versitygw
multi-tenant posix permission enforcement
Describe the solution you'd like
The gateway typically runs as root, so it provides full access to anything below the gateway root directory, limited only by bucket ownership and ACLs. You can run the gateway as a user, but then all newly created files will be owned by that user. And that user must have access to all files/directories below the root directory.
The IAM multi-tenant store allows setting uid/gid for each user. It would be great if we could add the option to enable a permissions check in the posix backend to return access denied for requests that the uid/gid wouldn't have local permissions to.
It would be good for this to support both unix permissions and posix ACLs.
The GET check could look at the file permissions directly and determine if that user should have read access to the file.
The PUT check might need to check the bucket, or the closest existing parent directory.
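A sketch of the GET and PUT checks proposed above, added here as an illustration and not versitygw code. The names `allowed`, `checkPath`, `CheckGet` and `CheckPut` are hypothetical, and it assumes Linux (`syscall.Stat_t`) and evaluates classic mode bits only, not supplementary groups or posix ACLs.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"syscall"
)

const wantR, wantW, wantX = 4, 2, 1 // bits within one rwx triplet

// allowed picks owner, group or other bits; no supplementary groups or ACLs.
func allowed(mode fs.FileMode, fUID, fGID, uid, gid, want uint32) bool {
	p := uint32(mode.Perm()) // "other" triplet unless owner/group matches
	if uid == fUID {
		p >>= 6
	} else if gid == fGID {
		p >>= 3
	}
	return uid == 0 || p&want == want // uid 0 bypasses mode bits
}

// checkPath stats path (Linux Stat_t) and tests the tenant uid/gid against it.
func checkPath(path string, uid, gid, want uint32) error {
	fi, err := os.Stat(path)
	if err != nil {
		return err
	}
	if st := fi.Sys().(*syscall.Stat_t); !allowed(fi.Mode(), st.Uid, st.Gid, uid, gid, want) {
		return fs.ErrPermission
	}
	return nil
}

// CheckGet requires read permission on the object file itself.
func CheckGet(obj string, uid, gid uint32) error { return checkPath(obj, uid, gid, wantR) }

// CheckPut requires write+search on the closest existing parent directory.
func CheckPut(obj string, uid, gid uint32) error {
	for dir := filepath.Dir(obj); ; dir = filepath.Dir(dir) {
		err := checkPath(dir, uid, gid, wantW|wantX)
		if !errors.Is(err, fs.ErrNotExist) || dir == filepath.Dir(dir) {
			return err
		}
	}
}

func main() { fmt.Println(CheckGet(os.Args[0], 65534, 65534)) } // constructed ids
```

The owner triplet is used whenever the uid matches, even if the group or other bits are more permissive, which mirrors how the kernel orders the comparison. The result reflects the file state at the time of the check, so a backend using it would still rely on bucket ownership and ACL checks for the request as a whole.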