Problem with S3 policy (grant RW access)

Hello,

We have a problem with a R/W policy on a bucket.

If the bucket owner grants read/write access to another user, the objects created by the grantee are not accessible by the owner (see below) !?!

Why can the owner of a bucket not access objects created by a grantee?

Is it a bug?

## Setup

- radosgw 12.2.5, with OpenStack Keystone integration
- PROJECT_A owner of bucket A
- PROJECT_B with R/W access to bucket A

With the OpenStack Keystone integration the radosgw user ID is the OpenStack project ID. Users are only members of a project.

## S3 Policy

The S3 bucket policy `projectB_read-write.json` grants R/W access to PROJECT_B:

    {
      "Version": "2012-10-17",
      "Id": "read-write",
      "Statement": [
        {
          "Sid": "projectB-read_write",
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::PROJECT_B_ID:root"
            ]
          },
          "Action": [
            "s3:ListBucket",
            "s3:PutObject",
            "s3:DeleteObject",
            "s3:GetObject"
          ],
          "Resource": [
            "arn:aws:s3:::*"
          ]
        }
      ]
    }

## Example of the problem

Owner (PROJECT_A) creates the bucket and sets the policy:

    $ s3cmd -c s3cfg-projectA mb s3://test
    $ s3cmd -c s3cfg-projectA setpolicy projectB_read-write.json s3://test

Grantee (PROJECT_B) uploads an object into the bucket:

    $ s3cmd -c s3cfg-projectB put example.data s3://test
    upload: 'example.data' -> 's3://test/example.data'  [part 1 of 2, 15MB] [1 of 1]
     15728640 of 15728640   100% in    1s    14.99 MB/s  done
    upload: 'example.data' -> 's3://test/example.data'   [part 2 of 2, 479kB] [1 of 1]
     491466 of 491466   100% in    0s     2.99 MB/s  done

Owner (PROJECT_A) tries to download the object uploaded by the grantee (PROJECT_B):

    $ s3cmd -c s3cfg-projectA get s3://test/example.data
    download: 's3://test/example.data' -> './example.data'  [1 of 1]
    ERROR: S3 error: 403 (AccessDenied)

## Possible workaround

If we add the bucket owner (PROJECT_A) to the policy too, then he will be able to access objects created by the grantee (PROJECT_B):

    "Principal": {
      "AWS": [
        "arn:aws:iam::PROJECT_A_ID:root",
        "arn:aws:iam::PROJECT_B_ID:root"
      ]
    },


-- 
SWITCH
Valéry Tschopp, Software Engineer
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
Email: valery.tschopp@xxxxxxxxx Phone: +41 44 268 1544
https://www.switch.ch/ 

_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
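As an added example (not from the original post or the Ceph project), a small Python script that generates a bucket policy of the shape discussed above with the bucket owner always included in Principal, and lints an existing policy for the two weaknesses in the posted one: the missing owner principal and the `arn:aws:s3:::*` resource, which is broader than the single bucket being shared. It assumes radosgw accepts bucket-scoped resource ARNs the way AWS does; the project IDs are placeholders, not real values. The generated JSON can be saved to a file and applied with `s3cmd setpolicy` as in the post.

```python
import json

# Placeholder IDs standing in for the OpenStack project IDs that radosgw uses as user IDs.
PROJECT_A_ID = "PROJECT_A_ID"   # bucket owner
PROJECT_B_ID = "PROJECT_B_ID"   # grantee

def build_rw_policy(bucket, owner_id, grantee_ids, sid="read-write"):
    """Build a policy granting R/W on `bucket` to the owner and every grantee.

    The owner is listed explicitly: as observed on the list, objects written by a
    grantee are owned by the grantee, so the bucket owner needs its own grant to
    read them back. Bucket-level and object-level actions get separate resources.
    """
    principals = [f"arn:aws:iam::{pid}:root" for pid in [owner_id, *grantee_ids]]
    return {
        "Version": "2012-10-17",
        "Id": sid,
        "Statement": [
            {
                "Sid": f"{sid}-bucket",
                "Effect": "Allow",
                "Principal": {"AWS": principals},
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
            },
            {
                "Sid": f"{sid}-objects",
                "Effect": "Allow",
                "Principal": {"AWS": principals},
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/*"],
            },
        ],
    }

def lint_policy(policy, bucket, owner_id):
    """Return findings for the two problems visible in the posted policy."""
    findings = []
    owner_arn = f"arn:aws:iam::{owner_id}:root"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        if isinstance(principals, str):          # "AWS": "*" is also valid syntax
            principals = [principals]
        if owner_arn not in principals and "*" not in principals:
            findings.append(f"{stmt.get('Sid')}: owner {owner_id} missing from Principal")
        for res in stmt.get("Resource", []):
            if res == "arn:aws:s3:::*":
                findings.append(f"{stmt.get('Sid')}: Resource not scoped to bucket {bucket}")
    return findings

def to_json(policy):
    """Serialise for s3cmd setpolicy (write the result to a .json file)."""
    return json.dumps(policy, indent=2)
```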