[Bug 1847544] Re: backport: S3 policy evaluated incorrectly
edward.hope-morley at canonical.com
Tue Dec 3 10:01:27 UTC 2019
** Also affects: cloud-archive/queens
backport: S3 policy evaluated incorrectly
Status in Ubuntu Cloud Archive:
Status in Ubuntu Cloud Archive queens series:
Status in ceph package in Ubuntu:
Status in ceph source package in Bionic:
Status in ceph source package in Disco:
Status in ceph source package in Eoan:
Status in ceph source package in Focal:
If a user tries to access a non-existent bucket, it should get a 'NoSuchBucket' error message (404).
But if there is such a bucket which belongs to another user, radosgw will return an 'AccessDenied' error (403).
This is an incorrect error message; radosgw should return 404.
Create a user with radosgw-admin, then create a bucket through S3 as this user.
Create another user and try to access the bucket created by the above user.
The error message must be 'NoSuchBucket', not 'AccessDenied'.
Low, this patch checks
1. 'is_admin_of' and 'verify_permission' separately instead of 'and'-ing their results
2. if the bucket policy allows the user to access this bucket
to make sure it returns the correct error code, so basically it checks the same thing as before but in the correct order.
Backport Ceph issue 38638 to Luminous.
If a user different from the owner (or even an anonymous user) does a
GetObject/HeadObject on a non-existing object, Radosgw returns status
code 403, rather than the correct status 404.
A version of this was merged into Ceph master:
And the backport to luminous has been accepted: