NC | Multi Protocol Access | If there is an object inside the bucket directory with a conflicting ownership (other than account owner), list objects throws access denied
#8735
If there is an object inside the bucket directory with a conflicting ownership (other than account owner), the entire bucket will become access denied.
Expected behavior
Ideally, if the user tries to list the bucket via the AWS CLI, the bucket owner should be able to list all the objects inside the bucket directory of which he has ownership. In a multi-protocol scenario, the same directory can be used as an S3 bucket directory or as an SMB/NFS share. Thus the files created inside the directory might have a different UID:GID than the S3 account owner.
Will explain in detail in next section
Steps to reproduce
1. Create a bucket and upload two objects into it. Account owner is 10000:10000
[root@5221new-11 bucket001]# pwd
/mnt/gpfs0/account001/bucket001
[root@5221new-11 bucket001]# ls -lrt
total 10248
-rw-rw----. 1 10000 10000 10485760 Jan 29 06:23 10MB_file.bin
-rw-rw----. 1 10000 10000 5 Jan 29 06:24 abcd.txt
Create another object inside the bucket with a different user. This is possible since the same directory can be used for NFS/SMB as well.
[root@5221new-11 bucket001]# touch test.txt ; chmod 660 test.txt; ls -lrt
total 10248
-rw-rw----. 1 10000 10000 10485760 Jan 29 06:23 10MB_file.bin
-rw-rw----. 1 10000 10000 5 Jan 29 06:24 abcd.txt
-rw-rw----. 1 root root 0 Jan 29 09:37 test.txt ---> Different owner. Might be from an NFS user
Now the bucket is inaccessible.
[root@akarattuparambil-scale-host ~]# account001 s3 ls s3://bucket001
urllib3/connectionpool.py:1061: InsecureRequestWarning: Unverified HTTPS request is being made to host '5221new-11'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
More information - Screenshots / Logs / Other output
romayalon changed the title from "If there is an object inside the bucket directory with a conflicting ownership (other than account owner), the entire bucket will become access denied." to "NC | Multi Protocol Access | If there is an object inside the bucket directory with a conflicting ownership (other than account owner), list objects throws access denied" on Jan 29, 2025
1. Create a bucket and upload two objects into it. Account owner is 10000:10000
Able to list the objects successfully via AWScli
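The difference between the reported and the expected listing behavior, as an added example that is not part of the issue and is not NooBaa's code: a POSIX read check is applied per entry, and a listing that fails on the first unreadable file is compared with one that skips it. The entry objects, `canRead`, `listStrict` and `listTolerant` are hypothetical names, the sample entries are constructed from the `ls -lrt` output in the report, and the page does not say where in NooBaa the denial originates.

```javascript
// Constructed sample: the three files from the report's `ls -lrt` output.
// Field names are hypothetical, not NooBaa's internal representation.
const ENTRIES = [
  { name: '10MB_file.bin', uid: 10000, gid: 10000, mode: 0o660 },
  { name: 'abcd.txt', uid: 10000, gid: 10000, mode: 0o660 },
  { name: 'test.txt', uid: 0, gid: 0, mode: 0o660 }, // created as root
];

// S3 account from the report, mapped to UID:GID 10000:10000.
const ACCOUNT = { uid: 10000, gids: [10000] };

// POSIX read check: owner bits if the UID matches, otherwise group bits
// if a GID matches, otherwise the "other" bits. Only one class applies.
function canRead(entry, account) {
  if (account.uid === 0) return true; // root bypasses the mode bits
  if (entry.uid === account.uid) return (entry.mode & 0o400) !== 0;
  if (account.gids.includes(entry.gid)) return (entry.mode & 0o040) !== 0;
  return (entry.mode & 0o004) !== 0;
}

// Reported behavior: one unreadable entry fails the whole listing.
function listStrict(entries, account) {
  for (const e of entries) {
    if (!canRead(e, account)) {
      const err = new Error('Access Denied');
      err.code = 'AccessDenied';
      throw err;
    }
  }
  return entries.map((e) => e.name);
}

// Expected behavior: return the keys the account can read and keep the
// skipped names for server-side logging only, never in the S3 response.
function listTolerant(entries, account) {
  const keys = [];
  const skipped = [];
  for (const e of entries) {
    (canRead(e, account) ? keys : skipped).push(e.name);
  }
  return { keys, skipped };
}

console.log(listTolerant(ENTRIES, ACCOUNT));
```
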