rkozello opened a new issue, #12173: URL: https://github.com/apache/cloudstack/issues/12173
### problem

When account A deletes MinIO bucket from CloudStack web UI, MinIO policy for special MinIO user access to this bucket remains intact. If (when) account B creates bucket with the same name, account A may get access to it using saved Access+Secret Keys and any S3 utility.

Remediation: delete MinIO policy providing access to specific bucket on bucket deletion.

### versions

CloudStack v 4.22

### The steps to reproduce the bug

1. Login to web UI as user/account A
2. Create S3 bucket 'test'
3. Save access credentials (Access Key, Secret Key, URL without final bucket path)
4. Delete bucket 'test'
5. Login to web UI as user/account B
6. Create S3 bucket 'test'
7. Using bucket browser, upload some file to bucket
8. Create mc alias for user A as 'mc alias set userA-test $URL $Access_Key $Secret_Key'
9. Check bucket contents 'mc ls userA-test/test'

...

### What to do about it?

Modify code to delete access policy on bucket deletion
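An audit for the condition described in this issue, as an added example that is not part of the original report or CloudStack's code: it flags MinIO policies that still grant access to a bucket that was deleted, or that now belongs to a different user. The policy names, user names and inventory dictionaries are constructed sample data; exporting them from MinIO and CloudStack is assumed to happen elsewhere.

```python
ARN_PREFIX = "arn:aws:s3:::"

def bucket_names(policy_doc):
    """Bucket names referenced by Allow statements in an S3-style policy document."""
    names = set()
    statements = policy_doc.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        resources = st.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for arn in resources:
            if arn.startswith(ARN_PREFIX):
                names.add(arn[len(ARN_PREFIX):].split("/", 1)[0])
    return names

def audit(policies, attachments, bucket_owner):
    """policies: policy name -> document; attachments: policy name -> set of users;
    bucket_owner: live bucket -> user expected to hold access (assumed inventory)."""
    findings = []
    for name, doc in sorted(policies.items()):
        for bucket in sorted(bucket_names(doc)):
            if "*" in bucket or "?" in bucket:
                continue                      # wildcard grants need a separate review
            if bucket not in bucket_owner:
                findings.append(("orphaned", name, bucket, None))
                continue
            for user in sorted(attachments.get(name, ())):
                if user != bucket_owner[bucket]:
                    findings.append(("stale-grant", name, bucket, user))
    return findings

def _allow(bucket):
    # Constructed policy shape: full S3 access to one bucket and its objects.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["s3:*"],
        "Resource": [ARN_PREFIX + bucket, ARN_PREFIX + bucket + "/*"]}]}

# Constructed sample: 'test' was deleted by A and recreated by B, 'gone' no longer exists.
POLICIES = {"test-policy": _allow("test"), "logs-policy": _allow("logs"),
            "old-policy": _allow("gone")}
ATTACHMENTS = {"test-policy": {"userA-key"}, "logs-policy": {"userC-key"},
               "old-policy": {"userD-key"}}
BUCKET_OWNER = {"test": "userB-key", "logs": "userC-key"}

if __name__ == "__main__":
    for finding in audit(POLICIES, ATTACHMENTS, BUCKET_OWNER):
        print(finding)
```

An `orphaned` finding is a policy left behind after bucket deletion; a `stale-grant` finding is the state after step 6, where the recreated bucket is reachable with the previous owner's keys.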
