Project

General

Profile

Actions
Copy link

Bug #58167

open

No Authentication/Authorization for creating topics on RGW

Added by Ulrich Klein over 3 years ago. Updated 8 months ago.

Status:
Pending Backport
Priority:
High
Assignee:
Yuval Lifshitz
Target version:
-
% Done:

0%

Source:
Community (user)
Backport:
pacific quincy
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
Ceph - v17.2.5
ceph-qa-suite:
Pull request ID:
49335
Tags (freeform):
Merge Commit:
b619fda9ee3e334ec7038f4c766a7e525f408d8f
Fixed In:
v18.0.0-2395-gb619fda9ee
Released In:
v18.2.0~495
Upkeep Timestamp:
2025-07-14T19:10:50+00:00

Description

I'm on a containerized Ceph 17.2.5 serving only RGW/S3 clients.

I'm experimenting with notifications for S3 buckets.
I got it working with notifications to HTTP endpoints.

What I did:

Create a topic:
$ cat create_topic.data
Action=CreateTopic
&Name=topictest2
&Attributes.entry.1.key=verify-ssl&Attributes.entry.1.value=false
&Attributes.entry.2.key=use-ssl&Attributes.entry.2.value=false
&Attributes.entry.3.key=OpaqueData&Attributes.entry.3.value=Hallodrio
&Attributes.entry.4.key=push-endpoint&Attributes.entry.4.value=http://helper.example.com/cgi-bin/topictest
&Attributes.entry.5.key=persistent&Attributes.entry.5.value=false
&Attributes.entry.6.key=cloudevents&Attributes.entry.6.value=false

$ curl -v --request POST 'https://rgw.example.com' --data @create_topic.data
<CreateTopicResponse xmlns="https://sns.amazonaws.com/doc/2010-03-31/&quot;&gt;&lt;CreateTopicResult&gt;&lt;TopicArn&gt;arn:aws:sns:&lt;zonegroup&gt;::topictest2&lt;/TopicArn&gt;&lt;/CreateTopicResult&gt;&lt;ResponseMetadata&gt;&lt;RequestId&gt;f0904533-f4ed-4d60-886c-4125fcbed97b.4944109.3169009808426767767&lt;/RequestId&gt;&lt;/ResponseMetadata&gt;&lt;/CreateTopicResponse>

And then created a notification for some user, which I received ok via http.

What surprised me:
There was no authentication/authorization necessary at all to create the topic!
Any <...> could create a million topics that way, probably a nice DoS attack.

There should be a way to prevent that from happening, e.g. at least to only allow authenticated users to create topics.

Related issues 2 (0 open2 closed)

Copied to rgw - Backport #58905: pacific: No Authentication/Authorization for creating topics on RGWRejectedYuval LifshitzActions
Copied to rgw - Backport #58906: quincy: No Authentication/Authorization for creating topics on RGWRejectedYuval LifshitzActions
Actions
Copy link
 #1

Updated by Yuval Lifshitz over 3 years ago

  • Tracker changed from Feature to Bug
  • Priority changed from Normal to High
  • Regression set to No
  • Severity set to 3 - minor
  • creating a topic by using curl without any user credential is a critical securuty issue.
  • since topics are global definitions, we should probably require special authorization for users that want ot create them
Actions
Copy link
 #2

Updated by Ulrich Klein over 3 years ago

In my example in the original comment the curl was run on a node inside the Ceph test cluster (of Apple M1 Max VMs).
I now tried a few more times to make sure it's not just something in the aarch64 env.

1. Run curl on a node inside the M1 Max cluster -> same result

2. Run curl on a node inside an x86 cluster -> same result

3. Run curl on a client outside the cluster (M1) -->
<Error><Code>MethodNotAllowed</Code><RequestId>tx00000ce1848ef805b079e-00638e225d-4b982b-max</RequestId><HostId>4b982b-max-maxzg</HostId></Error>

4. Run curl on a client outside the cluster (x64)--->
<Error><Code>MethodNotAllowed</Code><RequestId>tx0000047227d4836155e5f-00638e233f-a7053-zceph</RequestId><HostId>a7053-zceph-zcephzg</HostId></Error>

So, looks like the curl w/o authentication only works from inside the cluster, at least for me.

Actions
Copy link
 #3

Updated by lei cao over 3 years ago

https://github.com/ceph/ceph/pull/49297, i try a PR to avoid anonymous authentication when create topic.

Actions
Copy link
 #4

Updated by Casey Bodley over 3 years ago

  • Status changed from New to Fix Under Review
  • Backport set to pacific quincy
  • Pull request ID set to 49297
Actions
Copy link
 #5

Updated by Yuval Lifshitz over 3 years ago

  • Assignee set to Yuval Lifshitz
Actions
Copy link
 #6

Updated by Casey Bodley about 3 years ago

  • Pull request ID changed from 49297 to 49335
Actions
Copy link
 #7

Updated by Casey Bodley about 3 years ago

  • Status changed from Fix Under Review to Pending Backport
Actions
Copy link
 #8

Updated by Upkeep Bot about 3 years ago

  • Copied to Backport #58905: pacific: No Authentication/Authorization for creating topics on RGW added
Actions
Copy link
 #9

Updated by Upkeep Bot about 3 years ago

  • Copied to Backport #58906: quincy: No Authentication/Authorization for creating topics on RGW added
Actions
Copy link
 #11

Updated by Casey Bodley over 2 years ago

@Yuval this is a high-priority bug fix, but we never backported it to pacific or quincy. could you please prepare those, or close the backport trackers as 'rejected' if you don't think they're needed?

Actions
Copy link
 #12

Updated by Upkeep Bot 9 months ago

  • Merge Commit set to b619fda9ee3e334ec7038f4c766a7e525f408d8f
  • Fixed In set to v18.0.0-2395-gb619fda9ee3
  • Released In set to v18.2.0~495
  • Upkeep Timestamp set to 2025-07-09T17:10:10+00:00
Actions
Copy link
 #13

Updated by Upkeep Bot 8 months ago

  • Fixed In changed from v18.0.0-2395-gb619fda9ee3 to v18.0.0-2395-gb619fda9ee
  • Upkeep Timestamp changed from 2025-07-09T17:10:10+00:00 to 2025-07-14T19:10:50+00:00
Actions
Copy link

Also available in: Atom PDF