Re: RGW multi-object delete failing with 403 denied

Hi Chris,

I don't see the problem offhand, so could you create a tracker issue?

thanks,

Matt

On Sat, Jul 11, 2020 at 2:00 PM Chris Palmer
<chris@xxxxxxxxxxxxxxxxxxxxx> wrote:
>
> Hi
>
> An RGW access denied problem that I can't get anywhere with...
>
>   * Bucket mybucket owned by user "c"
>   * Bucket policy grants s3:listBucket on mybucket, and s3:putObject &
>     s3:deleteObject on mybucket/* to user "j", and s3:getObject to * (I
>     even granted s3:* on mybucket/* to "j" with no effect)
>   * User "j" can create objects in mybucket, and can delete individual
>     objects (using DELETE)
>   * User "j" get 403 when trying to do a multi-object-delete (POST
>     /mybucket/?delete with a list of 4 object keys)
>
> Code is a Java servlet running in Wildfly, loading its credentials from
> the default ~/.aws/credentials file. It enables path-style access. If I
> change the credentials in there to those of the bucket owner "c" it works...
>
> What's different about permissioning for multi-object-delete?
>
> Log file shows access has been granted, but further down there is a
> suspicious "Permissions for user not found" (don't know if that is
> expected or not).
>
> Thanks, Chris
>
> -------
>
> Extract from RGW log with debugging at level 20:
>
> 2020-07-11T17:55:54.038+0100 7f45adad7700 20 req 15 0.004000002s
> s3:multi_object_delete rgw::auth::s3::LocalEngine granted access
> 2020-07-11T17:55:54.038+0100 7f45adad7700 20 req 15 0.004000002s
> s3:multi_object_delete rgw::auth::s3::AWSAuthStrategy granted access
> 2020-07-11T17:55:54.038+0100 7f45adad7700  2 req 15 0.004000002s
> s3:multi_object_delete normalizing buckets and tenants
> 2020-07-11T17:55:54.038+0100 7f45adad7700 10 s->object=<NULL>
> s->bucket=mybucket
> 2020-07-11T17:55:54.038+0100 7f45adad7700  2 req 15 0.004000002s
> s3:multi_object_delete init permissions
> 2020-07-11T17:55:54.038+0100 7f45adad7700 20 get_system_obj_state:
> rctx=0x7f45adacc288 obj=default.rgw.meta:root:mybucket
> state=0x5628b912e9a0 s->prefetch_data=0
> 2020-07-11T17:55:54.038+0100 7f45adad7700 10 cache get:
> name=default.rgw.meta+root+mybucket : hit (requested=0x16, cached=0x17)
> 2020-07-11T17:55:54.038+0100 7f45adad7700 20 get_system_obj_state:
> s->obj_tag was set empty
> 2020-07-11T17:55:54.038+0100 7f45adad7700 10 cache get:
> name=default.rgw.meta+root+mybucket : hit (requested=0x11, cached=0x17)
> 2020-07-11T17:55:54.038+0100 7f45adad7700 15 decode_policy Read
> AccessControlPolicy<AccessControlPolicy
> xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>c</ID><DisplayName>C</DisplayName></Owner><AccessControlList><Grant><Grantee
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="CanonicalUser"><ID>c</ID><DisplayName>C</DisplayName></Grantee><Permission>FULL_CONTROL</Permission></Grant></AccessControlList></AccessControlPolicy>
> 2020-07-11T17:55:54.038+0100 7f45adad7700 20 get_system_obj_state:
> rctx=0x7f45adacc668 obj=default.rgw.meta:users.uid:j
> state=0x5628b912e9a0 s->prefetch_data=0
> 2020-07-11T17:55:54.038+0100 7f45adad7700 10 cache get:
> name=default.rgw.meta+users.uid+j : hit (requested=0x6, cached=0x17)
> 2020-07-11T17:55:54.038+0100 7f45adad7700 20 get_system_obj_state:
> s->obj_tag was set empty
> 2020-07-11T17:55:54.038+0100 7f45adad7700 20 Read xattr: user.rgw.idtag
> 2020-07-11T17:55:54.038+0100 7f45adad7700 10 cache get:
> name=default.rgw.meta+users.uid+j : hit (requested=0x3, cached=0x17)
> 2020-07-11T17:55:54.038+0100 7f45adad7700  2 req 15 0.004000002s
> s3:multi_object_delete recalculating target
> 2020-07-11T17:55:54.038+0100 7f45adad7700  2 req 15 0.004000002s
> s3:multi_object_delete reading permissions
> 2020-07-11T17:55:54.038+0100 7f45adad7700  2 req 15 0.004000002s
> s3:multi_object_delete init op
> 2020-07-11T17:55:54.038+0100 7f45adad7700  2 req 15 0.004000002s
> s3:multi_object_delete verifying op mask
> 2020-07-11T17:55:54.038+0100 7f45adad7700 20 req 15 0.004000002s
> s3:multi_object_delete required_mask= 4 user.op_mask=7
> 2020-07-11T17:55:54.038+0100 7f45adad7700  2 req 15 0.004000002s
> s3:multi_object_delete verifying op permissions
> 2020-07-11T17:55:54.038+0100 7f45adad7700 20 req 15 0.004000002s
> s3:multi_object_delete -- Getting permissions begin with perm_mask=50
> 2020-07-11T17:55:54.038+0100 7f45adad7700  5 req 15 0.004000002s
> s3:multi_object_delete Searching permissions for
> identity=rgw::auth::SysReqApplier ->
> rgw::auth::LocalApplier(acct_user=j, acct_name=J, subuser=,
> perm_mask=15, is_admin=0) mask=50
> 2020-07-11T17:55:54.038+0100 7f45adad7700  5 Searching permissions for uid=j
> 2020-07-11T17:55:54.038+0100 7f45adad7700  5 Permissions for user not found
> 2020-07-11T17:55:54.038+0100 7f45adad7700  5 Searching permissions for
> group=1 mask=50
> 2020-07-11T17:55:54.038+0100 7f45adad7700  5 Permissions for group not found
> 2020-07-11T17:55:54.038+0100 7f45adad7700  5 Searching permissions for
> group=2 mask=50
> 2020-07-11T17:55:54.038+0100 7f45adad7700  5 Permissions for group not found
> 2020-07-11T17:55:54.038+0100 7f45adad7700  5 req 15 0.004000002s
> s3:multi_object_delete -- Getting permissions done for
> identity=rgw::auth::SysReqApplier ->
> rgw::auth::LocalApplier(acct_user=j, acct_name=J, subuser=,
> perm_mask=15, is_admin=0), owner=c, perm=0
> 2020-07-11T17:55:54.038+0100 7f45adad7700 10 req 15 0.004000002s
> s3:multi_object_delete  identity=rgw::auth::SysReqApplier ->
> rgw::auth::LocalApplier(acct_user=j, acct_name=J, subuser=,
> perm_mask=15, is_admin=0) requested perm (type)=2, policy perm=0,
> user_perm_mask=2, acl perm=0
> 2020-07-11T17:55:54.038+0100 7f45adad7700  1 op->ERRORHANDLER:
> err_no=-13 new_err_no=-13
> 2020-07-11T17:55:54.038+0100 7f45adad7700  2 req 15 0.004000002s
> s3:multi_object_delete op status=0
> 2020-07-11T17:55:54.038+0100 7f45adad7700  2 req 15 0.004000002s
> s3:multi_object_delete http status=403
> 2020-07-11T17:55:54.038+0100 7f45adad7700  1 ====== req done
> req=0x7f45adaced50 op status=0 http_status=403 latency=0.004000002s ======
> 2020-07-11T17:55:54.038+0100 7f45adad7700 20 process_request() returned -13
> 2020-07-11T17:55:54.038+0100 7f45adad7700  1 civetweb: 0x5628b9424000:
> 192.168.80.135 - - [11/Jul/2020:17:55:54 +0100] "POST /mybucket/?delete
> HTTP/1.1" 403 464 - aws-sdk-java/1.11.820 Linux/5.7.7-200.fc32.x86_64
> OpenJDK_64-Bit_Server_VM/14.0.1+7 java/14.0.1 vendor/Red_Hat,_Inc.
>
>
> _______________________________________________
> ceph-users mailing list -- ceph-users@xxxxxxx
> To unsubscribe send an email to ceph-users-leave@xxxxxxx



-- 

Matt Benjamin
Red Hat, Inc.
315 West Huron Street, Suite 140A
Ann Arbor, Michigan 48103

http://www.redhat.com/en/technologies/storage

tel.  734-821-5101
fax.  734-769-8938
cel.  734-216-5309
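The debug extract quoted above carries the whole authorization decision in a handful of lines (the auth engine granting access, the ACL lookups for the user and groups, the final "policy perm / acl perm / requested perm" line and the HTTP status), and a reader triaging a 403 wants those pulled out and read together rather than scanned by eye. The parser below is an added example written for this thread; it is not code from the post, from Ceph, or from the RGW project. It groups the lines by request id, extracts the decision fields, and turns them into plain findings. The sample input is reproduced from the post's own log lines (re-joined where the mail client wrapped them), and the named permission bits are my reading of rgw_acl.h, used only to make the numeric masks readable; treat that mapping as an assumption, not something the post states.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: lines reproduced from the level-20 RGW extract quoted above,
# re-joined onto single lines where the mail client had wrapped them.
SAMPLE_LOG = """\
2020-07-11T17:55:54.038+0100 7f45adad7700 20 req 15 0.004000002s s3:multi_object_delete rgw::auth::s3::LocalEngine granted access
2020-07-11T17:55:54.038+0100 7f45adad7700  5 req 15 0.004000002s s3:multi_object_delete Searching permissions for identity=rgw::auth::SysReqApplier -> rgw::auth::LocalApplier(acct_user=j, acct_name=J, subuser=, perm_mask=15, is_admin=0) mask=50
2020-07-11T17:55:54.038+0100 7f45adad7700  5 Searching permissions for uid=j
2020-07-11T17:55:54.038+0100 7f45adad7700  5 Permissions for user not found
2020-07-11T17:55:54.038+0100 7f45adad7700  5 Searching permissions for group=1 mask=50
2020-07-11T17:55:54.038+0100 7f45adad7700  5 Permissions for group not found
2020-07-11T17:55:54.038+0100 7f45adad7700  5 req 15 0.004000002s s3:multi_object_delete -- Getting permissions done for identity=rgw::auth::SysReqApplier -> rgw::auth::LocalApplier(acct_user=j, acct_name=J, subuser=, perm_mask=15, is_admin=0), owner=c, perm=0
2020-07-11T17:55:54.038+0100 7f45adad7700 10 req 15 0.004000002s s3:multi_object_delete  identity=rgw::auth::SysReqApplier -> rgw::auth::LocalApplier(acct_user=j, acct_name=J, subuser=, perm_mask=15, is_admin=0) requested perm (type)=2, policy perm=0, user_perm_mask=2, acl perm=0
2020-07-11T17:55:54.038+0100 7f45adad7700  2 req 15 0.004000002s s3:multi_object_delete http status=403
"""

# RGW ACL permission bits as I read them in rgw_acl.h (an assumption, not stated in
# the post); used only to render the numeric masks in a readable form.
RGW_PERM_BITS = {0x01: "READ", 0x02: "WRITE", 0x04: "READ_ACP",
                 0x08: "WRITE_ACP", 0x10: "READ_OBJS", 0x20: "WRITE_OBJS"}


def decode_perm_mask(mask: int) -> List[str]:
    """Expand a numeric RGW permission mask into its named bits, lowest bit first."""
    return [name for bit, name in sorted(RGW_PERM_BITS.items()) if mask & bit]


@dataclass
class PermDecision:
    """Everything the log reveals about one request's authorization outcome."""
    req_id: str
    op: Optional[str] = None
    auth_granted: bool = False
    acct_user: Optional[str] = None
    is_admin: Optional[bool] = None
    owner: Optional[str] = None
    effective_perm: Optional[int] = None
    requested_perm: Optional[int] = None
    policy_perm: Optional[int] = None
    user_perm_mask: Optional[int] = None
    acl_perm: Optional[int] = None
    http_status: Optional[int] = None
    acl_lookups: List[str] = field(default_factory=list)


# Patterns written against the line shapes visible in the post's extract.
RE_REQ = re.compile(r"\breq (\d+) ")
RE_OP = re.compile(r"\b(s3:[a-z_]+)\b")
RE_AUTH = re.compile(r"rgw::auth::\S+ granted access")
RE_IDENT = re.compile(r"acct_user=(\w+),.*?is_admin=(\d)\)")
RE_NOTFOUND = re.compile(r"Permissions for (user|group) not found")
RE_DONE = re.compile(r"Getting permissions done .*owner=(\w+), perm=(\d+)")
RE_DECISION = re.compile(r"requested perm \(type\)=(\d+), policy perm=(\d+), "
                         r"user_perm_mask=(\d+), acl perm=(\d+)")
RE_STATUS = re.compile(r"http status=(\d+)")


def parse_rgw_log(text: str) -> Dict[str, PermDecision]:
    """Group permission-check lines by request id and pull out the decision fields.

    ACL lookup lines carry no "req N" token, so they are attributed to the most
    recently seen request, which is how they appear in the extract.
    """
    decisions: Dict[str, PermDecision] = {}
    current: Optional[PermDecision] = None
    for line in text.splitlines():
        if m := RE_REQ.search(line):
            current = decisions.setdefault(m.group(1), PermDecision(req_id=m.group(1)))
        if current is None:
            continue  # lines before the first "req N" cannot be attributed
        if current.op is None and (m := RE_OP.search(line)):
            current.op = m.group(1)
        if RE_AUTH.search(line):
            current.auth_granted = True
        if m := RE_IDENT.search(line):
            current.acct_user, current.is_admin = m.group(1), m.group(2) == "1"
        if m := RE_NOTFOUND.search(line):
            current.acl_lookups.append(f"{m.group(1)} not found")
        if m := RE_DONE.search(line):
            current.owner, current.effective_perm = m.group(1), int(m.group(2))
        if m := RE_DECISION.search(line):
            (current.requested_perm, current.policy_perm,
             current.user_perm_mask, current.acl_perm) = map(int, m.groups())
        if m := RE_STATUS.search(line):
            current.http_status = int(m.group(1))
    return decisions


def explain(d: PermDecision) -> List[str]:
    """Turn one request's decision into plain findings a reviewer can act on."""
    findings: List[str] = []
    if d.auth_granted:
        findings.append(f"req {d.req_id}: authentication of acct_user={d.acct_user} succeeded, "
                        "so the outcome is an authorization decision, not a signature problem")
    if d.requested_perm is not None:
        findings.append(f"{d.op} requested perm {d.requested_perm} "
                        f"({'|'.join(decode_perm_mask(d.requested_perm))}) on a bucket owned by {d.owner}")
    if d.policy_perm == 0:
        findings.append("bucket policy contributed no permission for this op (policy perm=0)")
    if d.acl_perm == 0:
        findings.append("bucket ACL contributed no permission (acl perm=0); lookups: "
                        + ", ".join(d.acl_lookups))
    if d.acct_user and d.owner and d.acct_user != d.owner and not d.is_admin:
        findings.append(f"caller {d.acct_user} is neither owner {d.owner} nor admin, "
                        "so only the policy or the ACL could have granted the op")
    if d.http_status is not None:
        findings.append(f"result: HTTP {d.http_status}")
    return findings


if __name__ == "__main__":
    for finding in explain(parse_rgw_log(SAMPLE_LOG)["15"]):
        print(finding)
```

Run against the quoted extract it reports that authentication succeeded, that the multi-object delete asked for WRITE on a bucket owned by c, and that both policy perm and acl perm came back 0 for user j before the 403. Read alongside the decode_policy line earlier in the same extract, which shows a bucket ACL granting FULL_CONTROL to c only, the "Permissions for user not found" message is the ACL search for j coming up empty, which is consistent with that ACL; the line worth focusing on when comparing against a working owner-credential run is the policy perm=0 in the final decision.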