[Bug 1847544] Re: backport: S3 policy evaluated incorrectly

James Page james.page at ubuntu.com
Mon Jan 27 14:47:50 UTC 2020


** Changed in: ceph (Ubuntu)
       Status: In Progress => Won't Fix

** Changed in: ceph (Ubuntu Focal)
       Status: Won't Fix => Invalid

** Changed in: ceph (Ubuntu Eoan)
       Status: Won't Fix => Invalid

** Changed in: ceph (Ubuntu Disco)
       Status: Won't Fix => Invalid

** Changed in: ceph (Ubuntu)
       Status: Won't Fix => Invalid

** Changed in: cloud-archive/queens
       Status: New => Triaged

** Changed in: cloud-archive
       Status: In Progress => Invalid

** Changed in: cloud-archive/queens
   Importance: Undecided => Medium

** Changed in: ceph (Ubuntu Bionic)
   Importance: Undecided => Medium

https://bugs.launchpad.net/bugs/1847544

Title:
  backport: S3 policy evaluated incorrectly

Status in Ubuntu Cloud Archive:
  Invalid
Status in Ubuntu Cloud Archive queens series:
  Triaged
Status in ceph package in Ubuntu:
  Invalid
Status in ceph source package in Bionic:
  In Progress
Status in ceph source package in Disco:
  Invalid
Status in ceph source package in Eoan:
  Invalid
Status in ceph source package in Focal:
  Invalid

Bug description:
  [Impact]
  If a user tries to access a non-existent bucket, it should get a 'NoSuchBucket' error message (404).
  But if there is such a bucket which belongs to another user, radosgw will return an 'AccessDenied' error (403).
  This is an incorrect error message; radosgw should return 404.

  [Test Case]
  Create a user with radosgw-admin, then create a bucket through S3 as this user.
  Create another user and try to access the bucket created by the above user.
  The error message must be 'NoSuchBucket', not 'AccessDenied'.

  [Regression Potential]
  Low, this patch checks
  1. 'is_admin_of' and 'verify_permission' separately instead of 'and'-ing their results
  2. if the bucket policy allows the user to access this bucket
  to make sure it returns the correct error code, so basically it checks the same thing as before but in the correct order.

  [Other Information]
  Backport Ceph issue 38638 to Luminous.

  If a user different from the owner (or even an anonymous user) does a
  GetObject/HeadObject on a non-existing object, Radosgw returns status
  code 403, rather than the correct status 404.

  A version of this was merged into Ceph master:
  https://tracker.ceph.com/issues/38638
  https://github.com/ceph/ceph/commit/5eb50b7d10da51db72f705807c87775562b79b63

  And a backport to luminous has been accepted:
  https://tracker.ceph.com/issues/39272
  https://github.com/ceph/ceph/commit/a752b21f549cc83745e35324387b85b3d039dfd2
