geesefs drops credentials when bucket is public

Open kabachook opened this issue 2 years ago • 3 comments

geesefs drops credentials when YC bucket is public

# geesefs -f  --debug_s3 --debug --iam <redacted> <redacted>
2022/05/21 21:16:27.491339 s3.INFO Successfully acquired IAM Token
2022/05/21 21:16:27.524579 s3.DEBUG HEAD https://storage.yandexcloud.net/<redacted> = 200 []
2022/05/21 21:16:27.524613 s3.DEBUG X-Amz-Request-Id = [XXXXXX]
2022/05/21 21:16:27.524643 s3.DEBUG Server = [nginx]
2022/05/21 21:16:27.524658 s3.DEBUG Date = [Sat, 21 May 2022 21:16:27 GMT]
2022/05/21 21:16:27.524672 s3.DEBUG Content-Type = [application/xml]
2022/05/21 21:16:27.524686 s3.INFO anonymous bucket detected

Probable cause: https://github.com/yandex-cloud/geesefs/blob/c4861e0f1aa3c40d8ec4988814b0a6079705aedd/internal/backend_s3.go#L276-L278

Current fix: set --profile 1

kabachook, May 21 '22 21:05

Hi, it's intended to work like this, partly because anonymous bucket auto-detection functionality was there since goofys :-)

vitalif, May 24 '22 11:05

But I would like to upload some files using bound service account credentials, although the bucket is public. So I should file an issue in goofys and then ask to merge from the upstream?

kabachook, May 26 '22 13:05

> But I would like to upload some files using bound service account credentials, although the bucket is public. So I should file an issue in goofys and then ask to merge from the upstream?

No, we can fix it here of course :-) For example I can add an option to explicitly disable anonymous access.

vitalif, May 27 '22 15:05
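
A minimal model of the behaviour discussed in this thread, added here as an illustration and not taken from geesefs or goofys: an unsigned probe that succeeds causes the credentials to be dropped, so a later write to a public-read bucket is refused. It assumes the startup probe is an unsigned HEAD and uses a bearer header as a stand-in for request signing; `publicBucket`, `do`, `mount` and the `detectAnon` switch are hypothetical names.

```go
package main

import (
	"fmt"
	"net/http"
)

// publicBucket (constructed): unsigned HEAD gets 200, unsigned PUT gets 403.
type publicBucket struct{}

func (publicBucket) RoundTrip(r *http.Request) (*http.Response, error) {
	code := http.StatusOK
	if r.Method == http.MethodPut && r.Header.Get("Authorization") == "" {
		code = http.StatusForbidden
	}
	return &http.Response{StatusCode: code, Body: http.NoBody, Request: r}, nil
}

// do sends one request, attaching the token only when one is held.
func do(c *http.Client, method, url, token string) (int, error) {
	req, err := http.NewRequest(method, url, nil)
	if err != nil {
		return 0, err
	}
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	resp, err := c.Do(req)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// mount returns the token later requests carry; detectAnon is a hypothetical switch.
func mount(c *http.Client, url, token string, detectAnon bool) string {
	if code, err := do(c, http.MethodHead, url, ""); detectAnon && err == nil && code == http.StatusOK {
		return "" // "anonymous bucket detected": credentials dropped
	}
	return token
}

func main() {
	c := &http.Client{Transport: publicBucket{}}
	for _, detect := range []bool{true, false} {
		code, _ := do(c, http.MethodPut, "https://bucket.example/obj", mount(c, "https://bucket.example", "constructed-token", detect))
		fmt.Println("detectAnon:", detect, "PUT status:", code)
	}
}
```

With detection on, the PUT goes out unsigned and is refused; with it off, the same mount keeps the token and the upload is accepted.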