Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rgw:BucketWebsite's op permission #44060

Open
wants to merge 1 commit into
base: nautilus
Choose a base branch
from
Open

rgw:BucketWebsite's op permission #44060

wants to merge 1 commit into from

Conversation

Gaoweinan
Copy link
Contributor

In the current code version, the op permission of bucket website is READ_ACP and WRITE_ACP, but I think it should be READ and WRITE.

Signed-off-by: gaoweinan gaoweinan@inspur.com

Checklist

  • Tracker (select at least one)
    • References tracker ticket
    • Very recent bug; references commit where it was introduced
    • New feature (ticket optional)
    • Doc update (no ticket needed)
  • Component impact
    • Affects Dashboard, opened tracker ticket
    • Affects Orchestrator, opened tracker ticket
    • No impact that needs to be tracked
  • Documentation (select at least one)
    • Updates relevant documentation
    • No doc update is appropriate
  • Tests (select at least one)
  • Teuthology
    • Completed teuthology run
    • No teuthology test necessary (e.g., documentation)
Show available Jenkins commands
  • jenkins retest this please
  • jenkins test classic perf
  • jenkins test crimson perf
  • jenkins test signed
  • jenkins test make check
  • jenkins test make check arm64
  • jenkins test submodules
  • jenkins test dashboard
  • jenkins test dashboard cephadm
  • jenkins test api
  • jenkins test docs
  • jenkins render docs
  • jenkins test ceph-volume all
  • jenkins test ceph-volume tox

@Gaoweinan
rgw:BucketWebsite's op permission
c3997bc 
In the current code version, the op permission of bucket website is READ_ACP and WRITE_ACP, but I think it should be READ and WRITE.

Signed-off-by: gaoweinan <gaoweinan@inspur.com>
@github-actions github-actions bot added this to the nautilus milestone Nov 23, 2021
@cbodley
Copy link
Contributor

cbodley commented Nov 23, 2021

In the current code version, the op permission of bucket website is READ_ACP and WRITE_ACP, but I think it should be READ and WRITE.

thanks @Gaoweinan, that's an interesting observation. i've had trouble finding AWS documentation that clearly says one way or the other. both [1] and [2] do state that READ_ACP/WRITE_ACP are specific to ACLs, but the READ/WRITE sections don't say anything about the other policy operations like PutBucketCORS/Logging/Notification/Policy/Versioning/Website/Lifecycle/etc

[1] https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#permissions
[2] https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#acl-access-policy-permission-mapping

our interpretation has been that the ACP acls cover all of the related policy, not just the access control policy. for example, if we did allow a user with a WRITE acl grant on a bucket to issue PutBucketPolicy, they could grant themselves any access that WRITE_ACL and PutBucketAcl would

it could be interesting to confirm whether or not this behavior matches AWS, but it's going to be hard for Ceph to change how it enforces these ACLs without breaking existing users

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
pending-discussion
Projects
None yet
Milestone
nautilus
2 participants
@Gaoweinan @cbodley