Changing canned ACL from public-read-write to public-read doesn't work #316

New issue

Closed

opened 2024-02-19 08:23:43 +00:00 by dkirillov · 3 comments

dkirillov commented 2024-02-19 08:23:43 +00:00

Member

Copy link

Changing canned ACL from public-read-write to public-read doesn't work

Expected Behavior

Setting bucket acl to public-read after public-read-write forbid non bucket owner to put objects.

Current Behavior

Non owner still can put object to the bucket.

Possible Solution

Revise mergeAst function.
The problem: to find if diff between current and wanted "AST" exists we go through all new ast operation and finds them in current. If current fully contains wanted we don't do anything. But in case of changing acl from public-read-write to public-read this isn't correct because we must consider missing operations in wanted "ast" as deny.

Steps to Reproduce (for bugs)

1. Create public-read-write bucket:

$ aws s3api --endpoint http://localhost:8084 create-bucket --bucket test-acl --acl public-read-write

2. Make sure bucket is public read write:

$ aws s3api --endpoint http://localhost:8084 put-object --bucket test-acl --key tmp --profile alt 
{
    "ETag": "\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\""
}

3. Change acl to public-read:

$ aws s3api --endpoint http://localhost:8084 put-bucket-acl --bucket test-acl --acl public-read

4. Try to put object using non owner creds again. Error is expected:

$ aws s3api --endpoint http://localhost:8084 put-object --bucket test-acl --key tmp --profile alt 
{
    "ETag": "\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\""
}

Workaround

Set private acl first:

$ aws s3api --endpoint http://localhost:8084 put-bucket-acl --bucket test-acl --acl private

$ aws s3api --endpoint http://localhost:8084 put-bucket-acl --bucket test-acl --acl public-read

$ aws s3api --endpoint http://localhost:8084 put-object --bucket test-acl --key tmp --profile alt 

An error occurred (AccessDenied) when calling the PutObject operation (reached max retries: 0): Access Denied.

Regression

I'm not sure

Your Environment

• Version used: cc34f659d1
• Server setup and configuration: devenv

Changing canned ACL from `public-read-write` to `public-read` doesn't work ## Expected Behavior Setting bucket acl to `public-read` after `public-read-write` forbid non bucket owner to put objects. ## Current Behavior Non owner still can put object to the bucket. ## Possible Solution Revise [mergeAst](https://git.frostfs.info/TrueCloudLab/frostfs-s3-gw/src/commit/bd8d2d00ba466fe76755d6da6b3c26d892643ba9/api/handler/acl.go#L829) function. The problem: to find if diff between current and wanted "AST" exists we go through all new ast operation and finds them in current. If current fully contains wanted we don't do anything. But in case of changing acl from `public-read-write` to `public-read` this isn't correct because we must consider missing operations in wanted "ast" as deny. ## Steps to Reproduce (for bugs) 1. Create `public-read-write` bucket: ``` $ aws s3api --endpoint http://localhost:8084 create-bucket --bucket test-acl --acl public-read-write ``` 2. Make sure bucket is public read write: ``` $ aws s3api --endpoint http://localhost:8084 put-object --bucket test-acl --key tmp --profile alt { "ETag": "\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\"" } ``` 3. Change acl to public-read: ``` $ aws s3api --endpoint http://localhost:8084 put-bucket-acl --bucket test-acl --acl public-read ``` 4. Try to put object using non owner creds again. Error is expected: ``` $ aws s3api --endpoint http://localhost:8084 put-object --bucket test-acl --key tmp --profile alt { "ETag": "\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\"" } ``` ### Workaround Set `private` acl first: ``` $ aws s3api --endpoint http://localhost:8084 put-bucket-acl --bucket test-acl --acl private $ aws s3api --endpoint http://localhost:8084 put-bucket-acl --bucket test-acl --acl public-read $ aws s3api --endpoint http://localhost:8084 put-object --bucket test-acl --key tmp --profile alt An error occurred (AccessDenied) when calling the PutObject operation (reached max retries: 0): Access Denied. ``` ## Regression I'm not sure ## Your Environment <!--- Include as many relevant details about the environment you experienced the bug in --> * Version used: https://git.frostfs.info/TrueCloudLab/frostfs-s3-gw/commit/cc34f659d17c314cc3273023e874b6c73d1744fe * Server setup and configuration: devenv

dkirillov added the

bug

label 2024-02-19 08:23:43 +00:00

alexvanin commented 2024-02-19 10:58:09 +00:00

Owner

Copy link

As far as I understand, #306 is going to fix it for all new buckets, right?

As far as I understand, https://git.frostfs.info/TrueCloudLab/frostfs-s3-gw/issues/306 is going to fix it for all new buckets, right?

dkirillov commented 2024-02-19 11:10:08 +00:00

Author

Member

Copy link

As far as I understand, #306 is going to fix it for all new buckets, right?

yes

> As far as I understand, https://git.frostfs.info/TrueCloudLab/frostfs-s3-gw/issues/306 is going to fix it for all new buckets, right? yes

alexvanin commented 2024-06-04 09:09:56 +00:00

Owner

Copy link

Closed due to #306.

Closed due to #306.

alexvanin closed this issue 2024-06-04 09:09:57 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

support/v0.30

support/v0.29

support/v0.28

support/v0.27

v0.31.0

v0.31.0-rc.6

v0.31.0-rc.5

v0.31.0-rc.4

v0.30.8

v0.31.0-rc.3

v0.30.7

v0.31.0-rc.2

v0.31.0-rc.1

v0.30.6

v0.30.5

v0.30.4

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.3

v0.30.0-rc.5

v0.29.2

v0.30.0-rc.4

v0.30.0-rc.3

v0.30.0-rc.2

v0.29.1

v0.30.0-rc.1

v0.29.0

v0.28.2

v0.29.0-rc.11

v0.29.0-rc.10

v0.29.0-rc.9

v0.29.0-rc.8

v0.29.0-rc.7

v0.29.0-rc.6

v0.29.0-rc.5

v0.29.0-rc.4

v0.29.0-rc.3

v0.29.0-rc.2

v0.29.0-rc.1

v0.28.1

v0.28.0

v0.28.0-rc.1

v0.27.0

v0.27.0-rc.2

v0.27.0-rc.1

Labels

Clear labels   

P0

Highest

  

P1

High

  

P2

Medium

  

P3

Low

  

good first issue

Good for newcomers

  

Infrastructure

Infrastructure, Automation, CI/CD or DevOps related stuff

  

blocked

The issue or PR is blocked by something

  

bug

Something is not working

  

config

Configuration format update or breaking change

  

discussion

Talking about something in order to reach a decision or to exchange ideas

  

documentation

Documentation related

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

go

Language features adoption

  

help wanted

Extra attention is needed

  

internal

  

invalid

Something is wrong

  

kludge

This is a kludge and we know it

  

observability

Related to metrics, tracing and logs

  

perfomance

Perfomance related

  

question

More information is needed

  

refactoring

Refactoring

  

wontfix

This won't be fixed

No labels

P0

P1

P2

P3

good first issue

Infrastructure

blocked

bug

config

discussion

documentation

duplicate

enhancement

go

help wanted

internal

invalid

kludge

observability

perfomance

question

refactoring

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

2 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: TrueCloudLab/frostfs-s3-gw#316

No description provided.