pacific: rgw/sts: fix read_obj_policy permission evaluation #44471

Merged
merged 1 commit into from Nov 28, 2023

pritha-srivastava
Contributor

backport tracker: https://tracker.ceph.com/issues/53648


backport of #42009
parent tracker: https://tracker.ceph.com/issues/52302

this backport was staged using ceph-backport.sh version 16.0.0.6848
find the latest version at https://github.com/ceph/ceph/blob/master/src/script/ceph-backport.sh

@pritha-srivastava pritha-srivastava added this to the pacific milestone Jan 5, 2022
@pritha-srivastava pritha-srivastava requested review from a team as code owners May 16, 2022 18:49
@pritha-srivastava pritha-srivastava requested review from pereman2 and nizamial09 and removed request for a team May 16, 2022 18:49
@cbodley
Contributor

cbodley commented Oct 4, 2022

@pritha-srivastava can you please rebase?

@rkachach rkachach requested review from a team and removed request for a team February 22, 2023 10:08
@github-actions

This pull request can no longer be automatically merged: a rebase is needed and changes have to be manually resolved

@k0ste
Contributor

k0ste commented Oct 14, 2023

@pritha-srivastava needs rebase

to pass in boost::none for the identity parameter
as identity IAM policies do not have a Principal
for evaluation.
The Principal is the role or the identity to which
the policy is attached.

Also removing boost::optional<const rgw::auth::Identity&> id
parameter from eval_identity_or_session_policies in all
places, since an identity or a session policy doesn't have
a Principal element. The identity (user or role) or the
session is implicitly the 'Principal' to which the policy
is attached.

fixes: https://tracker.ceph.com/issues/52302

Signed-off-by: Pritha Srivastava <prsrivas@redhat.com>
(cherry picked from commit 59c46f2)

Conflicts:
	src/rgw/rgw_op.cc conflicts with auth in DeleteMultiObj
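
The effect of supplying an identity when evaluating a policy that has no Principal, as an added example that is not code from this PR or from Ceph. It is a simplified model: `Identity`, `Statement`, `eval_policy` and the ARNs are constructed for illustration, and the rule that a supplied identity must match a statement's Principal is an assumption of the model.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Constructed model for illustration; these are not Ceph's types.
struct Identity { std::string arn; };
enum class Effect { Allow, Deny, Pass };
struct Statement {
    Effect effect;
    std::vector<std::string> principals;  // empty in identity/session policies
    std::string action, resource;
};

// Assumed rule: if an identity is supplied, the statement's Principal must
// name it. A null identity (the "none" case) skips the Principal check.
bool principal_matches(const Statement& s, const Identity* id) {
    if (id == nullptr) return true;
    for (const auto& p : s.principals)
        if (p == "*" || p == id->arn) return true;
    return false;  // also reached when the statement has no Principal at all
}

Effect eval_policy(const std::vector<Statement>& policy, const Identity* id,
                   const std::string& action, const std::string& resource) {
    Effect result = Effect::Pass;
    for (const auto& s : policy) {
        if (!principal_matches(s, id)) continue;
        if (s.action != action || s.resource != resource) continue;
        if (s.effect == Effect::Deny) return Effect::Deny;  // explicit deny wins
        result = Effect::Allow;
    }
    return result;
}

const std::string kAction = "s3:GetObject";
const std::string kObject = "arn:aws:s3:::bucket/key";      // constructed ARN
const Identity kRole{"arn:aws:iam:::role/reader"};           // constructed ARN
// Identity policy attached to the role: no Principal, the role is implicit.
std::vector<Statement> role_policy() { return {Statement{Effect::Allow, {}, kAction, kObject}}; }
// Resource (bucket) policy: names its Principal explicitly.
std::vector<Statement> bucket_policy() { return {Statement{Effect::Allow, {kRole.arn}, kAction, kObject}}; }

int main() {
    // Prints 1 0 1: the identity policy only takes effect without an identity.
    std::cout << (eval_policy(role_policy(), nullptr, kAction, kObject) == Effect::Allow) << ' '
              << (eval_policy(role_policy(), &kRole, kAction, kObject) == Effect::Allow) << ' '
              << (eval_policy(bucket_policy(), &kRole, kAction, kObject) == Effect::Allow) << '\n';
}
```

In this model the role's own policy silently stops granting access once an identity is passed in, which is the kind of mis-evaluation a Principal check on a Principal-less policy produces.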
@cbodley
Contributor

cbodley commented Oct 17, 2023

pushed a rebase. documented conflicts in RGWDeleteMultiObj from e1534a5

@cbodley cbodley removed request for a team, pereman2 and nizamial09 October 17, 2023 15:40
@cfsnyder cfsnyder modified the milestones: pacific, v16.2.15 Nov 13, 2023
@smanjara
Contributor

teuthology failure related to STS test in:
http://qa-proxy.ceph.com/teuthology/yuriw-2023-11-15_21:09:02-rgw-wip-yuri8-testing-2023-11-15-0816-pacific-distro-default-smithi/7459318/teuthology.log

2023-11-15T21:59:09.081 INFO:teuthology.orchestra.run.smithi111.stderr:
2023-11-15T21:59:09.081 INFO:teuthology.orchestra.run.smithi111.stderr:======================================================================

2023-11-15T21:59:09.083 INFO:teuthology.orchestra.run.smithi111.stderr: nuke_prefixed_buckets(prefix=prefix, client=alt_client)
2023-11-15T21:59:09.083 INFO:teuthology.orchestra.run.smithi111.stderr: File "/home/ubuntu/cephtest/s3-tests/s3tests_boto3/functional/init.py", line 115, in nuke_prefixed_buckets
2023-11-15T21:59:09.083 INFO:teuthology.orchestra.run.smithi111.stderr: buckets = get_buckets_list(client, prefix)
2023-11-15T21:59:09.083 INFO:teuthology.orchestra.run.smithi111.stderr: File "/home/ubuntu/cephtest/s3-tests/s3tests_boto3/functional/init.py", line 52, in get_buckets_list
2023-11-15T21:59:09.083 INFO:teuthology.orchestra.run.smithi111.stderr: response = client.list_buckets()
2023-11-15T21:59:09.083 INFO:teuthology.orchestra.run.smithi111.stderr: File "/home/ubuntu/cephtest/s3-tests/virtualenv/lib/python3.6/site-packages/botocore/client.py", line 508, in _api_call
2023-11-15T21:59:09.083 INFO:teuthology.orchestra.run.smithi111.stderr: return self._make_api_call(operation_name, kwargs)
2023-11-15T21:59:09.083 INFO:teuthology.orchestra.run.smithi111.stderr: File "/home/ubuntu/cephtest/s3-tests/virtualenv/lib/python3.6/site-packages/botocore/client.py", line 911, in _make_api_call
2023-11-15T21:59:09.083 INFO:teuthology.orchestra.run.smithi111.stderr: raise error_class(parsed_response, operation_name)
2023-11-15T21:59:09.083 INFO:teuthology.orchestra.run.smithi111.stderr:botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the ListBuckets operation: None

@cbodley
Contributor

cbodley commented Nov 27, 2023

i think this was https://tracker.ceph.com/issues/53090, which @TRYTOBE8TME fixed in ceph/s3-tests#428. that fix was on ceph-reef and ceph-quincy branches, but not ceph-pacific so i cherry-picked it there

@smanjara smanjara self-requested a review November 28, 2023 17:40
@yuriw yuriw merged commit a5896d8 into ceph:pacific Nov 28, 2023
8 checks passed