
Policy action wildcards do not include the policy with no character after wildcard

Open sdejong629 opened this issue 1 year ago • 6 comments

NOTE

If this case is urgent, please subscribe to Subnet so that our 24/7 support team may help you faster.

When using wildcards in a s3 policy, this does not include policy names with a null value for the wildcard after upgrading in the Minio GUI.

Expected Behavior

When you, for example, have a policy action named "s3:DeleteObject*", this should include the "s3:DeleteObject" (no *) action after upgrading to version 2024.1.16. In the GUI you can delete objects based on that policy.

Current Behavior

Users with a policy action of "s3:DeleteObject*" cannot delete objects within the GUI. You have to explicitly add "s3:DeleteObject" as a policy. This behavior has changed since our previous version.

Possible Solution

  • Should also include the actions where there are no more characters after the action name.

Steps to Reproduce (for bugs)

  1. Add a policy for a bucket
    {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "s3:ListBucket",
                   "s3:ListAllMyBuckets",
                   "s3:GetBucketVersioning",
                   "s3:DeleteObjectVersion",
                   "s3:ListBucketVersions",
                   "s3:GetObject*",
                   "s3:DeleteObject*",
                   "s3:PutObject*"
               ],
               "Resource": [
                   "arn:aws:s3:::bucket_name",
                   "arn:aws:s3:::bucket_name/*"
               ]
           }
       ]
    }
    
  2. Log on to GUI and try to add or delete objects
  3. You can't, can you?

Context

We had to add policies for every bucket in our environment after updating

Regression

Not sure what that means

Your Environment

minio version DEVELOPMENT.2024-01-16T16-07-38Z (commit-id=ca258c04cb1dea33c31fed86250eaa3d1f020ff8)
Runtime: go1.21.6 linux/amd64
License: GNU AGPLv3 https://www.gnu.org/licenses/agpl-3.0.html
Copyright: 2015-2024 MinIO, Inc.

Running in docker on Ubuntu 22.04

sdejong629 avatar Jan 25 '24 14:01 sdejong629
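Added example (not MinIO's own code): a small Go matcher that contrasts the two readings of a trailing `*` described in this report, run over the action list from the policy above. The names `policyActions`, `matchZeroOrMore`, `matchOneOrMore` and `granted` are assumed here, and `matchZeroOrMore` handles a `*` anywhere in the pattern, not only at the end.

```go
package main

import "fmt"
import "strings"

// Action list from the policy in the issue (constructed test data).
var policyActions = []string{"s3:ListBucket", "s3:ListAllMyBuckets", "s3:GetBucketVersioning",
	"s3:DeleteObjectVersion", "s3:ListBucketVersions", "s3:GetObject*", "s3:DeleteObject*", "s3:PutObject*"}

// matchZeroOrMore: each '*' matches zero or more characters, so "s3:DeleteObject*"
// covers "s3:DeleteObject". Greedy two-pointer glob; '*' may sit anywhere ("s3:*Bucket").
func matchZeroOrMore(pat, act string) bool {
	p, i, sp, si := 0, 0, -1, -1
	for i < len(act) {
		if p < len(pat) && pat[p] == act[i] {
			p, i = p+1, i+1
		} else if p < len(pat) && pat[p] == '*' {
			sp, si, p = p, i, p+1 // remember the star, try it as empty first
		} else if sp >= 0 {
			p, i, si = sp+1, si+1, si+1 // backtrack: the star eats one more char
		} else {
			return false
		}
	}
	for p < len(pat) && pat[p] == '*' {
		p++ // trailing stars may match nothing
	}
	return p == len(pat)
}

// matchOneOrMore reproduces the reported behaviour: a trailing '*' must stand
// for at least one character, so the bare prefix "s3:DeleteObject" is denied.
func matchOneOrMore(pat, act string) bool {
	bare := strings.HasSuffix(pat, "*") && act == strings.TrimSuffix(pat, "*")
	return matchZeroOrMore(pat, act) && !bare
}

// granted reports whether any pattern in the policy grants act under matcher m.
func granted(patterns []string, act string, m func(string, string) bool) bool {
	for _, p := range patterns {
		if m(p, act) {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println("s3:DeleteObject zero-or-more:", granted(policyActions, "s3:DeleteObject", matchZeroOrMore), "one-or-more:", granted(policyActions, "s3:DeleteObject", matchOneOrMore))
}
```

Under the zero-or-more reading the policy grants s3:DeleteObject; under the one-or-more reading it does not, which is the difference the report describes.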

what is ${bucket_name}? there is no such thing as ${bucket_name}. There are standard keywords you can use, but you can only do what you want here. https://github.com/minio/minio/tree/master/docs/multi-user#policy-variables

harshavardhana avatar Jan 25 '24 16:01 harshavardhana

what is ${bucket_name}? there is no such thing as ${bucket_name}. There are standard keywords you can use, but you can only do what you want here. https://github.com/minio/minio/tree/master/docs/multi-user#policy-variables

Changed it to something even more generic. That is a placeholder for terraform. Just replace it with an actual bucket name.

sdejong629 avatar Jan 26 '24 11:01 sdejong629

Will check

harshavardhana avatar Jan 26 '24 16:01 harshavardhana

S3_GET_ACTIONS: "s3:Get*",
S3_PUT_ACTIONS: "s3:Put*",
S3_ALL_LIST_BUCKET: "s3:List*",
S3_STAR_BUCKET: "s3:*Bucket",
S3_ALL_ACTIONS: "s3:*",
ADMIN_ALL_ACTIONS: "admin:*",
KMS_ALL_ACTIONS: "kms:*"

@sdejong629 as of now only the above wildcards are supported for actions.

prakashsvmx avatar Jan 29 '24 05:01 prakashsvmx

@harshavardhana are we planning to support it? this might be coming from mc client.

cesnietor avatar Jul 15 '24 16:07 cesnietor

@harshavardhana are we planning to support it? this might be coming from mc client.

what is?

harshavardhana avatar Jul 15 '24 17:07 harshavardhana