Skip to content

sts: test tenant role permissions against bucket acls #703

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

sts: test tenant role permissions against bucket acls #703

wants to merge 2 commits into from

Conversation

@cbodley
Copy link
Contributor

@cbodley cbodley commented Oct 28, 2025

without any matching identity policy, test that an assumed role inherits acl-based permissions on the assuming user

test cases for ceph/ceph#66078

@cbodley cbodley mentioned this pull request Oct 28, 2025
Open
cbodley
cbodley commented Oct 29, 2025
View reviewed changes
pritha-srivastava
pritha-srivastava reviewed Oct 30, 2025
View reviewed changes
s3tests/functional/test_sts.py

# access allowed from role assumed by alt user
s3_client.get_bucket_location(Bucket=bucket_name)

Copy link
Contributor

@pritha-srivastava pritha-srivastava Oct 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@cbodley : should we add a test that has no role/session policy and no acl grant also for a non-owner and check if access is actually denied

Copy link
Contributor Author

@cbodley cbodley Oct 30, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

test_assume_role_owner_deny() above tests the non-owner case with no policy

edit: renamed to test_assume_role_nonowner_deny

cbodley
cbodley commented Oct 30, 2025
View reviewed changes
s3tests/functional/test_sts.py Outdated
Comment on lines 1084 to 1086
# GetObject for nonexistent object should be denied by session policy
e = assert_raises(ClientError, s3_client.get_object, Bucket=bucket_name_1, Key="test-1.txt")
assert (403, 'AccessDenied') == _get_status_and_error_code(e.response)
Copy link
Contributor Author

@cbodley cbodley Oct 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://qa-proxy.ceph.com/teuthology/cbodley-2025-10-29_16:55:02-rgw-wip-73659-distro-default-gibba/8575121/teuthology.log shows both of these get_object() calls succeeding, so i assume the tests are reusing the same bucket/object as other tests

cbodley
cbodley commented Oct 30, 2025
View reviewed changes
s3tests/functional/test_sts.py Outdated
Comment on lines 1159 to 1161
# GetObject for nonexistent object should be allowed by bucket policy
e = assert_raises(ClientError, s3_client.get_object, Bucket=bucket_name_1, Key="test-session-arn.txt")
assert (404, 'NoSuchKey') == _get_status_and_error_code(e.response)
Copy link
Contributor Author

@cbodley cbodley Oct 30, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

from https://qa-proxy.ceph.com/teuthology/cbodley-2025-10-30_13:41:08-rgw:sts-wip-73659-distro-default-gibba/8576808/teuthology.log

        # GetObject for nonexistent object should be allowed by bucket policy
        e = assert_raises(ClientError, s3_client.get_object, Bucket=bucket_name_1, Key="test-session-arn.txt")
>       assert (404, 'NoSuchKey') == _get_status_and_error_code(e.response)
E       AssertionError: assert (404, 'NoSuchKey') == (403, 'AccessDenied')

oops, 404 vs 403 is controlled by s3:ListBucket permissions: https://github.com/ceph/ceph/blob/7cb26500b8/src/rgw/rgw_op.cc#L474-L479

Copy link
Contributor Author

@cbodley cbodley Oct 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ended up going with a different strategy to avoid object acls - i replaced the object operations GetObject/PutObject with bucket operations GetBucketLocation/ListBucket. because the policy resources accept both bucket- and object ARNs, this should provide the same test coverage for interactions between bucket/role/session policies

i finally got a successful run of rgw/sts with this change in https://pulpito.ceph.com/cbodley-2025-10-30_15:23:25-rgw:sts-wip-73659-distro-default-gibba/

@cbodley
sts: test tenant role permissions against bucket acls
24ca1ac 
without any matching identity policy, test that an assumed role
inherits acl-based permissions on the assuming user

Signed-off-by: Casey Bodley <[email protected]>
@cbodley
sts: session policy tests bucket ops to avoid object acls
3a6b20b 
when testing interactions between bucket/role/session policy, avoid
PutObject because it creates object acls that grant GetObject permission

replace PutObject with ListBucket, and GetObject with GetBucketLocation
to test the same policy interactions

Signed-off-by: Casey Bodley <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pritha-srivastava pritha-srivastava pritha-srivastava approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@cbodley @pritha-srivastava