TrueCloudLab/frostfs-s3-gw
17
3
Fork 19
Code Issues 28 Pull requests 7 Projects Releases 18 Packages Activity Actions

Bucket policy doesn't work for private buckets #306

New issue
Closed
opened 2024-02-07 09:12:38 +00:00 by dkirillov · 1 comment
dkirillov commented 2024-02-07 09:12:38 +00:00
Member
Copy link

We cannot provide access to different user (in the same namespace) using PutBucketPolicy

Expected Behavior

Different user can put object to our bucket

Current Behavior

Got error AccessDenied

In logs:

2024-02-07T12:07:43.516+0300    error   handler/util.go:46      request failed  {"status": 403, "request_id": "53e9c533-ef54-4bed-8d0a-fb930f2ed665", "method": "PutObject", "bucket": "policy-test", "object": "obj", "description": "could not get bucket settings", "error": "couldn't get node: access denied: access denied: rpc error: code = Unknown desc = access to operation GET is denied by extended ACL check: DENY eACL rule"}

Possible Solution

Don't set eacl when create bucket but use APE rules to restrict access.

Steps to Reproduce (for bugs)

  1. Create bucket:
$ aws s3api --endpoint http://localhost:8084  create-bucket --bucket policy-test
  1. Put bucket policy that allow PutObject to any principal:
$ aws s3api --endpoint http://localhost:8084  put-bucket-policy --bucket policy-test --policy '{"Statement":{"Effect":"Allow","Principal":"*","Action":"s3:PutObject","Resource":"arn:aws:s3:::policy-test/*"}}'
  1. Try put object using alternative credentials
$ aws s3api --endpoint http://localhost:8084 --profile alt   put-object  --bucket policy-test --key obj

An error occurred (AccessDenied) when calling the PutObject operation: Access Denied.

Context

This bug was found using s3-iam test

Regression

No

Your Environment

We cannot provide access to different user (in the same namespace) using [PutBucketPolicy](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketPolicy.html) ## Expected Behavior Different user can put object to our bucket ## Current Behavior Got error `AccessDenied` In logs: ``` 2024-02-07T12:07:43.516+0300 error handler/util.go:46 request failed {"status": 403, "request_id": "53e9c533-ef54-4bed-8d0a-fb930f2ed665", "method": "PutObject", "bucket": "policy-test", "object": "obj", "description": "could not get bucket settings", "error": "couldn't get node: access denied: access denied: rpc error: code = Unknown desc = access to operation GET is denied by extended ACL check: DENY eACL rule"} ``` ## Possible Solution Don't set eacl when create bucket but use APE rules to restrict access. ## Steps to Reproduce (for bugs) 1. Create bucket: ```shell $ aws s3api --endpoint http://localhost:8084 create-bucket --bucket policy-test ``` 2. Put bucket policy that allow `PutObject` to any principal: ```shell $ aws s3api --endpoint http://localhost:8084 put-bucket-policy --bucket policy-test --policy '{"Statement":{"Effect":"Allow","Principal":"*","Action":"s3:PutObject","Resource":"arn:aws:s3:::policy-test/*"}}' ``` 3. Try put object using alternative credentials ```shell $ aws s3api --endpoint http://localhost:8084 --profile alt put-object --bucket policy-test --key obj An error occurred (AccessDenied) when calling the PutObject operation: Access Denied. ``` ## Context This bug was found using s3-iam [test](https://git.frostfs.info/TrueCloudLab/s3-tests/src/commit/da91ad8bbf899c72199df35b69e9393c706aabee/s3tests_boto3/functional/test_iam.py#L516) ## Regression No ## Your Environment * Version used: https://git.frostfs.info/TrueCloudLab/frostfs-s3-gw/commit/c334adeb6da0bf6fa889b1bf8bb370ccc80f2b0e * Server setup and configuration: [dev-env](https://git.frostfs.info/TrueCloudLab/frostfs-dev-env)
dkirillov added the
bug
 label 2024-02-07 09:12:38 +00:00
alexvanin commented 2024-02-08 14:47:58 +00:00
Owner
Copy link

Right now our target is to replace eACL with new access policy engine (APE) rules to control access for buckets. Previously created buckets with s3-gw < v0.29.0 will remain affected by this issue. New buckets are going to be accessible if APE explicitly allows it.

Furthermore, we are looking to cooperate with AWS and restrict access for ACL operations. However, we do not intend to remove canned ACL for bucket settings. These ACLs worked fine in all previous s3-gw releases, so we intend to keep this functionality. Other less robust operations like put-object-acl are going to be restricted in favor of bucket policy control.

/cc @TrueCloudLab/architecture-committee

Right now our target is to replace eACL with new access policy engine (APE) rules to control access for buckets. Previously created buckets with s3-gw < v0.29.0 will remain affected by this issue. New buckets are going to be accessible if APE explicitly allows it. Furthermore, we are looking to [cooperate](https://aws.amazon.com/about-aws/whats-new/2022/12/amazon-s3-automatically-enable-block-public-access-disable-access-control-lists-buckets-april-2023/) with AWS and restrict access for ACL operations. However, we do not intend to remove canned ACL for bucket settings. These ACLs worked fine in all previous s3-gw releases, so we intend to keep this functionality. Other less robust operations like `put-object-acl` are going to be restricted in favor of bucket policy control. /cc @TrueCloudLab/architecture-committee
alexvanin added this to the v0.29.0 milestone 2024-02-08 14:48:12 +00:00
dkirillov was assigned by alexvanin 2024-02-08 14:49:46 +00:00
alexvanin referenced this issue from a commit 2024-02-29 07:05:35 +00:00
[#306] Add tests
alexvanin referenced this issue from a commit 2024-02-29 07:05:36 +00:00
[#306] Update APE
alexvanin referenced this issue from a commit 2024-02-29 07:05:36 +00:00
[#306] Fix billing tests
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
support/v0.30
support/v0.29
support/v0.28
support/v0.27
v0.31.0
v0.31.0-rc.6
v0.31.0-rc.5
v0.31.0-rc.4
v0.30.8
v0.31.0-rc.3
v0.30.7
v0.31.0-rc.2
v0.31.0-rc.1
v0.30.6
v0.30.5
v0.30.4
v0.30.3
v0.30.2
v0.30.1
v0.30.0
v0.29.3
v0.30.0-rc.5
v0.29.2
v0.30.0-rc.4
v0.30.0-rc.3
v0.30.0-rc.2
v0.29.1
v0.30.0-rc.1
v0.29.0
v0.28.2
v0.29.0-rc.11
v0.29.0-rc.10
v0.29.0-rc.9
v0.29.0-rc.8
v0.29.0-rc.7
v0.29.0-rc.6
v0.29.0-rc.5
v0.29.0-rc.4
v0.29.0-rc.3
v0.29.0-rc.2
v0.29.0-rc.1
v0.28.1
v0.28.0
v0.28.0-rc.1
v0.27.0
v0.27.0-rc.2
v0.27.0-rc.1
Labels
Clear labels   
P0

Highest

  
P1

High

  
P2

Medium

  
P3

Low

  
good first issue

Good for newcomers

  
Infrastructure

Infrastructure, Automation, CI/CD or DevOps related stuff

  
blocked

The issue or PR is blocked by something

  
bug

Something is not working

  
config

Configuration format update or breaking change

  
discussion

Talking about something in order to reach a decision or to exchange ideas

  
documentation

Documentation related

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
go

Language features adoption

  
help wanted

Extra attention is needed

  
internal

   
invalid

Something is wrong

  
kludge

This is a kludge and we know it

  
observability

Related to metrics, tracing and logs

  
perfomance

Perfomance related

  
question

More information is needed

  
refactoring

Refactoring

  
wontfix

This won't be fixed

No labels
P0
P1
P2
P3
good first issue
Infrastructure
blocked
bug
config
discussion
documentation
duplicate
enhancement
go
help wanted
internal
invalid
kludge
observability
perfomance
question
refactoring
wontfix
Milestone
Clear milestone
No items
No milestone
v0.29.0
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
dkirillov
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: TrueCloudLab/frostfs-s3-gw#306
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?