Project

General

Profile

Actions
Copy link

Bug #67464

closed

iam policy cannot grant access to tenanted buckets

Added by Casey Bodley over 1 year ago. Updated 4 months ago.

Status:
Resolved
Priority:
High
Assignee:
Casey Bodley
Target version:
-
% Done:

0%

Source:
Backport:
squid
Regression:
Yes
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
59169
Tags (freeform):
iam tenant backport_processed
Merge Commit:
5000b233c1f0eeba8ff6c4fed92b2f912ffc071d
Fixed In:
v19.3.0-4262-g5000b233c1
Released In:
v20.2.0~2231
Upkeep Timestamp:
2025-11-01T01:35:51+00:00

Description

handling of bucket ARNs changed with iam account support, breaking some tenant/cross-tenant policy that wasn't covered in testing

for example, when a user in tenant1 creates a bucket and attaches policy to allow access for all principals:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Principal": {"AWS": "*"},
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::*" 
      }
   ]
}

access to that bucket by a user in tenant2 is still rejected by bucket policy. as pointed out by @Pritha Srivastava, the policy's Resource ARN does not include the tenant name, but the ARN of the requested resource passed into policy evaluation does

Related issues 1 (0 open1 closed)

Copied to rgw - Backport #67554: squid: iam policy cannot grant access to tenanted bucketsResolvedCasey BodleyActions
Actions
Copy link
 #1

Updated by Casey Bodley over 1 year ago

  • Status changed from New to In Progress
  • Assignee set to Pritha Srivastava
  • Backport set to squid
  • Pull request ID set to 59113
Actions
Copy link
 #2

Updated by Casey Bodley over 1 year ago

  • Pull request ID changed from 59113 to 59169
Actions
Copy link
 #3

Updated by Casey Bodley over 1 year ago

  • Status changed from In Progress to Pending Backport
  • Assignee changed from Pritha Srivastava to Casey Bodley
Actions
Copy link
 #4

Updated by Upkeep Bot over 1 year ago

  • Copied to Backport #67554: squid: iam policy cannot grant access to tenanted buckets added
Actions
Copy link
 #5

Updated by Upkeep Bot over 1 year ago

  • Tags (freeform) changed from iam tenant to iam tenant backport_processed
Actions
Copy link
 #6

Updated by Upkeep Bot 8 months ago

  • Status changed from Pending Backport to Resolved
  • Upkeep Timestamp set to 2025-07-08T18:13:24+00:00
Actions
Copy link
 #7

Updated by Upkeep Bot 7 months ago

  • Merge Commit set to 5000b233c1f0eeba8ff6c4fed92b2f912ffc071d
  • Fixed In set to v19.3.0-4262-g5000b233c1
  • Upkeep Timestamp changed from 2025-07-08T18:13:24+00:00 to 2025-08-02T04:50:23+00:00
Actions
Copy link
 #8

Updated by Upkeep Bot 4 months ago

  • Released In set to v20.2.0~2231
  • Upkeep Timestamp changed from 2025-08-02T04:50:23+00:00 to 2025-11-01T01:35:51+00:00
Actions
Copy link

Also available in: Atom PDF