
Bug #13207: Rados Gateway: Anonymous user is able to read bucket with authenticated read ACL #6057

Merged
merged 1 commit into from Nov 19, 2015

@rahul1aggarwal (Contributor) commented Sep 23, 2015

Fix for http://tracker.ceph.com/issues/13207

The public user id in rados gateway is "anonymous", defined by RGW_USER_ANON_ID.
During a public read of a bucket (for example by generating a public URL and accessing it), in the method that checks whether the user is public or not, the id is compared with the public user group's URI and not with RGW_USER_ANON_ID. This led to the public user being considered an authenticated user, and hence a read of the bucket works even when the canned ACL for the bucket is set to "authenticated-read".
Also, the bucket_acl object is always created as the base type RGWAccessControlPolicy, while it should be created based on the dialect of the request (s3 or swift).
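A minimal model of the check described above, added here as an example and not code from this PR or from RGW: the "authenticated-read" canned ACL is evaluated for a requester first with an anonymous-user test that compares the id against the public group URI (the bug), then with one that compares it against RGW_USER_ANON_ID (the fix). Apart from RGW_USER_ANON_ID, every name below (the group URI constants, Grant, effective_perms, bucket_list_allowed) is assumed for this example.

```cpp
#include <string>
#include <vector>

// Anonymous user id as named in the PR description; every other name below
// is constructed for this example and is not RGW's own code.
const std::string RGW_USER_ANON_ID = "anonymous";
// Predefined S3 group URIs (public values); the constant names are ours.
const std::string URI_ALL_USERS  = "http://acs.amazonaws.com/groups/global/AllUsers";
const std::string URI_AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers";

enum Perm { PERM_READ = 1, PERM_FULL_CONTROL = 0xf };

struct Grant { std::string grantee; bool is_group; int perm; };

// Canned ACL "authenticated-read": owner FULL_CONTROL, AuthenticatedUsers READ.
std::vector<Grant> authenticated_read_acl(const std::string& owner) {
  return { {owner, false, PERM_FULL_CONTROL}, {URI_AUTH_USERS, true, PERM_READ} };
}

// Buggy test described in the PR: the requester id is compared with the public
// group's URI, which "anonymous" never equals, so the caller looks authenticated.
bool is_anonymous_buggy(const std::string& user_id) { return user_id == URI_ALL_USERS; }
// Fixed test: compare with the anonymous user id itself.
bool is_anonymous_fixed(const std::string& user_id) { return user_id == RGW_USER_ANON_ID; }

// Collect the permissions the ACL grants to user_id, using the given anonymity test.
int effective_perms(const std::vector<Grant>& acl, const std::string& user_id,
                    bool (*is_anon)(const std::string&)) {
  int perms = 0;
  for (const Grant& g : acl) {
    if (!g.is_group) {
      if (g.grantee == user_id) perms |= g.perm;
    } else if (g.grantee == URI_ALL_USERS) {
      perms |= g.perm;                       // everyone, anonymous included
    } else if (g.grantee == URI_AUTH_USERS && !is_anon(user_id)) {
      perms |= g.perm;                       // authenticated callers only
    }
  }
  return perms;
}

// Can user_id list a bucket owned by "alice" that carries the authenticated-read ACL?
bool bucket_list_allowed(const std::string& user_id, bool use_fix) {
  int perms = effective_perms(authenticated_read_acl("alice"), user_id,
                              use_fix ? &is_anonymous_fixed : &is_anonymous_buggy);
  return (perms & PERM_READ) != 0;
}
```

With the buggy test the anonymous requester is granted READ through the AuthenticatedUsers grant; with the fixed test only the owner and other named (authenticated) users keep it.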

@rahul1aggarwal (Contributor, Author) commented Sep 23, 2015

@yehudasa
When the "authenticated-read" ACL is applied on a bucket, the anonymous user is also able to read (e.g. list) the bucket. But as per the S3 documentation, only authenticated users should be allowed to access the bucket.
This commit tries to fix this problem. A test case is listed in the bug at http://tracker.ceph.com/issues/13207
Please let me know if this sounds like a genuine issue.

@yehudasa (Member) commented Sep 23, 2015

@rahul1aggarwal I understand. My question was about the specific lines change in rgw_op.cc.

@ghost ghost added the rgw label Oct 16, 2015

@yehudasa yehudasa self-assigned this Nov 3, 2015

@yehudasa yehudasa added the bug fix label Nov 6, 2015

@oritwas (Contributor) commented Nov 19, 2015

@rahul1aggarwal,
can you please remove the merge commit and sign the commits?

13207: Rados Gateway: Anonymous user is able to read bucket with authenticated read ACL

Signed-off-by: root <rahul.1aggarwal@gmail.com>
@rahul1aggarwal (Contributor, Author) commented Nov 19, 2015

@oritwas,
removed the merge commit and signed the commit. Thanks.

oritwas added a commit that referenced this pull request Nov 19, 2015

Merge pull request #6057 from rahul1aggarwal/master
Bug #13207:  Rados Gateway: Anonymous user is able to read bucket with authenticated read ACL

@oritwas oritwas merged commit 97bf0bc into ceph:master Nov 19, 2015

@rahul1aggarwal (Contributor, Author) commented Nov 20, 2015

@oritwas
Thanks for merging.
