git-server-git.apps.pok.os.sepia.ceph.com Git

author	Matthew Oliver <moliver@suse.com>
	Wed, 26 Feb 2020 06:15:22 +0000 (06:15 +0000)
committer	Nathan Cutler <ncutler@suse.com>
	Wed, 13 May 2020 15:32:00 +0000 (17:32 +0200)
commit	c99f33b68041b8a34764cf1a45e4d6772aa84a41
tree	5fbefd6666c6e3e1f1832725adfd5df0493d5814	tree \| snapshot
parent	db151dc1f731bf8e420b74bd534e9c9e876069a1	commit \| diff

rgw: anonomous swift to obj that dont exist should 401

Currently, if you attempt to GET and object in the Swift API that
doesn't exist and you don't pass a `X-Auth-Token` it will 404 instead of
401.

This is actually a rather big problem as it means someone can leak data
out of the cluster, not object data itself, but if an object exists or
not.

This is caused by the SwiftAnonymousEngine's, frankly wide open
is_applicable acceptance. When we get to checking the bucket or object
for user acceptance we deal with it properly, but if the object doesn't
exsit, because the user has been "authorised" rgw returns a 404.

Why? Because we always override the user with the Swift account.
Meaning as far as checks are concerned the auth user is the user, not
and anonymous user.

I assume this is because a swift container could have world readable
reads or writes and in slight s3 and swift api divergents can make these
interesting edge cases leak in.

This patch doesn't change the user to the swift account if they are
anonymous. So we can do some anonymous checks when it suits later in the
request processing path.

Fixes: https://tracker.ceph.com/issues/43617
Signed-off-by: Matthew Oliver <moliver@suse.com>
(cherry picked from commit b03d9754e113d24221f1ce0bac17556ab0017a8a)

Conflicts:
src/rgw/rgw_swift_auth.h
- where master has "rgw_user(s->account_name)", nautilus has
"s->account_name" only

src/rgw/rgw_auth.h		diff \| blob \| history
src/rgw/rgw_op.cc		diff \| blob \| history
src/rgw/rgw_swift_auth.h		diff \| blob \| history