Re: owner locked out of bucket via bucket policy

Hello Wesley,
Thank you for the response. I tried the same but ended up with 403.

Regards,
Jayanth

On Wed, Nov 8, 2023 at 7:34 PM Wesley Dillingham <wes@xxxxxxxxxxxxxxxxx>
wrote:

> Jayanth:
>
> Just to be clear: with the "--admin" user's keys you have attempted to
> delete the bucket policy using the following method:
> https://docs.aws.amazon.com/cli/latest/reference/s3api/delete-bucket-policy.html
>
> This is what worked for me (on a 16.2.14 cluster). I didn't attempt to
> interact with the affected bucket in any way other than "aws s3api
> delete-bucket-policy"
>
> Respectfully,
>
> *Wes Dillingham*
> wes@xxxxxxxxxxxxxxxxx
> LinkedIn <http://www.linkedin.com/in/wesleydillingham>
>
>
> On Wed, Nov 8, 2023 at 8:30 AM Jayanth Reddy <jayanthreddy5666@xxxxxxxxx>
> wrote:
>
>> Hello Casey,
>>
>> We're totally stuck at this point and none of the options seem to work.
>> Please let us know if there is something in metadata or index to remove
>> those applied bucket policies. We downgraded to v17.2.6 and are encountering
>> the same.
>>
>> Regards,
>> Jayanth
>>
>> On Wed, Nov 8, 2023 at 7:14 AM Jayanth Reddy <jayanthreddy5666@xxxxxxxxx>
>> wrote:
>>
>>> Hello Casey,
>>>
>>> And on further inspection, we identified that there were bucket policies
>>> set from the initial days; we were in v16.2.12.
>>> We upgraded the cluster to v17.2.7 two days ago and it seems obvious
>>> that the IAM error logs were generated the very minute the rgw daemon was
>>> upgraded from v16.2.12 to v17.2.7. Looks like there is some issue with parsing.
>>>
>>> I'm thinking of downgrading back to v17.2.6 or earlier, please let me
>>> know if this is a good option for now.
>>>
>>> Thanks,
>>> Jayanth
>>> ------------------------------
>>> *From:* Jayanth Reddy <jayanthreddy5666@xxxxxxxxx>
>>> *Sent:* Tuesday, November 7, 2023 11:59:38 PM
>>> *To:* Casey Bodley <cbodley@xxxxxxxxxx>
>>> *Cc:* Wesley Dillingham <wes@xxxxxxxxxxxxxxxxx>; ceph-users <
>>> ceph-users@xxxxxxx>; Adam Emerson <aemerson@xxxxxxxxxx>
>>> *Subject:* Re: Re: owner locked out of bucket via bucket policy
>>>
>>> Hello Casey,
>>>
>>> Thank you for the quick response. I see
>>> `rgw_policy_reject_invalid_principals` is not present in v17.2.7. Please
>>> let me know.
>>>
>>> Regards
>>> Jayanth
>>>
>>> On Tue, Nov 7, 2023 at 11:50 PM Casey Bodley <cbodley@xxxxxxxxxx> wrote:
>>>
>>> On Tue, Nov 7, 2023 at 12:41 PM Jayanth Reddy
>>> <jayanthreddy5666@xxxxxxxxx> wrote:
>>> >
>>> > Hello Wesley and Casey,
>>> >
>>> > We've ended up with the same issue and here it appears that even the
>>> user with "--admin" isn't able to do anything. We're now unable to figure
>>> out if it is due to bucket policies, ACLs or IAM of some sort. I'm seeing
>>> these IAM errors in the logs
>>> >
>>> > ```
>>> >
>>> > Nov  7 00:02:00 ceph-05 radosgw[4054570]: req 8786689665323103851 0.003999968s s3:get_obj Error reading IAM Policy: Terminate parsing due to Handler error.
>>> >
>>> > Nov  7 22:51:40 ceph-05 radosgw[4054570]: req 13293029267332025583 0.000000000s s3:list_bucket Error reading IAM Policy: Terminate parsing due to Handler error.
>>>
>>> it's failing to parse the bucket policy document, but the error
>>> message doesn't say what's wrong with it
>>>
>>> disabling rgw_policy_reject_invalid_principals might help if it's
>>> failing on the Principal
>>>
>>> > Nov  7 22:51:40 ceph-05 radosgw[4054570]: req 13293029267332025583 0.000000000s s3:list_bucket init_permissions on :window-dev[1d0fa0b4-04eb-48f9-889b-a60de865ccd8.24143.10]) failed, ret=-13
>>> > Nov  7 22:51:40 ceph-feed-05 radosgw[4054570]: req 13293029267332025583 0.000000000s op->ERRORHANDLER: err_no=-13 new_err_no=-13
>>> >
>>> > ```
>>> >
>>> > Please help with what's wrong here. We're in Ceph v17.2.7.
>>> >
>>> > Regards,
>>> > Jayanth
>>> >
>>> > On Thu, Oct 26, 2023 at 7:14 PM Wesley Dillingham <
>>> wes@xxxxxxxxxxxxxxxxx> wrote:
>>> >>
>>> >> Thank you, this has worked to remove the policy.
>>> >>
>>> >> Respectfully,
>>> >>
>>> >> *Wes Dillingham*
>>> >> wes@xxxxxxxxxxxxxxxxx
>>> >> LinkedIn <http://www.linkedin.com/in/wesleydillingham>
>>> >>
>>> >>
>>> >> On Wed, Oct 25, 2023 at 5:10 PM Casey Bodley <cbodley@xxxxxxxxxx>
>>> wrote:
>>> >>
>>> >> > On Wed, Oct 25, 2023 at 4:59 PM Wesley Dillingham <
>>> wes@xxxxxxxxxxxxxxxxx>
>>> >> > wrote:
>>> >> > >
>>> >> > > Thank you, I am not sure (inherited cluster). I presume such an
>>> >> > > admin user created after-the-fact would work?
>>> >> >
>>> >> > yes
>>> >> >
>>> >> > > Is there a good way to discover an admin user other than iterate
>>> >> > > over all users and retrieve user information? (I presume "radosgw-admin
>>> >> > > user info --uid=<user>" would illustrate such administrative access?)
>>> >> >
>>> >> > not sure there's an easy way to search existing users, but you could
>>> >> > create a temporary admin user for this repair
>>> >> >
>>> >> > >
>>> >> > > Respectfully,
>>> >> > >
>>> >> > > Wes Dillingham
>>> >> > > wes@xxxxxxxxxxxxxxxxx
>>> >> > > LinkedIn
>>> >> > >
>>> >> > >
>>> >> > > On Wed, Oct 25, 2023 at 4:41 PM Casey Bodley <cbodley@xxxxxxxxxx>
>>> wrote:
>>> >> > >>
>>> >> > >> if you have an administrative user (created with --admin), you
>>> >> > >> should be able to use its credentials with awscli to delete or
>>> >> > >> overwrite this bucket policy
>>> >> > >>
>>> >> > >> On Wed, Oct 25, 2023 at 4:11 PM Wesley Dillingham <
>>> >> > wes@xxxxxxxxxxxxxxxxx> wrote:
>>> >> > >> >
>>> >> > >> > I have a bucket which got injected with a bucket policy which
>>> >> > >> > locks the bucket even to the bucket owner. The bucket now cannot be
>>> >> > >> > accessed (even get its info or delete bucket policy does not work). I have
>>> >> > >> > looked in the radosgw-admin command for a way to delete a bucket policy but
>>> >> > >> > do not see anything. I presume I will need to somehow remove the bucket
>>> >> > >> > policy from however it is stored in the bucket metadata / omap etc. If
>>> >> > >> > anyone can point me in the right direction on that I would appreciate it. Thanks
>>> >> > >> >
>>> >> > >> > Respectfully,
>>> >> > >> >
>>> >> > >> > *Wes Dillingham*
>>> >> > >> > wes@xxxxxxxxxxxxxxxxx
>>> >> > >> > LinkedIn <http://www.linkedin.com/in/wesleydillingham>
>>> >> > >> > _______________________________________________
>>> >> > >> > ceph-users mailing list -- ceph-users@xxxxxxx
>>> >> > >> > To unsubscribe send an email to ceph-users-leave@xxxxxxx
>>> >> > >> >
>>> >> > >>
>>> >> >
>>> >> >
>>>
>>>
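The problem running through this thread is a bucket policy whose Deny reaches the bucket owner, so the owner can no longer read, replace or delete the policy and an admin user has to step in. Below is an added example (not from the thread, not Ceph's or awscli's code) of a pre-flight check that flags such statements before `put-bucket-policy` is run; the policy document, the bucket name reuse and the owner ARN format are constructed assumptions.

```python
import fnmatch
import json
# The calls the bucket owner needs in order to inspect or undo a bad policy.
RECOVERY_ACTIONS = ("s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:DeleteBucketPolicy")

def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])

def _covers_owner(principal, owner_arn):
    # Principal "*" or {"AWS": "*"} reaches everyone, the bucket owner included.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = _as_list(principal.get("AWS"))
        return "*" in aws or owner_arn in aws
    return False

def _covers_action(actions, wanted):
    # Actions may be wildcards such as "s3:*" or "s3:*BucketPolicy".
    return any(fnmatch.fnmatchcase(wanted, a) for a in _as_list(actions))

def find_owner_lockouts(policy_json, owner_arn):
    """Labels of Deny statements that would stop the owner from reading, replacing
    or deleting the policy. NotPrincipal/NotAction statements are flagged for review."""
    findings = []
    for i, st in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if st.get("Effect") != "Deny":
            continue
        label = st.get("Sid", "statement[%d]" % i)
        if "NotPrincipal" in st or "NotAction" in st:
            findings.append(label + ": uses NotPrincipal/NotAction, review by hand")
            continue
        if not _covers_owner(st.get("Principal"), owner_arn):
            continue
        blocked = [a for a in RECOVERY_ACTIONS if _covers_action(st.get("Action"), a)]
        if blocked:
            findings.append("%s: denies owner %s" % (label, ", ".join(blocked)))
    return findings

# Constructed policy and owner ARN (RGW-style user ARN, assumed): a harmless
# public-read grant followed by the kind of blanket Deny that locks out the owner.
OWNER_ARN = "arn:aws:iam:::user/owner"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::window-dev/*"},
    {"Sid": "LockAll", "Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "s3:*",
     "Resource": ["arn:aws:s3:::window-dev", "arn:aws:s3:::window-dev/*"]}]})
if __name__ == "__main__":
    for finding in find_owner_lockouts(SAMPLE_POLICY, OWNER_ARN):
        print(finding)
```

Run it against the document you are about to apply; an empty result means no explicit Deny reaches the owner's policy-management calls, while any finding is a policy you would only be able to undo with a separately created admin user.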