[Bug 1847544] Re: backport: S3 policy evaluated incorrectly

Edward Hope-Morley edward.hope-morley at canonical.com
Tue Dec 3 10:01:27 UTC 2019

** Also affects: cloud-archive/queens
   Importance: Undecided
       Status: New

You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.

  backport: S3 policy evaluated incorrectly

Status in Ubuntu Cloud Archive:
  In Progress
Status in Ubuntu Cloud Archive queens series:
Status in ceph package in Ubuntu:
  In Progress
Status in ceph source package in Bionic:
  In Progress
Status in ceph source package in Disco:
  Won't Fix
Status in ceph source package in Eoan:
  Won't Fix
Status in ceph source package in Focal:
  Won't Fix

Bug description:
  If a user tries to access a non-existent bucket, it should get a 'NoSuchBucket' error message (404)
  But if there is such a bucket which is belonged to another user, radosgw will return 'AccessDenied' error (403)
  This is an incorrect error message, radosgw should return 404

  [Test Case]
  Create a user by radosgw-admin, then create a bucket through S3 by this user
  Create another user and try to access the bucket created by the above user
  The error message must be 'NoSuchBucket', not 'AccessDenied'

  [Regression Potential]
  Low, this patch checks 
  1. 'is_admin_of' and 'verify_permission' separately instead of 'and' the results of them
  2. if the bucket policy allow the user to access this bucket
  to make sure it returns the correct error code, so basically it checks the same thing as before but in the correct order

  [Other Information]
  Backport Ceph issue 38638 to Luminous.

  If a user different from the owner (or even an anonymous user) does a
  GetObject/HeadObject on a non existing object, Radosgw returns status
  code 403, rather than the correct status 404.

  A version of this was merged into Ceph master:

  And backported to luminous has been accepted:

To manage notifications about this bug go to:

More information about the Ubuntu-openstack-bugs mailing list