cloudserver
cloudserver copied to clipboard
scality
Unable to DELETE public object from public bucket without authorization.
To test some functionality I need to have a bucket with full-control for any user to be able to delete and put objects without authorization. I use AWS CLI with authorization to create public-read-write bucket then do PUT and DELETE object without authorization via another client. PUT - successful, DELETE - AccessDenied. Also, the same situation when I create bucket and object with acl public-read-write via AWS CLI (authorized) and try to delete via an unauthorized client(postman).
Fault reproducing:
- Created a bucket with acl public-read-write.
aws s3api create-bucket --acl=public-read-write --bucket=12345 --endpoint=http://localhost:8000 --region=us-east-1"
- Create an object with acl public-read-write.
aws s3api put-object --acl=public-read-write --bucket=12345 --key=99 --endpoint=http://localhost:8000 --region=us-east-1
- Try to delete object '99' via postman or another client without authorization:
{"name":"S3","bucketName":"12345","objectKey":"99","bytesReceived":0,"bodyLength":0,"time":1525417843459,"req_id":"5eb2568f2f4e8a6308a8","level":"debug","message":"operation not available for public user","hostname":"lwo1-lhp-f71264","pid":104}
{"name":"S3","bucketName":"12345","objectKey":"99","bytesReceived":0,"bodyLength":0,"errCode":{"code":403,"description":"Access Denied","AccessDenied":true},"time":1525417843459,"req_id":"5eb2568f2f4e8a6308a8","level":"trace","message":"sending error xml response","hostname":"lwo1-lhp-f71264","pid":104}
{"name":"S3","bucketName":"12345","objectKey":"99","bytesReceived":0,"bodyLength":0,"bytesSent":174,"clientIP":"::1","clientPort":60148,"httpMethod":"DELETE","httpURL":"/99","httpCode":403,"time":1525417843459,"req_id":"5eb2568f2f4e8a6308a8","elapsed_ms":0.978266,"level":"info","message":"responded with error XML","hostname":"lwo1-lhp-f71264","pid":104}
This is actually inline with AWS' S3 behavior. Since the object is owned by the user who created it, the public user cannot delete it.
Hi. Here https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#permissions I found: Amazon S3 Predefined Groups .... All Users group – Represented by http://acs.amazonaws.com/groups/global/AllUsers.
All Users group – Represented by http://acs.amazonaws.com/groups/global/AllUsers. Access permission to this group allows anyone in the world access to the resource. The requests can be signed (authenticated) or unsigned (anonymous). Unsigned requests omit the Authentication header in the request.
Also in chapter Canned ACL: ...
| Canned ACL | Applies to | Permissions added to ACL |
|---|---|---|
| private | Bucket and object | Owner gets FULL_CONTROL. No one else has access rights (default). |
| public-read | Bucket and object | Owner gets FULL_CONTROL. The AllUsers group (see Who Is a Grantee?) gets READ access. |
| public-read-write | Bucket and object | Owner gets FULL_CONTROL. The AllUsers group gets READ and WRITE access. Granting this on a bucket is generally not recommended. |
... As I've understood this means that I can grant WRITE permission (using ACL = 'public-read-write' or grant WRITE permissions to All Users group) to a non-authenticated(public) user, and this user can delete the object in a bucket in real AWS.
Could you please provide me some documentation where is mentioned that this behavior is inline with AWS' S3? Thank you.
Sorry for the delayed response. I have tested this with AWS - client should be able to delete an object set with public-read-write ACL. I will push a fix for this.
If you need a fix before that here's the conditional that you can remove to get through https://github.com/scality/S3/blob/development/8.0/lib/api/objectDelete.js#L25