noobaa-core: Bucket Policy Condition to access Specific VersionID #8776

Open
wants to merge 1 commit into base: master

Conversation

@aspandey (Contributor) commented Feb 7, 2025

We need to implement a policy check so that a user can access only a specific version of an object for a given account.

JIRA: https://issues.redhat.com/browse/MCGI-264

Testing -

1 - Create two accounts, A1 and A2
2 - Create a bucket for A1 - "A1Bucket"
3 - Enable versioning on A1Bucket
4 - Create an object "A1object" in A1Bucket and upload the same object 3 times after some changes. This will create an object with 3 version IDs
5 - Create a policy for A1Bucket/A1object so that the second account "A2" can access only one version ID of A1Bucket/A1object

Example: https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazon-s3-policy-keys.html#getobjectversion-limit-access-to-specific-version-3

6 - Try to access A1Bucket/A1object with the A2 account, providing the same version ID - it should be accessible.
7 - Try to access A1Bucket/A1object with the A2 account, providing either of the other two version IDs - it should NOT be accessible.

Commands and other instructions for testing -

Create "ironman" and "batman" user accounts and set up s3 credentials

Enable bucket versioning to make sure that different versions of the same object are created and kept

s3-ironman s3api put-bucket-versioning --bucket iron.bucket --versioning-configuration Status=Enabled

upload the object three times (one version per upload)

echo "1 - This is the content of iron-allow.txt " | s3-ironman s3 cp - s3://iron.bucket/iron-allow.txt
echo "2 - This is the content of iron-allow.txt " | s3-ironman s3 cp - s3://iron.bucket/iron-allow.txt
echo "3 - This is the content of iron-allow.txt " | s3-ironman s3 cp - s3://iron.bucket/iron-allow.txt

get object versions

s3-ironman s3api list-object-versions --bucket iron.bucket --prefix iron-allow.txt

Policy to grant access permission on a specific version

[root@d677568b1abc policy]# cat new_bucket_policy.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "statement1",
            "Effect": "Allow",
            "Principal": { "AWS": [ "batman" ] },
            "Action": "s3:*",
            "Resource": [ "arn:aws:s3:::iron.bucket/iron-deny.txt" ]
        },
        {
            "Sid": "statement2",
            "Effect": "Allow",
            "Principal": { "AWS": [ "batman" ] },
            "Action": "s3:GetObjectVersion",
            "Resource": [ "arn:aws:s3:::iron.bucket/iron-allow.txt" ]
        },
        {
            "Sid": "statement3",
            "Effect": "Deny",
            "Principal": { "AWS": [ "batman" ] },
            "Action": "s3:GetObjectVersion",
            "Resource": [ "arn:aws:s3:::iron.bucket/iron-allow.txt" ],
            "Condition": {
                "StringNotEquals": {
                    "s3:VersionId": "mtime-d7l8fybz78qo-ino-tl5m"
                }
            }
        }
    ]
}

statement1 gives batman full access on iron-deny.txt; statement2 and statement3 together let batman read iron-allow.txt only through s3:GetObjectVersion with the one listed version ID. (That note is kept outside the file: the policy must be valid JSON, which does not allow // comments.)

put bucket policy

s3-ironman s3api put-bucket-policy --bucket iron.bucket --policy file://new_bucket_policy.json

get object by version id (by other user)

s3-batman s3api get-object --bucket iron.bucket --key iron-allow.txt /tmp/iron-allow-id --version-id 'mtime-d7l8fybz78qo-ino-tl5m'
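The allow/deny outcome of the three statements above is easier to see when the evaluation is run end to end. The block below is an added example, not noobaa-core code: a minimal bucket-policy evaluator that handles the `s3:VersionId` condition under the usual IAM rules (an explicit Deny wins over any Allow; with no matching Allow the request is denied) and replays the test steps from the PR description against the policy. Assumed, and not taken from the page: the request-to-action mapping (a GET with `?versionId=` is `s3:GetObjectVersion`, without it `s3:GetObject`), the negated-operator rule for a missing key, and the two "other" version IDs, which are constructed placeholders.

```javascript
// Added example, not noobaa-core code: a minimal evaluator for the bucket
// policy above. Assumptions: GET with ?versionId= maps to s3:GetObjectVersion
// (without it, s3:GetObject); a negated operator treats a missing request key
// as a match; the "other" version IDs below are constructed placeholders.

const policy = {
  Version: '2012-10-17',
  Statement: [
    { Sid: 'statement1', Effect: 'Allow', Principal: { AWS: ['batman'] },
      Action: 's3:*', Resource: ['arn:aws:s3:::iron.bucket/iron-deny.txt'] },
    { Sid: 'statement2', Effect: 'Allow', Principal: { AWS: ['batman'] },
      Action: 's3:GetObjectVersion',
      Resource: ['arn:aws:s3:::iron.bucket/iron-allow.txt'] },
    { Sid: 'statement3', Effect: 'Deny', Principal: { AWS: ['batman'] },
      Action: 's3:GetObjectVersion',
      Resource: ['arn:aws:s3:::iron.bucket/iron-allow.txt'],
      Condition: { StringNotEquals: { 's3:VersionId': 'mtime-d7l8fybz78qo-ino-tl5m' } } },
  ],
};

const toList = (x) => (Array.isArray(x) ? x : [x]);

// Condition operators. A positive operator never matches a missing request
// key; a negated one (StringNotEquals) treats a missing key as a match
// (assumed here to mirror IAM's negated-operator semantics).
const OPERATORS = {
  StringEquals: (req, pol) => req !== undefined && req === pol,
  StringNotEquals: (req, pol) => req === undefined || req !== pol,
};

// '*' wildcard matching for Action ('s3:*') and Resource ARNs.
function globMatch(pattern, str) {
  const parts = pattern.split('*').map((s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + parts.join('.*') + '$').test(str);
}

function principalMatch(principal, account) {
  if (principal === '*') return true;
  return toList(principal.AWS).some((p) => p === '*' || p === account);
}

function conditionMatch(condition, context) {
  if (!condition) return true;
  return Object.entries(condition).every(([op, kv]) => {
    const fn = OPERATORS[op];
    if (!fn) throw new Error(`unsupported condition operator: ${op}`);
    // Several values for one key are OR-ed, as in IAM.
    return Object.entries(kv).every(([key, vals]) =>
      toList(vals).some((v) => fn(context[key], v)));
  });
}

// Returns 'ALLOW' or 'DENY'. Bucket-owner privileges sit outside the
// policy and are not modelled here.
function evaluate(pol, { account, action, resource, context = {} }) {
  let allowed = false;
  for (const st of pol.Statement) {
    if (!principalMatch(st.Principal, account)) continue;
    if (!toList(st.Action).some((a) => globMatch(a, action))) continue;
    if (!toList(st.Resource).some((r) => globMatch(r, resource))) continue;
    if (!conditionMatch(st.Condition, context)) continue;
    if (st.Effect === 'Deny') return 'DENY'; // explicit deny wins
    allowed = true;
  }
  return allowed ? 'ALLOW' : 'DENY';
}

// Maps an S3 GET to the action and request context the policy sees.
function evaluateGet(pol, account, bucket, key, versionId) {
  const versioned = versionId !== undefined;
  return evaluate(pol, {
    account,
    action: versioned ? 's3:GetObjectVersion' : 's3:GetObject',
    resource: `arn:aws:s3:::${bucket}/${key}`,
    context: versioned ? { 's3:VersionId': versionId } : {},
  });
}

// The test steps from the PR description, replayed against the policy.
function runScenario() {
  const pinned = 'mtime-d7l8fybz78qo-ino-tl5m';
  const others = ['mtime-other-version-1', 'mtime-other-version-2']; // constructed
  const get = (key, v) => evaluateGet(policy, 'batman', 'iron.bucket', key, v);
  return {
    pinnedVersion: get('iron-allow.txt', pinned),            // 'ALLOW'
    otherVersions: others.map((v) => get('iron-allow.txt', v)), // ['DENY', 'DENY']
    latestNoVersionId: get('iron-allow.txt'),                 // 'DENY' (s3:GetObject not granted)
    denyTxtAnyVersion: get('iron-deny.txt', others[0]),       // 'ALLOW' (s3:* on iron-deny.txt)
  };
}

console.log(runScenario());
```

Note that the unversioned GET is denied only because statement2 grants nothing but `s3:GetObjectVersion`; a policy that also allowed `s3:GetObject` would hand out the latest version untouched by statement3, since that Deny is scoped to `s3:GetObjectVersion`.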

};

const supported_actions = {
's3:ExistingObjectTag': ['s3:DeleteObjectTagging', 's3:DeleteObjectVersionTagging', 's3:GetObject', 's3:GetObjectAcl', 's3:GetObjectTagging', 's3:GetObjectVersion', 's3:GetObjectVersionTagging', 's3:PutObjectAcl', 's3:PutObjectTagging', 's3:PutObjectVersionTagging'],
's3:x-amz-server-side-encryption': ['s3:PutObject']
's3:x-amz-server-side-encryption': ['s3:PutObject'], 's3:VersionId': ['s3:GetObjectVersion']
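Review bot: the last line of the hunk appends `'s3:VersionId': ['s3:GetObjectVersion']` to the same line as the `s3:x-amz-server-side-encryption` entry, so the map no longer reads one condition key per line like the `s3:ExistingObjectTag` entry above it; put the new key on its own line with a trailing comma, e.g. `'s3:x-amz-server-side-encryption': ['s3:PutObject'],` followed by `'s3:VersionId': ['s3:GetObjectVersion'],`.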
Contributor
can you move it to a new line, so it will be separated from the s3:x-amz-server-side-encryption condition

Contributor Author
done

};

const supported_actions = {
's3:ExistingObjectTag': ['s3:DeleteObjectTagging', 's3:DeleteObjectVersionTagging', 's3:GetObject', 's3:GetObjectAcl', 's3:GetObjectTagging', 's3:GetObjectVersion', 's3:GetObjectVersionTagging', 's3:PutObjectAcl', 's3:PutObjectTagging', 's3:PutObjectVersionTagging'],
's3:x-amz-server-side-encryption': ['s3:PutObject']
's3:x-amz-server-side-encryption': ['s3:PutObject'], 's3:VersionId': ['s3:GetObjectVersion']
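Review bot: `s3:VersionId` is registered for `s3:GetObjectVersion` only, while the `s3:ExistingObjectTag` entry in the same hunk shows that other version-addressed actions (`s3:GetObjectVersionTagging`, `s3:PutObjectVersionTagging`, `s3:DeleteObjectVersionTagging`) are already routed through this table; a Deny keyed on `s3:VersionId` will therefore not constrain those actions. If that narrowing is intentional for this change, say so in a code comment next to the entry so the gap is not mistaken for an oversight.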
@nadavMiz (Contributor) commented Feb 9, 2025

did you check that there are no other actions that are supported for this condition. see https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html#amazons3-policy-keys

Contributor Author

There are actions which can be supported. For now, as per the scope, I am including only this one.

async function _is_object_version_fit(req, predicate, value) {
const version_id = req.query.versionId;
const res = predicate(version_id, value);
dbg.log1('Condition statement for version-id, res :', version_id, res);
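Review bot: the log line at the end of the hunk records `version_id` and `res` but not `value`, so a failed or unexpectedly accepted condition cannot be diagnosed from the log; add `value` to the log call. Also state in a comment what the predicate receives when the request carries no `versionId` query parameter (`req.query.versionId` is `undefined` then), since positive and negated condition operators must treat a missing key differently and the caller's behaviour is not visible here.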
Contributor

can you add value to the log, so we will be able to compare version ids to see why the condition failed/accepted

Contributor Author

done

@liranmauda liranmauda requested a review from shirady February 9, 2025 09:46
@aspandey aspandey force-pushed the access_object_version branch from 3a3bc99 to 54c2d26 Compare February 11, 2025 07:41
@pull-request-size pull-request-size bot added size/L and removed size/S labels Feb 11, 2025
@aspandey aspandey force-pushed the access_object_version branch 15 times, most recently from f55e635 to ffc85d9 Compare February 14, 2025 07:43
We need to implement a policy check so that a user can access
only a specific version of an object for a given account

JIRA: https://issues.redhat.com/browse/MCGI-264

Signed-off-by: Ashish Pandey <[email protected]>
@aspandey aspandey force-pushed the access_object_version branch from ffc85d9 to 225ba33 Compare February 14, 2025 08:08