Bug 2345305 - [rgw][server-access-logging][RFE]: add support for configuring permission for a bucket to be used as a target bucket for log object delivery
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: RGW
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 8.1
Assignee: Yuval Lifshitz
QA Contact: Hemanth Sai
Docs Contact: Rivka Pollack
URL:
Whiteboard:
Depends On:
Blocks: 2351689
Reported: 2025-02-12 17:45 UTC by Hemanth Sai
Modified: 2025-08-07 15:37 UTC (History)

Fixed In Version: ceph-19.2.1-107.el9cp
Doc Type: Bug Fix
Doc Text:
.Target buckets now need a bucket policy for users to write logs to them
Previously, no permission checks were run on the target bucket for bucket logging. As a result, any user could write logs to a target bucket without needing specific permissions. With this fix, a bucket policy must be added on a target bucket to allow specific users to write logs to it.
Clone Of:
Environment:
Last Closed: 2025-06-26 12:25:36 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHCEPH-10606 0 None None None 2025-02-12 17:45:47 UTC
Red Hat Product Errata RHSA-2025:9775 0 None None None 2025-06-26 12:25:44 UTC

Description Hemanth Sai 2025-02-12 17:45:09 UTC
Description of problem:
Add support for configuring permission to allow a bucket to be used as a target bucket for log delivery.
Currently I can configure bucket logging on a bucket with another user's bucket as the target bucket. Without any access, other users can use my bucket as the target bucket for bucket logging. This is a security issue.


log snippet:


[root@magna016 ~]# aws --endpoint-url http://10.8.128.16:81 --profile hsm1 s3 mb s3://hsm1-dest-bkt0
make_bucket: hsm1-dest-bkt0
[root@magna016 ~]#


[root@magna016 ~]# aws --endpoint-url http://10.8.128.16:81 --profile hsm s3api get-bucket-logging --bucket hsm-src-bkt0
{
    "LoggingEnabled": {
        "TargetBucket": "hsm1-dest-bkt0",
        "TargetPrefix": "hsm-src-bkt0-logs",
        "TargetObjectKeyFormat": {
            "SimplePrefix": {}
        },
        "ObjectRollTime": 120,
        "LoggingType": "Journal",
        "RecordsBatchSize": 0
    }
}
[root@magna016 ~]# 
[root@magna016 ~]# aws --endpoint-url http://10.8.128.16:81 --profile hsm s3 cp obj1_4KB s3://hsm-src-bkt0/obj4
upload: ./obj1_4KB to s3://hsm-src-bkt0/obj4                   
[root@magna016 ~]# 
[root@magna016 ~]# aws --endpoint-url http://10.8.128.16:81 --profile hsm s3 cp obj1_4KB s3://hsm-src-bkt0/obj5
upload: ./obj1_4KB to s3://hsm-src-bkt0/obj5                   
[root@magna016 ~]# 
[root@magna016 ~]# aws --endpoint-url http://10.8.128.16:81 --profile hsm s3 cp obj1_4KB s3://hsm-src-bkt0/obj6
upload: ./obj1_4KB to s3://hsm-src-bkt0/obj6                   
[root@magna016 ~]# 
[root@magna016 ~]# radosgw-admin bucket logging flush --bucket hsm-src-bkt0
flushed pending logging object 'hsm-src-bkt0-logs2025-02-12-07-47-46-9PJRX3F043TMUNO8' to target bucket 'hsm1-dest-bkt0'
[root@magna016 ~]# 


[root@magna016 ~]# aws --endpoint-url http://10.8.128.16:81 --profile hsm1 s3 ls
2025-02-12 07:45:38 hsm1-dest-bkt0
[root@magna016 ~]# 
[root@magna016 ~]# aws --endpoint-url http://10.8.128.16:81 --profile hsm1 s3 ls s3://hsm1-dest-bkt0
2025-02-12 07:47:46        318 hsm-src-bkt0-logs2025-02-12-07-47-04-RNQVY80875AH0CKH
[root@magna016 ~]# 
[root@magna016 ~]# aws --endpoint-url http://10.8.128.16:81 --profile hsm1 s3 cp s3://hsm1-dest-bkt0/hsm-src-bkt0-logs2025-02-12-07-47-04-RNQVY80875AH0CKH hsm-src-bkt0-logs2025-02-12-07-47-04-RNQVY80875AH0CKH
download: s3://hsm1-dest-bkt0/hsm-src-bkt0-logs2025-02-12-07-47-04-RNQVY80875AH0CKH to ./hsm-src-bkt0-logs2025-02-12-07-47-04-RNQVY80875AH0CKH
[root@magna016 ~]# 
[root@magna016 ~]# 
[root@magna016 ~]# cat hsm-src-bkt0-logs2025-02-12-07-47-04-RNQVY80875AH0CKH
hsm hsm-src-bkt0 [12/Feb/2025:07:47:04 +0000] obj4 REST.PUT.put_obj 4000 6c1b4100d743a6937ad6c59244d535b3
hsm hsm-src-bkt0 [12/Feb/2025:07:47:07 +0000] obj5 REST.PUT.put_obj 4000 6c1b4100d743a6937ad6c59244d535b3
hsm hsm-src-bkt0 [12/Feb/2025:07:47:10 +0000] obj6 REST.PUT.put_obj 4000 6c1b4100d743a6937ad6c59244d535b3
[root@magna016 ~]# 




Version-Release number of selected component (if applicable):
ceph version 19.2.0-53.el9cp

How reproducible:
always

Steps to Reproduce:
1. Create a user (user1) and create a bucket (u1_bkt1).
2. Create another user (user2) and create a bucket under it (u2_bkt2).
3. Run put-bucket-logging on u1_bkt1 with target bucket as u2_bkt1. Upload a few objects into the bucket u1_bkt1; after some time we observe the log object is delivered to u2_bkt1. As we don't have any method to configure permission to allow/deny a bucket being used as a target bucket by allowed/denied users, any user can use any user's bucket as a target bucket.

Actual results:
no permission check to deliver log object to target bucket

Expected results:
expected there should be some configuration settings for log object delivery

Additional info:
logs: https://docs.google.com/document/d/1R9Qol5tNXwNXFQJLpagUdBSyNp7U11YJR67aym_thvg/edit?tab=t.ojj9k1r0ng0n#heading=h.rk3mhpdppc93

Comment 8 errata-xmlrpc 2025-06-26 12:25:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Red Hat Ceph Storage 8.1 security, bug fix, and enhancement updates), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2025:9775
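
Added example, not part of the bug report or of the Ceph code base: an offline audit helper that classifies whether a target-bucket policy would permit log delivery for the logging configuration shown in the description. It assumes the policy follows the AWS S3 server-access-logging convention (service principal logging.s3.amazonaws.com, action s3:PutObject, an aws:SourceArn condition); the names delivery_status and make_policy and the sample policies are constructed for illustration.

```python
import fnmatch

# Assumption: the service principal named in AWS-style logging policies.
LOGGING_PRINCIPAL = "logging.s3.amazonaws.com"

# get-bucket-logging output for hsm-src-bkt0, as shown in the report.
LOGGING_CONF = {"LoggingEnabled": {"TargetBucket": "hsm1-dest-bkt0",
                                   "TargetPrefix": "hsm-src-bkt0-logs"}}

def _listify(value):
    return value if isinstance(value, list) else [value]

def _matches(value, patterns):
    return any(fnmatch.fnmatchcase(value, p) for p in _listify(patterns))

def delivery_status(policy, source_bucket, conf=LOGGING_CONF):
    """Return 'denied', 'scoped' or 'unscoped' for log delivery from
    source_bucket into the target bucket that `policy` is attached to.
    Simplified: Deny statements and other condition keys are ignored."""
    le = conf["LoggingEnabled"]
    # Log object keys are TargetPrefix plus a generated suffix (constructed).
    obj_arn = "arn:aws:s3:::%s/%s2025-02-12-07-47-04-EXAMPLE" % (
        le["TargetBucket"], le["TargetPrefix"])
    src_arn = "arn:aws:s3:::" + source_bucket
    status = "denied"
    for st in _listify((policy or {}).get("Statement", [])):
        principal = st.get("Principal", {})
        if st.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if LOGGING_PRINCIPAL not in _listify(principal.get("Service", [])):
            continue
        if not _matches(obj_arn, st.get("Resource", [])) or not any(
                fnmatch.fnmatchcase("s3:PutObject", a)
                for a in _listify(st.get("Action", []))):
            continue
        allowed = st.get("Condition", {}).get("ArnLike", {}).get("aws:SourceArn")
        if allowed is None:
            return "unscoped"  # any source bucket may deliver logs here
        if _matches(src_arn, allowed):
            status = "scoped"
    return status

def make_policy(source_arn=None):
    """Constructed target-bucket policy; source_arn=None omits the condition."""
    st = {"Effect": "Allow", "Principal": {"Service": LOGGING_PRINCIPAL},
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::hsm1-dest-bkt0/hsm-src-bkt0-logs*"}
    if source_arn:
        st["Condition"] = {"ArnLike": {"aws:SourceArn": source_arn}}
    return {"Version": "2012-10-17", "Statement": [st]}
```

A result of 'unscoped' marks a target bucket whose policy admits log delivery from any source bucket, which is worth reviewing after moving to the fixed version.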

