NC | NSFS | Bucket Policy Should Be Managed Only by Bucket Owner #8288

Open
shirady opened this issue Aug 18, 2024 · 3 comments
@shirady (Contributor) commented Aug 18, 2024

Environment info

  • NooBaa Version: master (5.18)
  • Platform: NC

Actual behavior

  1. A user granted a bucket policy (for all actions) can add or remove the policy although he is not the owner.

Expected behavior

  1. Only the owner can add or remove the bucket policy, as I understand it from the docs (see AWS docs):

Only the bucket owner can associate a policy with a bucket.

Steps to reproduce

Create 2 accounts and give account2 full access via a bucket policy. Then try to put the bucket policy as account2 and remove the bucket policy.

  1. Create account1 with the CLI: sudo node src/cmd/manage_nsfs account add --name shira-1001 --new_buckets_path /tmp/nsfs_root1 --access_key <access-key> --secret_key <secret-key> --uid <uid> --gid <gid>
     Create account2 with the CLI: sudo node src/cmd/manage_nsfs account add --name shira-1002 --new_buckets_path /tmp/nsfs_root2 --access_key <access-key> --secret_key <secret-key> --uid <uid> --gid <gid>
     Note: before creating the accounts you need to give permissions on the new_buckets_path: chmod 777 /tmp/nsfs_root2.
  2. Create a bucket owned by account1 with the CLI: sudo node src/cmd/manage_nsfs bucket add --name my-bucket --path /tmp/nsfs_root1/my-bucket --owner shira-1001
  3. Start the NSFS server with: sudo node src/cmd/nsfs --debug 5
     Notes:
     • Before starting the server, add this line: process.env.NOOBAA_LOG_LEVEL = 'nsfs'; in endpoint.js (before the condition if (process.env.NOOBAA_LOG_LEVEL) {).
     • I changed config.NSFS_CHECK_BUCKET_BOUNDARIES = false; //SDSD because I'm using /tmp/ and not /private/tmp/.
  4. Create the aliases for the S3 service:
     alias nc-user-1-s3='AWS_ACCESS_KEY_ID=<access-key> AWS_SECRET_ACCESS_KEY=<secret-key> aws --no-verify-ssl --endpoint-url https://localhost:6443'
     alias nc-user-2-s3='AWS_ACCESS_KEY_ID=<access-key> AWS_SECRET_ACCESS_KEY=<secret-key> aws --no-verify-ssl --endpoint-url https://localhost:6443'
  5. Check that the bucket cannot be seen by account2: nc-user-2-s3 s3 ls
  6. Put a bucket policy on the bucket as account1: nc-user-1-s3 s3api put-bucket-policy --bucket my-bucket --policy file://policy.json
     policy.json:
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Principal": { "AWS": [ "shira-1002" ] },
           "Action": [ "s3:*" ],
           "Resource": [ "arn:aws:s3:::my-bucket/*", "arn:aws:s3:::my-bucket" ]
         }
       ]
     }
  7. Check that the bucket can be seen by account2: nc-user-2-s3 s3 ls
  8. Put the bucket policy as account2 (this should not be allowed): nc-user-2-s3 s3api put-bucket-policy --bucket my-bucket --policy file://policy.json
  9. Remove the bucket policy as account2 (this should not be allowed either): nc-user-2-s3 s3api delete-bucket-policy --bucket my-bucket

More information - Screenshots / Logs / Other output

@shirady added the labels NS-FS and Non Containerized on Aug 18, 2024
@shirady changed the title from "Nc | NSFS | Bucket Policy Should Be Managed Only by Bucket Owner" to "NC | NSFS | Bucket Policy Should Be Managed Only by Bucket Owner" on Aug 18, 2024
@romayalon (Contributor) commented:

@shirady have you tried it against AWS?

@shirady (Contributor, Author) commented Aug 22, 2024

@romayalon, today I tried it with Sagi:
I created a bucket (shira-bucket) and put a single object in it (hello.txt).
I added a bucket policy with permission to do all s3 actions on the bucket and the bucket's objects (I removed the ARN from this printout):

{
  "Version": "2012-10-17",
  "Statement": [
    {
     "Effect": "Allow",
     "Principal": { "AWS": [ "ARN-of-user-in-different-account" ] },
     "Action": [ "s3:*" ],
     "Resource": [ "arn:aws:s3:::shira-bucket/*",
     "arn:aws:s3:::shira-bucket" ]
    }
  ]
}

Summary

  1. He could list the objects in the bucket, get the object, and put another object (as expected).
  2. I saw an error on the get, put, and delete bucket operations, all of them with MethodNotAllowed (this is what we were curious about; I attached the output).
  3. (Interesting, but not related to this issue.) He could not see the bucket in his bucket list. We tried to list and grep the bucket name, and we listed and counted the buckets and saw it is the same number as in the AWS console. I read in the AWS CLI docs that it returns "the list of buckets owned by the requester", so the AWS output is expected, but it is not the same as the NC list buckets.
  4. He could delete all the objects and delete the bucket (as expected).

Bucket policy actions output:

$ aws s3api get-bucket-policy --bucket shira-bucket
An error occurred (MethodNotAllowed) when calling the GetBucketPolicy operation: The specified method is not allowed against this resource.
$ aws s3api put-bucket-policy --bucket shira-bucket --policy # same policy as mentioned above
An error occurred (MethodNotAllowed) when calling the PutBucketPolicy operation: The specified method is not allowed against this resource.
$ aws s3api delete-bucket-policy --bucket shira-bucket
An error occurred (MethodNotAllowed) when calling the DeleteBucketPolicy operation: The specified method is not allowed against this resource.

Thanks @sagihirshfeld

@shirady (Contributor, Author) commented Aug 26, 2024

@romayalon, I will share what I saw in the containerized deployment.
In short: an account that received a bucket policy with all actions could execute the bucket policy actions: get-bucket-policy, put-bucket-policy, delete-bucket-policy.

Testing Details:

  1. I deployed a noobaa system on Rancher Desktop (see guide).
     Notes:
     • nb is an alias that runs the local operator from build/_output/bin (alias created by devenv).
     • I deployed it in namespace test1.
  2. I'm using port-forward: kubectl port-forward -n test1 service/s3 12443:443
  3. Create the alias for the admin: alias s3-nb-admin='AWS_ACCESS_KEY_ID=<access-key-id> AWS_SECRET_ACCESS_KEY=<secret-key> aws --no-verify-ssl --endpoint-url https://localhost:12443' (the access key id and secret key were copied from the "S3 Credentials" part of nb status --show_secrets).
  4. I checked that the admin account has the first bucket: s3-nb-admin s3 ls; echo $? (see first.bucket and return code 0).
  5. I created 2 accounts:
     • nb account create user1 -n test1 --allow_bucket_create=false
     • nb account create user2 -n test1 --allow_bucket_create=true
  6. Created aliases for the accounts:
     • alias s3-nb-user-1='AWS_ACCESS_KEY_ID=<access-key-id> AWS_SECRET_ACCESS_KEY=<secret-key> aws --no-verify-ssl --endpoint-url https://localhost:12443' (the credentials were taken from nb account status user1 -n test1 --show-secrets)
     • alias s3-nb-user-2='AWS_ACCESS_KEY_ID=<access-key-id> AWS_SECRET_ACCESS_KEY=<secret-key> aws --no-verify-ssl --endpoint-url https://localhost:12443' (the credentials were taken from nb account status user2 -n test1 --show-secrets)
  7. Both accounts could see first.bucket: s3-nb-user-1 s3 ls; echo $?; s3-nb-user-2 s3 ls; echo $?
  8. Account user2 created a bucket and put an object in it:
     • s3-nb-user-2 s3 mb s3://bucket-user-2
     • s3-nb-user-2 s3api put-object --bucket bucket-user-2 --key hello_world
  9. Account user1 tries to put an object in the bucket (should fail): s3-nb-user-1 s3api put-object --bucket bucket-user-2 --key hello_world2 (it failed with: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied).
  10. Account user2 puts a bucket policy granting access to account user1: s3-nb-user-2 s3api put-bucket-policy --bucket bucket-user-2 --policy file://policy_by_name.json
      file policy_by_name.json:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": { "AWS": "user1" },
            "Action": [ "s3:*" ],
            "Resource": [ "arn:aws:s3:::bucket-user-2/*", "arn:aws:s3:::bucket-user-2" ]
          }
        ]
      }
  11. Account user2 gets the bucket policy: s3-nb-user-2 s3api get-bucket-policy --bucket bucket-user-2
      output: { "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"s3:*\"],\"Effect\":\"Allow\",\"Resource\":[\"arn:aws:s3:::bucket-user-2/*\",\"arn:aws:s3:::bucket-user-2\"],\"Principal\":{\"AWS\":\"user1\"}}]}" }
  12. Account user1 puts an object (should succeed): s3-nb-user-1 s3api put-object --bucket bucket-user-2 --key hello_world3
  13. Account user1 gets the bucket policy (as mentioned in the comment below, I think it should not succeed): s3-nb-user-1 s3api get-bucket-policy --bucket bucket-user-2
      output: { "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"s3:*\"],\"Effect\":\"Allow\",\"Resource\":[\"arn:aws:s3:::bucket-user-2/*\",\"arn:aws:s3:::bucket-user-2\"],\"Principal\":{\"AWS\":\"user1\"}}]}" }
  14. Account user1 updates the bucket policy (as mentioned in the comment below, I think it should not succeed): s3-nb-user-1 s3api put-bucket-policy --bucket bucket-user-2 --policy file://policy_to_all_principals.json
      file policy_to_all_principals.json:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": { "AWS": "*" },
            "Action": [ "s3:*" ],
            "Resource": [ "arn:aws:s3:::bucket-user-2/*", "arn:aws:s3:::bucket-user-2" ]
          }
        ]
      }
  15. Account user1 gets the bucket policy (as mentioned in the comment below, I think it should not succeed): s3-nb-user-1 s3api get-bucket-policy --bucket bucket-user-2
      output: { "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"s3:*\"],\"Effect\":\"Allow\",\"Resource\":[\"arn:aws:s3:::bucket-user-2/*\",\"arn:aws:s3:::bucket-user-2\"],\"Principal\":{\"AWS\":\"*\"}}]}" }
      Note: notice that account user1 changed the principals in the bucket policy.
  16. Account user1 deletes the bucket policy: s3-nb-user-1 s3api delete-bucket-policy --bucket bucket-user-2
  17. Account user2 tries to get the bucket policy (will fail): s3-nb-user-2 s3api get-bucket-policy --bucket bucket-user-2, fails with: An error occurred (NoSuchBucketPolicy) when calling the GetBucketPolicy operation: The specified bucket does not have a bucket policy.
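The owner-only check this issue asks for, written out as an added example in plain JavaScript. It is not NooBaa's code and does not use NooBaa's APIs; it is a minimal S3-style authorizer that covers both the expected behaviour in the issue description and the escalation shown in the containerized test above (a grantee with "s3:*" rewriting the policy's Principal to "*" and then deleting the policy). The function names (authorizePolicyOnly, authorizeOwnerGated, runScenario, globToRegExp) and the account names, bucket name and policy document are constructed to mirror the test steps, not taken from the project. The point it demonstrates is that the three bucket-policy actions must be decided by bucket ownership before the policy is consulted at all, so the policy cannot delegate them to whoever it names. Note that it only reproduces the outcome (the request is refused); the AWS run in the Aug 22 comment surfaced that refusal as MethodNotAllowed, and which error code an implementation returns is a separate decision.

```javascript
// Added example, not NooBaa's own code: a minimal S3-style authorizer in which
// bucket-policy management (Get/Put/DeleteBucketPolicy) is owner-only and the
// bucket policy is consulted only for other actions. Names and the sample
// policy below are constructed to mirror the issue's reproduction steps.

const BUCKET_POLICY_ACTIONS = new Set([
  's3:GetBucketPolicy',
  's3:PutBucketPolicy',
  's3:DeleteBucketPolicy',
]);

// Turn an IAM-style wildcard ("arn:aws:s3:::b/*", "s3:Get*") into an anchored RegExp.
function globToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters, except * and ?
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp('^' + escaped + '$');
}

function asList(v) {
  return Array.isArray(v) ? v : [v];
}

// Principal may be "*", or { AWS: "<id>" }, or { AWS: ["<id>", ...] }.
function principalMatches(principal, account) {
  if (principal === '*') return true;
  if (!principal || principal.AWS === undefined) return false;
  return asList(principal.AWS).some(p => p === '*' || p === account);
}

function anyGlobMatches(patterns, value) {
  return asList(patterns).some(p => globToRegExp(p).test(value));
}

// Standard evaluation order: an explicit Deny wins over any Allow.
function policyAllows(policy, account, action, resource) {
  let allowed = false;
  for (const st of policy.Statement) {
    if (!principalMatches(st.Principal, account)) continue;
    if (!anyGlobMatches(st.Action, action)) continue;
    if (!anyGlobMatches(st.Resource, resource)) continue;
    if (st.Effect === 'Deny') return false;
    if (st.Effect === 'Allow') allowed = true;
  }
  return allowed;
}

// The behaviour reported in the issue: every action, including the
// bucket-policy actions, is granted to whoever the policy names.
function authorizePolicyOnly(bucket, account, action, resource) {
  if (bucket.owner === account) return 'ALLOW';
  if (!bucket.policy) return 'DENY';
  return policyAllows(bucket.policy, account, action, resource) ? 'ALLOW' : 'DENY';
}

// The expected behaviour: bucket-policy actions are decided by ownership
// before the policy is read, so a grantee with "s3:*" cannot rewrite or
// remove the policy that grants it access.
function authorizeOwnerGated(bucket, account, action, resource) {
  if (BUCKET_POLICY_ACTIONS.has(action)) {
    return bucket.owner === account ? 'ALLOW' : 'DENY';
  }
  return authorizePolicyOnly(bucket, account, action, resource);
}

// Constructed scenario mirroring the containerized test: user2 owns the
// bucket and grants user1 "s3:*" on the bucket and its objects.
const BUCKET_ARN = 'arn:aws:s3:::bucket-user-2';
const BUCKET = {
  name: 'bucket-user-2',
  owner: 'user2',
  policy: {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Principal: { AWS: 'user1' },
      Action: ['s3:*'],
      Resource: [BUCKET_ARN + '/*', BUCKET_ARN],
    }],
  },
};

// Run the same requests through a given authorizer and collect the decisions.
function runScenario(authorize) {
  return {
    user1PutObject: authorize(BUCKET, 'user1', 's3:PutObject', BUCKET_ARN + '/hello_world3'),
    user1GetBucketPolicy: authorize(BUCKET, 'user1', 's3:GetBucketPolicy', BUCKET_ARN),
    user1PutBucketPolicy: authorize(BUCKET, 'user1', 's3:PutBucketPolicy', BUCKET_ARN),
    user1DeleteBucketPolicy: authorize(BUCKET, 'user1', 's3:DeleteBucketPolicy', BUCKET_ARN),
    user2PutBucketPolicy: authorize(BUCKET, 'user2', 's3:PutBucketPolicy', BUCKET_ARN),
    user3PutObject: authorize(BUCKET, 'user3', 's3:PutObject', BUCKET_ARN + '/x'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('policy-only :', runScenario(authorizePolicyOnly));
  console.log('owner-gated :', runScenario(authorizeOwnerGated));
}
```

Running it prints the two decision tables side by side: under authorizePolicyOnly user1 gets ALLOW on all three bucket-policy actions (the reported behaviour), while under authorizeOwnerGated user1 keeps ALLOW on PutObject but gets DENY on Get/Put/DeleteBucketPolicy and only the owner user2 is allowed to manage the policy. The ownership check deliberately sits before any policy parsing, so the outcome cannot be changed by the policy contents, including a Principal of "*".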
