Account with NotPrincipal should explicitly provide permission #8782
Conversation
|
@vh05 please add tests in the file "test_s3_bucket_policy.js" |
|
@vh05 I would also start with testing on AWS the steps that are expected to happen before we change it our logs. Please also add the full testing instructions that you manually did so we can understand what was done (you can add as comment if you prefer). |
|
@vh05 from what I understand this issue is not related to "deny statement using NotPrincipal". can you pleas change the PR name and description to reflect what you are actually doing here |
Sorry for the delayed response. I have updated the patch. Now the fix and the issue description matches I think |
| Key: KEY, | ||
| }); | ||
|
|
||
| await assert_throws_async(s3_a.putObject({ |
There was a problem hiding this comment.
Why? I thought s3_a is the only user that can put object?
There was a problem hiding this comment.
The account added in NotPrincipal is allowed on the Action. It is like excluding everyone other than account added as NotPrincipal
There was a problem hiding this comment.
When you use assert_throws_async it is expected to throw an error.
As you mentioned the user_a is allowed on the action, then you probably need to run it without this function on s3_a and can run it on another user.
There was a problem hiding this comment.
Yeah. That expression should be with user_b not user_a. My bad
There was a problem hiding this comment.
What about fixing the test should be able to use notPrincipal it is in the scope of this PR?
There was a problem hiding this comment.
NotPrincipal with Allow is not expected operation as per aws doc
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html
from AWS:
NotPrincipal must be used with "Effect":"Deny". Using it with "Effect":"Allow" is not supported.
There was a problem hiding this comment.
I agree, it is something that would be fixed in your suggested fix?
| @@ -146,18 +146,31 @@ async function _is_object_version_fit(req, predicate, value) { | |||
| return res; | |||
| } | |||
|
|
|||
| async function has_bucket_policy_permission(policy, account, method, arn_path, req) { | |||
| async function has_bucket_policy_permission(policy, account, method, arn_path, req, account_identifier_type = 'id') { | |||
There was a problem hiding this comment.
Why did you choose to have id as default?
the id is currently only in NC.
Please add JSDoc to this function or a comment about the options of account_identifier_type. I think using a enum can help us.
There was a problem hiding this comment.
IIUC, the id is considered to solve issues regarding account name and thats the updated one. We are giving exception to name parameter.
I think using a enum can help us
I feel it is for default argument, string is fine
There was a problem hiding this comment.
As you can see in the Jira ticket, it is not solving it completely.
I didn't understand the quote; was it not clear? I meant to add enum so it will be easier to understand the options that we can use.
| // If the account is categorized as "Not Principal," we need to ALLOW operations | ||
| // for that account under the associated principal. | ||
| // | ||
| // To maintain backward compatibility, we also support name-based comparison for principal matching. | ||
| // | ||
| // - If `account_identifier_type` is "id" but the `account` parameter contains a name, | ||
| // we return `false` to proceed/bypass to the next step, where we check for a name match. | ||
| // | ||
| // - In the next step, if `account_identifier_type` is "name" and the `account` also contains a name, | ||
| // we return the actual value. |
There was a problem hiding this comment.
What if the allow is by ids and the deny is by names?
You can add it a test case.
What will happen when we support ARN, it will be more complex.
There was a problem hiding this comment.
What if the allow is by ids and the deny is by names?
Is that test case required. IIUC the name is for backward compatibility and the fix almost like a workaround than a feature
There was a problem hiding this comment.
The name is another option, we decided to not remove this to be backward compatible.
Anyway, it is a valid option, and in the containerized it is the only option.
vh05
force-pushed
the
DFBUGS-1519
branch
5 times, most recently
from
48d71ef to
25191b9
Compare
vh05
changed the title
vh05
force-pushed
the
DFBUGS-1519
branch
3 times, most recently
from
c8a46a9 to
e917402
Compare
vh05
force-pushed
the
DFBUGS-1519
branch
3 times, most recently
from
11caeca to
3d7a476
Compare
This is the bucket policy with below combination
```
Effect : DENY,
Action: $OPERATION,
NotPrincipal: $ACCOUNT
```
The permission on the "Action" for the $ACCOUNT mentioned in the
"NotPrincipal" should be explicitly given.
Example: For "Action: get_object", if we want to DENY permission
for * (all accounts) and we want to give explicit permission to
any one or few accounts, then we can include that account as
part of part of "NotPrincipal"
Check DFBUGS-1519 for steps to reproduce the issue
Fixes: https://issues.redhat.com/browse/DFBUGS-1519
Signed-off-by: Vinayakswami Hariharmath <[email protected]>
This is the bucket policy with below combination
The permission on the "Action" for the $ACCOUNT mentioned in the "NotPrincipal" should be explicitly given.
Example: For "Action: get_object", if we want to DENY permission for * (all accounts) and we want to give explicit permission to any one or few accounts, then we can include that account as part of part of "NotPrincipal"
Check DFBUGS-1519 for steps to reproduce the issue
Fixes: https://issues.redhat.com/browse/DFBUGS-1519