nspcc-dev/neofs-s3-gw
1
0
Fork 0
mirror of https://github.com/nspcc-dev/neofs-s3-gw.git synced 2026-03-01 04:29:15 +00:00
Code Issues 24 Projects Packages Wiki Activity

aws s3api list-objects might list objects in bucket owned by different credentials for a short period of time #335

New issue
Closed
opened 2025-12-28 17:37:02 +00:00 by sami · 2 comments
sami commented 2025-12-28 17:37:02 +00:00
Owner
Copy link

Originally created by @lesnya on GitHub (Sep 22, 2022).

Originally assigned to: @KirillovDenis on GitHub.

Steps to reproduce:

  1. Create two different wallets (let's say wallet_user1.json and wallet_user2.json).
  2. Issue two sets of s3 keys by neofs-s3-authmate issue-secret - one for wallet_user1.json and another one for wallet_user2.json
  3. Configure two aws clients using these two different sets of s3 keys.
  4. Create bucket using user1's aws credentials:
    aws --no-verify-ssl s3api create-bucket --bucket acl-test-user1 --endpoint-url http://node1.neofs:8084
  5. List objects in this bucket using user2's aws credentials from another terminal - an error should be received as an output. This is expected behaviour.
    aws --no-verify-ssl s3api list-objects --bucket acl-test-user1 --endpoint-url http://172.19.17.229:8084 An error occurred (InternalError) when calling the ListObjects operation (reached max retries: 2): failed to get sub tree: rpc error: code = Unknown desc = bearer token must be signed by the container owner
  6. Put any object in this bucket using user1's aws credentials:
    aws --no-verify-ssl s3api put-object --bucket acl-test-user1 --key user1-owner-data --body /tmp/data.txt --endpoint-url http://node1.neofs:8084
  7. List objects in this bucket using user1's aws credentials:
    aws --no-verify-ssl s3api list-objects --bucket acl-test-user1 --endpoint-url http://node1.neofs:8084
  8. Immediately after, list objects in this bucket using user2's aws credentials from another terminal:
    aws --no-verify-ssl s3api list-objects --bucket acl-test-user1 --endpoint-url http://172.19.17.229:8084
  9. This time command will return the list of objects for this owned by user1's bucket, although it was executed from user2's credentials.
  10. You can re-run command above multiple times - each time it will return the list of objects.
  11. This behaviour will persist for about 10-16 seconds.
  12. After this period of time the command will start getting an error from step 5 again, as expected.
  13. You can go and repeat all steps starting from step 6 to reproduce the issue.

NOTE:
a) If you skip step 7, command in step 8 will return an error, as it should.
b) If use any other endpoint in command from step 8, it will return an error, too.

Cache?

Originally created by @lesnya on GitHub (Sep 22, 2022). Originally assigned to: @KirillovDenis on GitHub. Steps to reproduce: 1. Create two different wallets (let's say wallet_user1.json and wallet_user2.json). 2. Issue two sets of s3 keys by neofs-s3-authmate issue-secret - one for wallet_user1.json and another one for wallet_user2.json 3. Configure two aws clients using these two different sets of s3 keys. 4. Create bucket using user1's aws credentials: `aws --no-verify-ssl s3api create-bucket --bucket acl-test-user1 --endpoint-url http://node1.neofs:8084` 5. List objects in this bucket using user2's aws credentials from another terminal - an error should be received as an output. This is expected behaviour. `aws --no-verify-ssl s3api list-objects --bucket acl-test-user1 --endpoint-url http://172.19.17.229:8084 An error occurred (InternalError) when calling the ListObjects operation (reached max retries: 2): failed to get sub tree: rpc error: code = Unknown desc = bearer token must be signed by the container owner` 6. Put any object in this bucket using user1's aws credentials: `aws --no-verify-ssl s3api put-object --bucket acl-test-user1 --key user1-owner-data --body /tmp/data.txt --endpoint-url http://node1.neofs:8084` 7. List objects in this bucket using user1's aws credentials: `aws --no-verify-ssl s3api list-objects --bucket acl-test-user1 --endpoint-url http://node1.neofs:8084` 8. Immediately after, list objects in this bucket using user2's aws credentials from another terminal: `aws --no-verify-ssl s3api list-objects --bucket acl-test-user1 --endpoint-url http://172.19.17.229:8084` 9. This time command will return the list of objects for this owned by user1's bucket, although it was executed from user2's credentials. 10. You can re-run command above multiple times - each time it will return the list of objects. 11. This behaviour will persist for about 10-16 seconds. 12. After this period of time the command will start getting an error from step 5 again, as expected. 13. You can go and repeat all steps starting from step 6 to reproduce the issue. NOTE: a) If you skip step 7, command in step 8 will return an error, as it should. b) If use any other endpoint in command from step 8, it will return an error, too. Cache?
sami 2025-12-28 17:37:02 +00:00
sami commented 2025-12-28 17:37:03 +00:00
Author
Owner
Copy link

@KirillovDenis commented on GitHub (Sep 23, 2022):

Cache?

Yes

@KirillovDenis commented on GitHub (Sep 23, 2022): > Cache? Yes
sami commented 2025-12-28 17:37:03 +00:00
Author
Owner
Copy link

@alexvanin commented on GitHub (Oct 3, 2022):

To solve this issue we need to introduce access control cache. This LRU cache should store successful or unsuccessful attempts to receive the data from storage, considering access control errors. This cache should evict values whithin configured timeout, because access control rules may change over time, so we want to drop cache data over time.

@alexvanin commented on GitHub (Oct 3, 2022): To solve this issue we need to introduce access control cache. This LRU cache should store successful or unsuccessful attempts to receive the data from storage, considering access control errors. This cache should evict values whithin configured timeout, because access control rules may change over time, so we want to drop cache data over time.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
1255-session-token-v2
new-get
logger
experimental/unsigned-responses
experimental/get-perf
debugprint
ezayats/bump-s3-tests
955-after-a-parallel-deletion-of-versioned-objects-list-objects-returns-info-about-them
v0.42.0
v0.41.5
v0.41.4
v0.41.3
v0.41.2
v0.41.1
v0.41.0
v0.40.0
v0.39.0
v0.38.0
v0.37.0
v0.36.1
v0.36.0
v0.35.0
v0.34.1
v0.34.0
v0.33.0
v0.32.0
v0.31.1
v0.31.0
v0.30.1
v0.30.0
v0.29.0
v0.28.2
v0.28.1
v0.28.0
v0.27.1
v0.27.0
v0.26.1
v0.26.0
v0.25.1
v0.25.0
v0.24.0
v0.23.0
v0.22.0
v0.21.1
v0.21.0
v0.20.0
v0.19.0
v0.18.0
v0.17.0
v0.17.0-rc.1
v0.16.0
v0.15.1-pre
v0.15.0
v0.14.2
v0.14.1
v0.14.0
v0.13.0
v0.12.0-rc.3
v0.12.0-rc.2
v0.12.0-rc.1
Labels
Clear labels   
I2

   
I2

   
I3

   
I4

   
S2

   
S3

   
S4

   
S4

   
U0

   
U1

   
U2

   
U2

   
U3

   
U4

   
U4

   
auth-mate

   
blocked

   
bug

   
config

   
dependencies

   
discussion

   
documentation

   
enhancement

   
epic

   
feature

   
go

   
good first issue

   
help wanted

   
performance

   
question

   
security

   
test

   
tree-service

   
tree-service
No labels
I2
I2
I3
I4
S2
S3
S4
S4
U0
U1
U2
U2
U3
U4
U4
auth-mate
blocked
bug
config
dependencies
discussion
documentation
enhancement
epic
feature
go
good first issue
help wanted
performance
question
security
test
tree-service
tree-service
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
nspcc-dev/neofs-s3-gw#335
No description provided.