Re: Generated signurl is accessible from restricted IPs in bucket policy

On Wed, Feb 08, 2023 at 03:07:20PM -0000, Aggelos Toumasis wrote:
> Hi there,
> 
> We noticed after creating a signurl that the bucket resources were
> accessible from IPs that were originally restricted from accessing
> them (using a bucket policy).  Using the s3cmd utility we confirmed
> that the Policy is correctly applied and you can access it only for
> the allowed IPs.
>
> Is this expected behavior, or are we missing something?

Can you share the bucket policy?

Also, are you using some reverse proxy in front of RGW, and if so:
are both the proxy & RGW configured for the correct headers to agree on
the actual source IP?

IIRC depending on how the policy is written, you have either of:
- presigned URL || IP-check
- presigned URL && IP-check

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail   : robbat2@xxxxxxxxxx
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
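
The two outcomes listed in the reply, as an added example that is not part of the original message and is not RGW code. It is a simplified model that assumes S3-style evaluation (an explicit Deny overrides any Allow, and a valid presigned URL carries the signer's own access); the bucket name, CIDR range and function names are constructed, and Principal, Action and Resource matching is left out.

```python
import ipaddress

# Constructed sample policies for a hypothetical bucket "example-bucket".
ALLOW_FROM_RANGE = {"Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}}]}

DENY_OUTSIDE_RANGE = {"Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}}]}


def ip_in_ranges(source_ip, cidrs):
    """True if source_ip falls inside any of the CIDR ranges."""
    if isinstance(cidrs, str):
        cidrs = [cidrs]
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def condition_holds(condition, source_ip):
    """Evaluate the IpAddress / NotIpAddress operators on aws:SourceIp."""
    for op, keys in condition.items():
        hit = ip_in_ranges(source_ip, keys["aws:SourceIp"])
        if op == "IpAddress":
            ok = hit
        elif op == "NotIpAddress":
            ok = not hit
        else:
            raise ValueError(f"operator not modelled: {op}")
        if not ok:
            return False
    return True


def evaluate(policy, source_ip, signed_by_owner):
    """Return True if the GET is permitted.

    Assumption: a valid presigned URL from the bucket owner is already
    authorized by the owner's own permissions, before the policy is read.
    source_ip is whatever address the gateway takes as the client address.
    """
    allowed = signed_by_owner
    for stmt in policy["Statement"]:
        if not condition_holds(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return False          # explicit Deny always wins
        allowed = True            # a matching Allow only adds access
    return allowed
```

With `ALLOW_FROM_RANGE` the result is "presigned URL || IP-check"; with `DENY_OUTSIDE_RANGE` it is "presigned URL && IP-check".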
