noobaa-core
GAP - when setting an allow bp - it should allow access even if the bucket is not allowed for this account
Environment info
- NooBaa Version: VERSION
- Platform: Kubernetes 1.14.1 | minikube 1.1.1 | OpenShift 4.1 | other: specify
Actual behavior
- Following AWS logic: if a resource-based policy allows access to a resource (a bucket, in our case), access should be allowed no matter what's going on in other permissions logic (ACLs in Amazon, or allowed buckets in NooBaa),
- unless there is a specific deny, which always wins (we don't have any deny logic): https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
Expected behavior
- An allow statement should allow access to buckets that are not in the allowed list.
Steps to reproduce
More information - Screenshots / Logs / Other output
The current state of the bucket_policy checks is invalid. We do not actually do anything with the checks there; they are implemented without actually doing anything. The decision is based on two flows: we either explicitly deny in the bucket_policy configuration, or we rely on allowed_buckets for our permissions. This means that we do not care about an explicit allow or an implicit deny. Even if the user has an explicit allow but is not allowed in allowed_buckets, it will fail.
You are correct about the allow, which is bad. About the implicit deny, we are doing what is expected: if the bucket is not in the allowed buckets for the account, we deny access (implicitly). If there isn't anything explicit in the bp, the allowed buckets are supposed to decide whether to allow or deny.
Fixed with the removal of allowed buckets in #6998.
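The two decision flows discussed in this thread, side by side, as an added example that is not NooBaa's code. The policy documents follow the AWS bucket-policy shape, with `Principal` simplified to a plain account name; the `account.allowed_buckets` field, the bucket names, the account name and the helper names are assumptions for illustration. The `shared` bucket reproduces the reported gap: an explicit Allow in the bucket policy for a bucket that is not in the account's allowed list.

```javascript
// Added example (not NooBaa's code): the two decision flows discussed in the
// issue, side by side. Policy documents follow the AWS bucket-policy shape,
// with Principal simplified to a plain account name; account.allowed_buckets
// and all sample data below are constructed for illustration.

// Does one policy statement apply to this (principal, action, bucket)?
// Resource matching accepts the bucket ARN itself or its object-level form.
function statementMatches(stmt, principal, action, bucket) {
  const principals = [].concat(stmt.Principal);
  const actions = [].concat(stmt.Action);
  const resources = [].concat(stmt.Resource);
  const bucketArn = `arn:aws:s3:::${bucket}`;
  const principalOk = principals.includes('*') || principals.includes(principal);
  const actionOk = actions.some(a =>
    a === '*' || a === action || (a.endsWith('*') && action.startsWith(a.slice(0, -1))));
  const resourceOk = resources.some(r =>
    r === '*' || r === bucketArn || r === `${bucketArn}/*`);
  return principalOk && actionOk && resourceOk;
}

function matchingStatements(policy, principal, action, bucket) {
  const stmts = policy ? policy.Statement : [];
  return stmts.filter(s => statementMatches(s, principal, action, bucket));
}

// Order from the AWS evaluation-logic page linked in the issue: an explicit
// Deny always wins, then an explicit Allow grants, otherwise implicit deny.
// The account's allowed_buckets list only matters when the policy is silent.
function evaluateAws(policy, account, action, bucket) {
  const matching = matchingStatements(policy, account.name, action, bucket);
  if (matching.some(s => s.Effect === 'Deny')) return 'EXPLICIT_DENY';
  if (matching.some(s => s.Effect === 'Allow')) return 'ALLOW';
  if (account.allowed_buckets.includes(bucket)) return 'ALLOW';
  return 'IMPLICIT_DENY';
}

// The flow the thread describes as the current (broken) state: an explicit
// Deny is honoured, but an explicit Allow is never consulted and
// allowed_buckets decides everything else.
function evaluateFlawed(policy, account, action, bucket) {
  const matching = matchingStatements(policy, account.name, action, bucket);
  if (matching.some(s => s.Effect === 'Deny')) return 'EXPLICIT_DENY';
  if (account.allowed_buckets.includes(bucket)) return 'ALLOW';
  return 'IMPLICIT_DENY';
}

// Constructed sample data (hypothetical account and buckets).
const account = { name: 'alice', allowed_buckets: ['reports', 'logs'] };
const bucketPolicies = {
  // explicit Allow for alice, but 'shared' is NOT in her allowed_buckets
  shared: { Version: '2012-10-17', Statement: [
    { Effect: 'Allow', Principal: 'alice', Action: 's3:GetObject', Resource: 'arn:aws:s3:::shared/*' },
  ] },
  // explicit Deny for everyone, even though 'reports' IS in allowed_buckets
  reports: { Version: '2012-10-17', Statement: [
    { Effect: 'Deny', Principal: '*', Action: 's3:*', Resource: 'arn:aws:s3:::reports/*' },
  ] },
  // 'logs' and 'private' carry no bucket policy at all
};

function decide(evaluator, bucket, action = 's3:GetObject') {
  return evaluator(bucketPolicies[bucket] || null, account, action, bucket);
}

// Side-by-side table of decisions; the 'shared' row is the reported gap.
function compare() {
  const rows = {};
  for (const bucket of ['shared', 'reports', 'logs', 'private']) {
    rows[bucket] = { aws: decide(evaluateAws, bucket), flawed: decide(evaluateFlawed, bucket) };
  }
  return rows;
}

console.table(compare());
```

Run with `node`. The `shared` row shows the two flows disagreeing (ALLOW under the AWS order, IMPLICIT_DENY under the flawed one); the `reports` row shows that an explicit Deny wins in both, regardless of allowed_buckets; `logs` and `private` show allowed_buckets deciding only when the bucket policy says nothing.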