Bug #13207: Rados Gateway: Anonymous user is able to read bucket with authenticated read ACL #6057
@yehudasa: @rahul1aggarwal I understand. My question was about the specific line changes in rgw_op.cc.
…enticated read ACL Signed-off-by: root <rahul.1aggarwal@gmail.com>
Fix for http://tracker.ceph.com/issues/13207
The public user id in rados gateway is "anonymous", defined by RGW_USER_ANON_ID.
During a public read of a bucket (for example by generating a public URL and accessing it), in the check that determines whether the user is public or not, the id is compared with the public user group's URI rather than with RGW_USER_ANON_ID. This leads to the public user being treated as an authenticated user, and hence reading the bucket works even when the canned ACL for the bucket is set to "authenticated-read".
Also, the bucket_acl object is always created with the base type RGWAccessControlPolicy, while it should be created based on the dialect of the request (S3 or Swift).
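The membership check described above, as an added illustration that is not Ceph's code: a simplified model of how an "authenticated-read" canned ACL is evaluated, with the wrong comparand (the public group URI) beside the corrected one (RGW_USER_ANON_ID). The URI value and the function names are assumptions made for this model.

```cpp
// Added example, not code from the Ceph repository or this pull request.
// Models the anonymous-user check that the PR description says was wrong.
#include <string>

// "anonymous" is the value the PR description gives for RGW_USER_ANON_ID.
static const std::string ANON_USER_ID = "anonymous";
// Assumed URI of the public (all users) group; used here only as the
// wrong comparand the buggy check was using.
static const std::string PUBLIC_GROUP_URI =
    "http://acs.amazonaws.com/groups/global/AllUsers";

enum Perm { PERM_NONE = 0, PERM_READ = 1 };

// Buggy check (as described): the user id is compared with a group URI.
// No user id ever equals a URI, so this is false for everyone, including
// the anonymous user, who is then treated as authenticated.
static bool is_anonymous_buggy(const std::string& uid) {
  return uid == PUBLIC_GROUP_URI;
}

// Fixed check: compare the user id with the anonymous user id.
static bool is_anonymous_fixed(const std::string& uid) {
  return uid == ANON_USER_ID;
}

// What an "authenticated-read" canned ACL grants a requester: READ for
// members of the authenticated-users group, nothing for the anonymous user.
static int authenticated_read_perm(const std::string& uid,
                                   bool (*is_anon)(const std::string&)) {
  bool in_authenticated_group = !is_anon(uid);
  return in_authenticated_group ? PERM_READ : PERM_NONE;
}

// Permission the buggy and fixed checks yield for a given requester.
int perm_with_buggy_check(const std::string& uid) {
  return authenticated_read_perm(uid, is_anonymous_buggy);
}
int perm_with_fixed_check(const std::string& uid) {
  return authenticated_read_perm(uid, is_anonymous_fixed);
}
```

A regression test for the fix is the first pair of assertions: the anonymous requester must get no READ on an authenticated-read bucket, while an authenticated user still does.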