ACL checks are not sufficient for checking access. Access is falsely denied when bucket policy is used. #133
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…rovider.exists() checks if bucket exists when using root path
|
Hi @electricsam , Thank you for your contribution! Would you mind signing the ICLA, as described in the Legal section of our wiki? Also, please, feel free to join our chat channel, if you'd like to learn more about the project and/or like to find out what else you could help with. Kind regards, Martin |
|
@ptirador , @elerch, @markjschreiber, @pditommaso , Could you please review this? :) |
|
Hi Martin,
I filled out the ICLA and sent it.
Cheers,
Chris
Chris Slater
Lead Software Engineer
Cooperative Institute for Research in Environmental Sciences (CIRES) at
University of Colorado Boulder and
NOAA National Centers for Environmental Information
325 Broadway, NOAA E/GC3
Boulder, Colorado 80305-3337
E-mail: christopher.r.slater@colorado.edu<mailto:christopher.r.slater@colorado.edu>
Office: 1B605, NOAA David Skaggs Research Center
On Dec 10, 2020, at 9:08 AM, Martin Todorov <notifications@github.com<mailto:notifications@github.com>> wrote:
Hi @electricsam<https://github.com/electricsam> ,
Thank you for your contribution!
Would you mind signing the ICLA<https://5fbab373a589ce000892cbd9--s3fs-nio.netlify.app/assets/resources/pdfs/ICLA.pdf>, as described in the Legal<https://s3fs-nio.carlspring.org/contributing/legal/> section of our wiki?
Also, please, feel free to join our chat channel<https://chat.carlspring.org/channel/s3fs-nio-community>, if you'd like to learn more about the project and/or like to find out what else you could help with.
Kind regards,
Martin
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#133 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ABN2AKPL6KGLKG65VBHBNE3SUDXBLANCNFSM4UVBZVFA>.
|
|
Thanks a lot, @electricsam ! I can confirm I have received it. ) |
carlspring
reviewed
Dec 10, 2020
src/main/java/org/carlspring/cloud/storage/s3fs/S3AccessControlList.java
Show resolved
Hide resolved
carlspring
reviewed
Dec 10, 2020
src/main/java/org/carlspring/cloud/storage/s3fs/S3AccessControlList.java
Show resolved
Hide resolved
carlspring
reviewed
Dec 10, 2020
src/main/java/org/carlspring/cloud/storage/s3fs/S3FileSystemProvider.java
Show resolved
Hide resolved
carlspring
reviewed
Dec 10, 2020
src/main/java/org/carlspring/cloud/storage/s3fs/S3FileSystemProvider.java
Outdated
Show resolved
Hide resolved
carlspring
reviewed
Dec 10, 2020
src/main/java/org/carlspring/cloud/storage/s3fs/S3FileSystemProvider.java
Outdated
Show resolved
Hide resolved
carlspring
reviewed
Dec 10, 2020
src/main/java/org/carlspring/cloud/storage/s3fs/util/S3Utils.java
Outdated
Show resolved
Hide resolved
carlspring
requested changes
Dec 10, 2020
ptirador
suggested changes
Dec 11, 2020
There was a problem hiding this comment.
HI @electricsam,
Thanks for this pull request! Would you mind applying the changes that I requested?
Apart from these, LGTM!
CC @carlspring
src/test/java/org/carlspring/cloud/storage/s3fs/fileSystemProvider/CheckAccessTest.java
Outdated
Show resolved
Hide resolved
src/main/java/org/carlspring/cloud/storage/s3fs/S3AccessControlList.java
Outdated
Show resolved
Hide resolved
Co-authored-by: Pablo Tirado <pablotr87@gmail.com>
carlspring
reviewed
Dec 12, 2020
src/main/java/org/carlspring/cloud/storage/s3fs/S3AccessControlList.java
Outdated
Show resolved
Hide resolved
carlspring
reviewed
Dec 12, 2020
src/main/java/org/carlspring/cloud/storage/s3fs/S3AccessControlList.java
Show resolved
Hide resolved
carlspring
reviewed
Dec 12, 2020
src/test/java/org/carlspring/cloud/storage/s3fs/fileSystemProvider/CheckAccessTest.java
Outdated
Show resolved
Hide resolved
carlspring
reviewed
Dec 12, 2020
src/main/java/org/carlspring/cloud/storage/s3fs/util/S3Utils.java
Outdated
Show resolved
Hide resolved
|
Thank you very much, @electricsam! Congratulations on your first pull request with our project! :) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull Request Description
Using ACLs to check for object access is not sufficient. The bucket policy can override the ACL. This can be a problem when accessing a public bucket in a different account where ACLs are not configured. In general, AWS recommends using bucket policies over ACLs.
These changes remove the ACL check and simply check if object exists for the given user. If that user cannot read or write to that object, an error will happen at the time of that action.
Acceptance Test
mvn clean install -Pintegration-testsstill works.Questions
Does this pull request break backward compatibility?
Does this pull request require other pull requests to be merged first?
Does this require an update of the documentation?