Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow console to recognize s3.DeleteObject* #3497

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Allow console to recognize s3.DeleteObject* #3497

wants to merge 1 commit into from
+12 −4

Conversation

allanrogerr
Copy link
Contributor

@allanrogerr allanrogerr commented Jan 27, 2025
edited
Loading

Issue

Console searches for the precise policy s3:DeleteObject when allowing a delete of an object or prefix. If a user specifies the usage of the superset s3:DeleteObject*, console will disallow delete, even though this is allowed by api.

This PR allows a user attached to a policy defined with s3:DeleteObject* to be able to delete this object through the Console UI.

How to test

1.- Define infrastructure

mc rb <alias>/bucket-name --force --dangerous
mc mb <alias>/bucket-name

mc cp <file> <alias>/bucket-name/test/hosts

2.- Create a user with restricted privileges using s3:DeleteObject*
e.g.

cat << EOF > bucketpolicy.json
{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Effect": "Allow",
           "Action": [
               "s3:ListBucket",
               "s3:ListAllMyBuckets",
               "s3:GetBucketVersioning",
               "s3:DeleteObject*",
               "s3:ListBucketVersions",
               "s3:GetObject*",
               "s3:PutObject*"
           ],
           "Resource": [
               "arn:aws:s3:::bucket-name",
               "arn:aws:s3:::bucket-name/*"
           ]
       }
   ]
}
EOF

mc admin user rm <alias> test-user
mc admin user add <alias> test-user test-usertest-user
mc alias set test-user <endpoint> test-user test-usertest-user

mc admin policy create <alias> test-policy bucketpolicy.json
mc admin policy detach <alias> test-policy --user test-user
mc admin policy attach <alias> test-policy --user test-user

3.- Login to the UI as test-user and successfully delete the uploaded file

fixes #3217

@allanrogerr allanrogerr self-assigned this Jan 27, 2025
@allanrogerr allanrogerr marked this pull request as ready for review January 27, 2025 20:30
@bayasdev
Copy link
Contributor

@allanrogerr could you please take a look at the failing test? Thanks!

@allanrogerr
Copy link
Contributor Author

@allanrogerr could you please take a look at the failing test? Thanks!

It has been failing for > 1 month:
https://github.com/minio/console/actions/runs/12928151749
https://github.com/minio/console/actions/runs/12760775372
https://github.com/minio/console/actions/runs/12550431089
...

Not sure what broke earlier @bayasdev

@allanrogerr
Copy link
Contributor Author

@allanrogerr could you please take a look at the failing test? Thanks!

I will take a look in a subsequent PR.

@prakashsvmx
Copy link
Member

@allanrogerr , Please note , the action needs to be checked for :

  • Deleting versions
  • Deleting Object tags
  • s3:DeleteObjectTagging , s3:DeleteObjectVersion , s3:DeleteObjectVersionTagging these are the action matches for the s3:DeleteObject*

@cesnietor
Copy link
Collaborator

@allanrogerr , Please note , the action needs to be checked for :

  • Deleting versions
  • Deleting Object tags
  • s3:DeleteObjectTagging , s3:DeleteObjectVersion , s3:DeleteObjectVersionTagging these are the action matches for the s3:DeleteObject*

@prakashsvmx regarding your comment, is this PR not complete? were you able to test it?

@prakashsvmx
Copy link
Member

prakashsvmx commented Feb 6, 2025
edited
Loading

@cesnietor , @allanrogerr yes.,

e.g: The delete option is not present for the tag even though it is allowed (with mc and same policy the tag can be removed)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject*",
                "s3:DeleteObject*",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:ListBucketVersions",
                "s3:PutObjectTagging",
                "s3:GetBucketVersioning",
                "s3:GetObject*",
                "s3:GetObjectTagging"
            ],
            "Resource": [
                "arn:aws:s3:::test-bucket",
                "arn:aws:s3:::test-bucket/*"
            ]
        }
    ]
}

image

@allanrogerr
Copy link
Contributor Author

Working on it

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@prakashsvmx prakashsvmx prakashsvmx approved these changes

@bayasdev bayasdev bayasdev approved these changes

@jinapurapu jinapurapu Awaiting requested review from jinapurapu

@reivaj05 reivaj05 Awaiting requested review from reivaj05

@cesnietor cesnietor Awaiting requested review from cesnietor

@SSushmitha8 SSushmitha8 Awaiting requested review from SSushmitha8

@ramondeklein ramondeklein Awaiting requested review from ramondeklein

Assignees

@allanrogerr allanrogerr

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Policy action wildcards do not include the policy with no character after wildcard
4 participants
@allanrogerr @bayasdev @prakashsvmx @cesnietor