Bug #70191 (open)
CreateMultipartUpload evaluates bucket policy with bucket Resource instead of object
% Done: 0%
Source:
Backport: reef squid
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Tags (freeform): s3 iam multipart backport_processed
Merge Commit:
Fixed In: v20.0.0-154-g3d80385e87
Released In: v20.2.0~927
Upkeep Timestamp: 2025-11-01T01:00:21+00:00
Description
https://docs.aws.amazon.com/AmazonS3/latest/userguide/mpuoverview.html#mpuAndPermissions has the same text for CreateMultipart and CompleteMultipart:
    You must be allowed to perform the s3:PutObject action on an object

for both RGWPutObj and RGWCompleteMultipart, we match the policy's Resource against an object arn like "arn:aws:s3:::testbucket/testobject":

    if (!verify_bucket_permission(this, s, ARN(s->object->get_obj()),
                                  rgw::IAM::s3PutObject)) {

but for RGWInitMultipart, we use the bucket arn "arn:aws:s3:::testbucket":

    if (!verify_bucket_permission(this, s, rgw::IAM::s3PutObject)) {

as a result, policy like this will deny CreateMultipartUpload requests:

    {
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::testbucket/*"
    }
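
The mismatch described above, as an added example that is not part of the original report and is not RGW code: a simplified model of Resource matching that evaluates the report's policy for the three operations, first with InitMultipart checked against the bucket ARN and then against the object ARN. The helper names (`resource_matches`, `checked_arn`, `allowed`) and the wildcard matcher are assumptions of this sketch; Principal, Condition, explicit Deny and ownership checks are left out.

```cpp
#include <cstddef>
#include <initializer_list>
#include <iostream>
#include <string>

// Simplified model (assumption): '*' matches any run of characters,
// '?' matches exactly one, as in S3 policy Resource patterns.
bool resource_matches(const std::string& pat, const std::string& arn) {
  const std::size_t npos = std::string::npos;
  std::size_t p = 0, a = 0, star = npos, mark = 0;
  while (a < arn.size()) {
    if (p < pat.size() && pat[p] == '*') { star = p++; mark = a; }
    else if (p < pat.size() && (pat[p] == '?' || pat[p] == arn[a])) { ++p; ++a; }
    else if (star != npos) { p = star + 1; a = ++mark; }  // let '*' absorb one more char
    else return false;
  }
  while (p < pat.size() && pat[p] == '*') ++p;  // a trailing '*' may match nothing
  return p == pat.size();
}

enum class Op { PutObject, InitMultipart, CompleteMultipart };

// ARN handed to the policy check. object_arn_for_init=false models the
// behaviour in the report: InitMultipart is checked against the bucket ARN.
std::string checked_arn(Op op, const std::string& bucket, const std::string& key,
                        bool object_arn_for_init) {
  const std::string bucket_arn = "arn:aws:s3:::" + bucket;
  if (op == Op::InitMultipart && !object_arn_for_init) return bucket_arn;
  return bucket_arn + "/" + key;
}

// With a single Allow statement for s3:PutObject, the request is allowed only
// if the statement's Resource matches; no match means implicit deny.
bool allowed(const std::string& resource, Op op, const std::string& bucket,
             const std::string& key, bool object_arn_for_init) {
  return resource_matches(resource, checked_arn(op, bucket, key, object_arn_for_init));
}

int main() {
  const std::string res = "arn:aws:s3:::testbucket/*";  // Resource from the report
  const char* names[] = {"PutObject", "InitMultipart", "CompleteMultipart"};
  for (bool object_arn : {false, true}) {
    std::cout << (object_arn ? "object ARN for init\n" : "bucket ARN for init\n");
    for (int i = 0; i < 3; ++i)
      std::cout << "  " << names[i] << ": "
                << (allowed(res, static_cast<Op>(i), "testbucket", "testobject", object_arn)
                        ? "allow" : "deny") << "\n";
  }
  return 0;
}
```
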
Updated by Casey Bodley about 1 year ago
- Status changed from New to Fix Under Review
- Assignee set to Casey Bodley
- Backport set to reef squid
- Pull request ID set to 62020
Updated by Casey Bodley about 1 year ago
- Status changed from Fix Under Review to Pending Backport
Updated by Upkeep Bot about 1 year ago
- Copied to Backport #70340: squid: CreateMultipartUpload evaluates bucket policy with bucket Resource instead of object added
Updated by Upkeep Bot about 1 year ago
- Copied to Backport #70341: reef: CreateMultipartUpload evaluates bucket policy with bucket Resource instead of object added
Updated by Upkeep Bot about 1 year ago
- Tags (freeform) changed from s3 iam multipart to s3 iam multipart backport_processed
Updated by Upkeep Bot 10 months ago
- Merge Commit set to 3d80385e874d672e0942645e41ee6c23a058d38e
- Fixed In set to v20.0.0-154-g3d80385e874
- Upkeep Timestamp set to 2025-07-08T18:07:16+00:00
Updated by Upkeep Bot 10 months ago
- Fixed In changed from v20.0.0-154-g3d80385e874 to v20.0.0-154-g3d80385e874d
- Upkeep Timestamp changed from 2025-07-08T18:07:16+00:00 to 2025-07-14T15:21:44+00:00
Updated by Upkeep Bot 10 months ago
- Fixed In changed from v20.0.0-154-g3d80385e874d to v20.0.0-154-g3d80385e87
- Upkeep Timestamp changed from 2025-07-14T15:21:44+00:00 to 2025-07-14T20:46:13+00:00
Updated by Upkeep Bot 6 months ago
- Released In set to v20.2.0~927
- Upkeep Timestamp changed from 2025-07-14T20:46:13+00:00 to 2025-11-01T01:00:21+00:00