
Bug #13207: Rados Gateway: Anonymous user is able to read bucket with authenticated read ACL #6057

Merged
merged 1 commit into from Nov 19, 2015

Conversation

rahul1aggarwal
Contributor

Fix for http://tracker.ceph.com/issues/13207

The public user id in rados gateway is "anonymous", defined by RGW_USER_ANON_ID.
During a public read of a bucket (for example, by generating a public URL and accessing it), in the method that determines whether the user is public or not, the id is being compared with the public user group's URI and not with RGW_USER_ANON_ID. This led to the public user being considered an authenticated user, and hence reading a bucket works even when the canned ACL for the bucket is set to "authenticated-read".
Also, the bucket_acl object is always being created as the base type RGWAccessControlPolicy, while it should be created based on the dialect of the request (S3 or Swift).
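The check the description refers to, shown as an added illustration rather than Ceph's own code: a small model of canned-ACL evaluation in which the faulty "is this user anonymous?" test (comparing the user id against the group URI, which can never match) is placed beside the corrected one (comparing against RGW_USER_ANON_ID). The value "anonymous" for RGW_USER_ANON_ID comes from the description above; the group URIs are the standard S3 predefined groups; every other name (`Requester`, `Policy`, `canned_acl`, `verify_permission`) is hypothetical and does not correspond to rgw internals.

```cpp
#include <cassert>
#include <iostream>
#include <string>
#include <vector>

// Added illustration, not Ceph's code. Only RGW_USER_ANON_ID's value and the
// S3 group URIs are real; all other names are hypothetical.

// The anonymous (public) user id in RGW, as stated in the PR description.
static const std::string RGW_USER_ANON_ID = "anonymous";

// Standard S3 predefined group URIs used by canned ACLs.
static const std::string GROUP_ALL_USERS =
    "http://acs.amazonaws.com/groups/global/AllUsers";
static const std::string GROUP_AUTHENTICATED_USERS =
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers";

enum Permission { PERM_READ = 1, PERM_WRITE = 2, PERM_FULL = PERM_READ | PERM_WRITE };

// A grant is either to a specific user id or to a group URI.
struct Grant {
  bool is_group;
  std::string grantee;  // user id, or group URI when is_group is true
  int perm;
};

struct Policy {
  std::string owner_id;
  std::vector<Grant> grants;
};

struct Requester {
  std::string id;  // RGW_USER_ANON_ID for unauthenticated requests
};

// The faulty test described in the PR: a user id is compared against a group
// URI, so the comparison never matches and nobody is ever treated as anonymous.
bool is_anonymous_buggy(const Requester& u) {
  return u.id == GROUP_AUTHENTICATED_USERS;
}

// The corrected test: compare the id against the anonymous user id.
bool is_anonymous_fixed(const Requester& u) {
  return u.id == RGW_USER_ANON_ID;
}

// Canned ACLs expressed as grants: owner always has full control;
// public-read adds READ for AllUsers, authenticated-read adds READ for
// AuthenticatedUsers; anything else ("private") grants nothing further.
Policy canned_acl(const std::string& owner, const std::string& canned) {
  Policy p{owner, {{false, owner, PERM_FULL}}};
  if (canned == "public-read")
    p.grants.push_back({true, GROUP_ALL_USERS, PERM_READ});
  else if (canned == "authenticated-read")
    p.grants.push_back({true, GROUP_AUTHENTICATED_USERS, PERM_READ});
  return p;
}

// Does the requester hold every bit of `perm` under `policy`?
// `anon_check` selects which anonymous-user test is used so both can be compared.
bool verify_permission(const Policy& policy, const Requester& u, int perm,
                       bool (*anon_check)(const Requester&)) {
  const bool anonymous = anon_check(u);
  int granted = 0;
  for (const Grant& g : policy.grants) {
    if (!g.is_group) {
      if (!anonymous && g.grantee == u.id) granted |= g.perm;
    } else if (g.grantee == GROUP_ALL_USERS) {
      granted |= g.perm;                   // everyone, anonymous included
    } else if (g.grantee == GROUP_AUTHENTICATED_USERS) {
      if (!anonymous) granted |= g.perm;   // only non-anonymous requesters
    }
  }
  return (granted & perm) == perm;
}

int main() {
  const Policy acl = canned_acl("alice", "authenticated-read");
  const Requester anon{RGW_USER_ANON_ID};
  std::cout << "anonymous READ on authenticated-read, buggy check: "
            << verify_permission(acl, anon, PERM_READ, is_anonymous_buggy) << "\n"
            << "anonymous READ on authenticated-read, fixed check: "
            << verify_permission(acl, anon, PERM_READ, is_anonymous_fixed) << "\n";
  return 0;
}
```

With the buggy test the anonymous requester is granted READ on an authenticated-read bucket, which is the behaviour the bug report describes; with the fixed test it is denied, while a public-read bucket still serves it and an authenticated user still gets READ.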

@rahul1aggarwal
Contributor Author

@yehudasa
When an "authenticated-read" ACL is applied on a bucket, the anonymous user is also able to read (e.g. list) the bucket. But as per the S3 documentation, only authenticated users should be allowed to access the bucket.
This commit tries to fix this problem. A test case is listed in the bug at http://tracker.ceph.com/issues/13207.
Please let me know if this sounds like a genuine issue.

@yehudasa
Member

@rahul1aggarwal I understand. My question was about the specific line changes in rgw_op.cc.

@ghost ghost added the rgw label Oct 16, 2015
@yehudasa yehudasa self-assigned this Nov 3, 2015
@oritwas
Member

oritwas commented Nov 19, 2015

@rahul1aggarwal,
Can you please remove the merge commit and sign the commits?

…enticated read ACL

Signed-off-by: root <rahul.1aggarwal@gmail.com>
@rahul1aggarwal
Contributor Author

@oritwas,
Removed the merge commit and signed the commit. Thanks.

oritwas added a commit that referenced this pull request Nov 19, 2015
Bug #13207: Rados Gateway: Anonymous user is able to read bucket with authenticated read ACL
@oritwas oritwas merged commit 97bf0bc into ceph:master Nov 19, 2015
@rahul1aggarwal
Contributor Author

@oritwas
Thanks for merging.
