rgw: ListRoles returns "Access Denied" for a regular user with valid allow policy

[thmour]

The ListRoles method doesn't initialise the arn resource, so a user that is allowed to call this method only via policies gets "Access Denied"

tracker ticket: https://tracker.ceph.com/issues/74399

Contribution Guidelines

• To sign and title your commits, please refer to Submitting Patches to Ceph.

• If you are submitting a fix for a stable branch (e.g. "quincy"), please refer to Submitting Patches to Ceph - Backports for the proper workflow.

• When filling out the below checklist, you may click boxes directly in the GitHub web UI. When entering or editing the entire PR message in the GitHub web UI editor, you may also select a checklist item by adding an x between the brackets: [x]. Spaces and capitalization matter when checking off items this way.

Checklist

• Tracker (select at least one)
  • References tracker ticket
  • Very recent bug; references commit where it was introduced
  • New feature (ticket optional)
  • Doc update (no ticket needed)
  • Code cleanup (no ticket needed)
• Component impact
  • Affects Dashboard, opened tracker ticket
  • Affects Orchestrator, opened tracker ticket
  • No impact that needs to be tracked
• Documentation (select at least one)
  • Updates relevant documentation
  • No doc update is appropriate
• Tests (select at least one)
  • Includes unit test(s)
  • Includes integration test(s)
  • Includes bug reproducer
  • No tests

Show available Jenkins commands

• jenkins test classic perf Jenkins Job | Jenkins Job Definition
• jenkins test crimson perf Jenkins Job | Jenkins Job Definition
• jenkins test signed Jenkins Job | Jenkins Job Definition
• jenkins test make check Jenkins Job | Jenkins Job Definition
• jenkins test make check arm64 Jenkins Job | Jenkins Job Definition
• jenkins test submodules Jenkins Job | Jenkins Job Definition
• jenkins test dashboard Jenkins Job | Jenkins Job Definition
• jenkins test dashboard cephadm Jenkins Job | Jenkins Job Definition
• jenkins test api Jenkins Job | Jenkins Job Definition
• jenkins test docs ReadTheDocs | Github Workflow Definition
• jenkins test ceph-volume all Jenkins Jobs | Jenkins Jobs Definition
• jenkins test windows Jenkins Job | Jenkins Job Definition
• jenkins test rook e2e Jenkins Job | Jenkins Job Definition

You must only issue one Jenkins command per-comment. Jenkins does not understand
comments with more than one command.

[ceph-jenkins]

Can one of the admins verify this patch?

[ceph-jenkins]

Can one of the admins verify this patch?

[ceph-jenkins]

Can one of the admins verify this patch?

[ceph-jenkins]

Can one of the admins verify this patch?

[ceph-jenkins]

Can one of the admins verify this patch?

[ceph-jenkins]

Can one of the admins verify this patch?

[ceph-jenkins]

Can one of the admins verify this patch?

[ceph-jenkins]

Can one of the admins verify this patch?

[ceph-jenkins]

Can one of the admins verify this patch?

[ceph-jenkins]

Can one of the admins verify this patch?

[ceph-jenkins]

Can one of the admins verify this patch?

[ceph-jenkins]

Can one of the admins verify this patch?

[ceph-jenkins]

Can one of the admins verify this patch?

[ceph-jenkins]

Can one of the admins verify this patch?

[ceph-jenkins]

Can one of the admins verify this patch?

[cbodley]

thanks, looks correct

[cbodley]

i wrote a test case for this in ceph/s3-tests#722. as expected, it fails against main but passes with the changes in this pull request 👍

[github-actions]

This pull request has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs for another 30 days.
If you are a maintainer or core committer, please follow-up on this pull request to identify what steps should be taken by the author to move this proposed change forward.
If you are the author of this pull request, thank you for your proposed contribution. If you believe this change is still appropriate, please ensure that any feedback has been addressed and ask for a code review.

[thmour]

@cbodley any progress on this? I was waiting for the test case ceph/s3-tests#722 to be merged so we can merge this as well?

[cbodley]

@thmour sorry for the delay, i'll start qa against the test cases

[cbodley]

ok to test

[cbodley]

jenkins test windows

[ceph-jenkins]

Thank you for your contribution. Since you, the author, are not a member of the Ceph GitHub Org yet, our CI will not automatically run. Any member of the Ceph Org may comment "ok to test" to allow the Jenkins jobs to run.

[cbodley]

qa passed in https://pulpito.ceph.com/cbodley-2026-03-19_03:33:47-rgw-wip-cbodley-testing-distro-default-trial/ with a few known issues, mostly valgrind errors. new test case is passing:

:s3tests/functional/test_iam.py::test_account_role_list_permission PASSED [ 7%]

[cbodley]

https://jenkins.ceph.com/job/ceph-pull-requests-arm64/89319/

The following tests FAILED:
264 - unittest_posix_bucket_cache (Timeout)

tracked in https://tracker.ceph.com/issues/75601

[cbodley]

jenkins test make check arm64

[BoleynSu]

Thanks for fixing! Will this be backported to 19?

[cbodley]

Thanks for fixing! Will this be backported to 19?

yes, squid backport is prepared in #68027 for https://tracker.ceph.com/issues/75623