NVIDIA / aistore

AIStore: scalable storage for AI applications
https://aistore.nvidia.com
MIT License
1.26k stars 172 forks source link

Auth enabled but S3 API accept unauthenticated requests #189

Closed arnaudbriche closed 2 weeks ago

arnaudbriche commented 2 weeks ago

Is there an existing issue for this?

Describe the bug

Hi,

I have a docker deployment with authn enabled (deployed aistorage/authn). Whenever I used the ais cli to try to access some bucket without an auth token, I get rejected as expected. But when I use was cli to ls the same bucket (still without any auth token set in the Authorization header), my request is not rejected.

Is the s3 compact layer not protected by authn or I am missing something ?

Expected Behavior

The request is rejected when no auth hdr is set

Current Behavior

The request pass and returns data

Steps To Reproduce

Create a local deployment with docker and authn. Register the cluster with authn server.

Possible Solution

No response

Additional Information/Context

No response

AIStore build/version

version 3.24.rc4.b76efec7c (build: 2024-09-27T19:59:26+0000)

Environment details (OS name and version, etc.)

Ubuntu 24.O4 / docker

gaikwadabhishek commented 2 weeks ago

Hey @arnaudbriche,

We've fixed the missing authentication issue when accessing $(AIS_ENDPOINT)/s3. Please update to the latest build from Docker Hub: https://hub.docker.com/r/aistorage/aisnode/tags (use either the latest tag or v3.26-8b213ac).

Note: If you enable AUTH, the AWS CLI may override the Authorization header. To make requests to AIStore using any S3-compatible client, you'll need to add the header Authorization: Bearer <token>.

arnaudbriche commented 2 weeks ago

Hi @gaikwadabhishek

Thx for the prompt anwser. I am currently using aistorage/cluster-minimal:latest and there is no new version available. Should I switch to aistorage/aisnode ?

arnaudbriche commented 2 weeks ago

Just rebuild the image by myself. It works. Thx