google-storage-plugin

Is devstorage.full_control really necessary?

Open Shtutnik opened this issue 7 years ago • 2 comments

Hi,

Wouldn't 'devstorage.read_write' be enough for this plugin?

Is there any chance someone could check this?

Shtutnik, Dec 06 '18 10:12

I've just looked into this. devstorage.read_write is sufficient for the upload and download steps. It is not sufficient for the "Bucket Lifecycle" step.

One thing we'll need to do is to limit the StorageScopeRequirement to the devstorage.read_write permission, then create another scope requirement with devstorage.full_control, and change the @RequiresDomain annotation on the ExpiringBucketLifecycleManagerStep. There's probably more that needs to be changed.

stephenashank, Sep 27 '19 22:09

Any progress on this issue? My security folks give serious side eye for full_control but are much more tolerant for read_write. Being able to avoid their side eye is a goal I've been able to maintain for a while and is something I'd like to continue doing :-)

dylan-tock, Oct 25 '22 14:10