BucketPolicy: add test for sse-c in conditions #574
Ref. ceph/ceph#58689 Signed-off-by: Seena Fallah <seenafallah@gmail.com>
| deny_incorrect_algo = { | ||
| "StringNotEquals": { | ||
| "s3:x-amz-server-side-encryption-customer-algorithm": "AES256" | ||
| } | ||
| } | ||
|
|
||
| deny_unencrypted_obj = { | ||
| "Null" : { | ||
| "s3:x-amz-server-side-encryption-customer-algorithm": "true" |
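Review bot: only `deny_unencrypted_obj` (`"Null": {…: "true"}`) is triggered by a request that omits the SSE-C header, so `deny_incorrect_algo` (`"StringNotEquals": {…: "AES256"}`) adds coverage only if the test also sends a request carrying a non-AES256 algorithm value and asserts on that denial; either add such a request or say in the test why the first condition block is kept.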
is this first condition relevant to the test? it looks like the check_access_denied part only depends on the second
That's my confusion part as well... Apparently the stringNotEqual doesn't deny if the header is not specified at all (IIRC same for sse-s3) and the string match happens when it's there (but the only option is AES256). Maybe I can decouple it via status code 403 vs 400.
i guess that's the difference between StringNotEquals and StringNotEqualsIfExists? from https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_IfExists
If you are using an "Effect": "Deny" element with a negated condition operator like StringNotEqualsIfExists, the request is still denied even if the tag is missing.
for the purposes of testing ceph/ceph#58689, i tend to think the Null condition is sufficient to verify that we understand that condition key. what do you think?
@cbodley Can you please check my last commit? I guess this can cover the case to make sure the value is also respected by RGW. But if you think it's unnecessary I'll drop it. np.
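The distinction discussed above (a `StringNotEquals` condition that does not fire when the header is absent, versus a `Null` condition that fires exactly then) can be made concrete with a small condition evaluator. This is an added example, not code from ceph/s3-tests or from the PR: it models the evaluation behaviour described in the thread and in the quoted AWS doc, not the exact rules of AWS or RGW, and the `evaluate`/`condition_matches` helpers, the request contexts and the `AES128` value are constructed for illustration.

```python
"""Toy evaluator for the two bucket-policy Deny conditions from the PR.

Added example (not s3-tests code). It models the semantics described in the
thread: a missing key does not satisfy StringNotEquals, the ...IfExists
variant treats a missing key as satisfied, and Null matches on absence.
It is not a claim about the precise evaluation rules of AWS or RGW.
"""

SSE_C_ALGO_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"

# Condition blocks as they appear in the PR diff.
deny_incorrect_algo = {"StringNotEquals": {SSE_C_ALGO_KEY: "AES256"}}
deny_unencrypted_obj = {"Null": {SSE_C_ALGO_KEY: "true"}}


def condition_matches(condition, request_ctx):
    """Return True if every operator/key pair in the Condition block matches."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in request_ctx
            if operator == "Null":
                # "true": match when the key is absent; "false": when present.
                want_absent = expected == "true"
                if present == want_absent:
                    return False
            elif operator == "StringEquals":
                if not present or request_ctx[key] != expected:
                    return False
            elif operator == "StringNotEquals":
                # Modelled on the thread: an absent key does not match.
                if not present or request_ctx[key] == expected:
                    return False
            elif operator == "StringNotEqualsIfExists":
                # Per the quoted AWS doc: absent key -> condition is true.
                if present and request_ctx[key] == expected:
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def evaluate(deny_conditions, request_ctx):
    """'Denied' if any Deny statement's condition matches, else 'Allowed'.

    Assumes an implicit Allow for the PutObject and that each list element
    is the Condition block of one "Effect": "Deny" statement.
    """
    for cond in deny_conditions:
        if condition_matches(cond, request_ctx):
            return "Denied"
    return "Allowed"


def which_statement_denies(deny_conditions, request_ctx):
    """Indices of the Deny statements whose condition matched (for debugging)."""
    return [i for i, c in enumerate(deny_conditions) if condition_matches(c, request_ctx)]


# Constructed request contexts: header absent, correct value, wrong value.
REQUESTS = {
    "no_sse_c": {},
    "aes256": {SSE_C_ALGO_KEY: "AES256"},
    "wrong_algo": {SSE_C_ALGO_KEY: "AES128"},  # constructed, not a real S3 option
}

POLICY = [deny_incorrect_algo, deny_unencrypted_obj]

if __name__ == "__main__":
    for name, ctx in REQUESTS.items():
        print(f"{name:10s} {evaluate(POLICY, ctx):8s} "
              f"denied by statements {which_statement_denies(POLICY, ctx)}")
```

Under this model the unencrypted upload is denied only by the `Null` statement and the wrong-algorithm upload only by the `StringNotEquals` statement, which is why a test that sends just an unencrypted request exercises one of the two conditions; dropping the `StringNotEquals` block makes the wrong-algorithm request pass through.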
…pted Signed-off-by: Seena Fallah <seenafallah@gmail.com>
cherry-picked to ceph-master
Ref. ceph/ceph#58689