]$ 
[cephuser@ceph-hsm-dashboard-ijb2m6-node6 ~]$ aws --endpoint-url http://10.0.67.62:80 --profile hsm s3api delete-public-access-block --bucket bkt1
[cephuser@ceph-hsm-dashboard-ijb2m6-node6 ~]$ 
[cephuser@ceph-hsm-dashboard-ijb2m6-node6 ~]$ aws --endpoint-url http://10.0.67.62:80 --profile hsm s3api get-public-access-block --bucket bkt1

An error occurred (NoSuchPublicAccessBlockConfiguration) when calling the GetPublicAccessBlock operation: The public access block configuration was not found
[cephuser@ceph-hsm-dashboard-ijb2m6-node6 ~]$ 
[cephuser@ceph-hsm-dashboard-ijb2m6-node6 ~]$ aws --endpoint-url http://10.0.67.62:80 --profile hsm s3 cp obj10MB s3://bkt1/obj2
upload: ./obj10MB to s3://bkt1/obj2                             
[cephuser@ceph-hsm-dashboard-ijb2m6-node6 ~]$ 
[cephuser@ceph-hsm-dashboard-ijb2m6-node6 ~]$ aws --endpoint-url http://10.0.67.62:80 --profile hsm s3 ls s3://bkt1
2025-02-07 12:22:47   10000000 obj10MB
2025-02-07 12:30:34   10000000 obj2
[cephuser@ceph-hsm-dashboard-ijb2m6-node6 ~]$ 



Found this error in the rgw log:

2025-02-07T12:25:52.721+0000 7f37b0f34640 10 req 5256482051129602281 0.000000000s s3:abort_multipart evaluate_iam_policies: implicit deny from identity-based policy


Version-Release number of selected component (if applicable):
ceph version 19.2.0-73.el9cp

How reproducible:
always

Steps to Reproduce:
1. Create a bucket.
2. put-public-access-block with "BlockPublicAcls=true" on the bucket:
[cephuser@ceph-hsm-dashboard-ijb2m6-node6 ~]$ aws --endpoint-url http://10.0.67.62:80 --profile hsm s3api put-public-access-block --bucket bkt1 --public-access-block-configuration "BlockPublicAcls=true"
3. Try to upload an object without any public ACL set in the request. It fails with AccessDenied:
[cephuser@ceph-hsm-dashboard-ijb2m6-node6 ~]$ aws --endpoint-url http://10.0.67.62:80 --profile hsm s3 cp obj10MB s3://bkt1/obj1
upload failed: ./obj10MB to s3://bkt1/obj1 argument of type 'NoneType' is not iterable
[cephuser@ceph-hsm-dashboard-ijb2m6-node6 ~]$ 

Actual results:
put-object without any public ACL in the request is failing with AccessDenied.

Expected results:
put-object without any public ACL in the request is expected to succeed.

Additional info:
rgw logs at debug level 20 are present here: http://magna002.ceph.redhat.com/cephci-jenkins/hsm/PR_public_access_block/ceph-client.rgw.rgw.all.ceph-hsm-dashboard-ijb2m6-node5.cikgdf.log

log output is captured in this doc: https://docs.google.com/document/d/1N5FOXCaPhTRd5VIDWtQv9P69afcjo2XiDcAWADVqDOc/edit?usp=sharing
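The following is an added illustration, not RGW's code, of the failure mode the Doc Text describes: a canned-ACL matcher that treats the int result of `compare()` as a boolean "matches" is reversed (zero means equal), so the default `private` ACL of a plain PutObject is mistaken for a public one and the upload is blocked, exactly the behaviour reported above. The canned-ACL table, the `CannedAcl` struct and the `block_put_object*` functions are constructed for this example; only the `compare()` versus `operator==` distinction comes from the bug record.

```cpp
#include <array>
#include <string_view>

// Constructed table (not RGW's): a canned ACL counts as public when it grants
// anything to the AllUsers or AuthenticatedUsers groups.
struct CannedAcl {
    std::string_view name;
    bool is_public;
};

constexpr std::array<CannedAcl, 5> kCannedAcls{{
    {"private", false},
    {"public-read", true},
    {"public-read-write", true},
    {"authenticated-read", true},
    {"bucket-owner-read", false},
}};

// Buggy matcher: string_view::compare() returns 0 on equality, so using its
// result as "matches" is reversed: every *different* name looks like a match.
struct MatchByCompare {
    std::string_view wanted;
    bool operator()(const CannedAcl& acl) const { return acl.name.compare(wanted); }
};

// Fixed matcher: operator== is true exactly when the names are equal.
struct MatchByEquality {
    std::string_view wanted;
    bool operator()(const CannedAcl& acl) const { return acl.name == wanted; }
};

// Decide whether BlockPublicAcls=true must reject a PutObject carrying the
// canned ACL `requested`. An absent x-amz-acl header means "private".
template <class Matcher>
bool block_put_object(std::string_view requested) {
    if (requested.empty()) requested = "private";
    Matcher match{requested};
    for (const auto& acl : kCannedAcls) {
        if (match(acl)) return acl.is_public;  // first entry the matcher accepts
    }
    return false;  // unknown canned ACL: leave it to later checks
}

bool block_put_object_buggy(std::string_view acl) { return block_put_object<MatchByCompare>(acl); }
bool block_put_object_fixed(std::string_view acl) { return block_put_object<MatchByEquality>(acl); }
```

With the buggy matcher, `private` fails to match itself, matches the next entry (`public-read`) instead, and the plain upload is denied; with `operator==` only genuinely public canned ACLs are blocked.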

Comment 6 errata-xmlrpc 2026-01-29 06:53:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Red Hat Ceph Storage 9.0 Security and Enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2026:1536