sts: test cross-account role permissions against bucket acls#703
sts: test cross-account role permissions against bucket acls#703cbodley wants to merge 1 commit intoceph:masterfrom
Conversation
|
|
||
| # access allowed from role assumed by alt user | ||
| s3_client.get_bucket_location(Bucket=bucket_name) | ||
|
|
There was a problem hiding this comment.
@cbodley : should we add a test that has no role/session policy and no acl grant also for a non-owner and check if access is actually denied
There was a problem hiding this comment.
test_assume_role_owner_deny() above tests the non-owner case with no policy
edit: renamed to test_assume_role_nonowner_deny
| # GetObject for nonexistent object should be denied by session policy | ||
| e = assert_raises(ClientError, s3_client.get_object, Bucket=bucket_name_1, Key="test-1.txt") | ||
| assert (403, 'AccessDenied') == _get_status_and_error_code(e.response) |
There was a problem hiding this comment.
https://qa-proxy.ceph.com/teuthology/cbodley-2025-10-29_16:55:02-rgw-wip-73659-distro-default-gibba/8575121/teuthology.log shows both of these get_object() calls succeeding, so i assume the tests are reusing the same bucket/object as other tests
| # GetObject for nonexistent object should be allowed by bucket policy | ||
| e = assert_raises(ClientError, s3_client.get_object, Bucket=bucket_name_1, Key="test-session-arn.txt") | ||
| assert (404, 'NoSuchKey') == _get_status_and_error_code(e.response) |
There was a problem hiding this comment.
# GetObject for nonexistent object should be allowed by bucket policy
e = assert_raises(ClientError, s3_client.get_object, Bucket=bucket_name_1, Key="test-session-arn.txt")
> assert (404, 'NoSuchKey') == _get_status_and_error_code(e.response)
E AssertionError: assert (404, 'NoSuchKey') == (403, 'AccessDenied')
oops, 404 vs 403 is controlled by s3:ListBucket permissions: https://github.com/ceph/ceph/blob/7cb26500b8/src/rgw/rgw_op.cc#L474-L479
There was a problem hiding this comment.
ended up going with a different strategy to avoid object acls - i replaced the object operations GetObject/PutObject with bucket operations GetBucketLocation/ListBucket. because the policy resources accept both bucket- and object ARNs, this should provide the same test coverage for interactions between bucket/role/session policies
i finally got a successful run of rgw/sts with this change in https://pulpito.ceph.com/cbodley-2025-10-30_15:23:25-rgw:sts-wip-73659-distro-default-gibba/
cbodley
force-pushed
the
wip-73659
branch
2 times, most recently
from
ebf727c to
3a6b20b
Compare
Signed-off-by: Casey Bodley <cbodley@redhat.com>
cbodley
changed the title
|
existing as expected, the test case fails against main but passes with the RoleApplier changes from ceph/ceph#66078 |
2 participants
without any matching identity policy, test that an assumed role inherits acl-based permissions on the assuming user
test cases for ceph/ceph#66078