ACL checks are not sufficient for checking access. Access is falsely denied when bucket policy is used. #133
Conversation
…rovider.exists() checks if bucket exists when using root path
Hi @electricsam, thank you for your contribution! Would you mind signing the ICLA, as described in the Legal section of our wiki? Also, please feel free to join our chat channel if you'd like to learn more about the project and/or find out what else you could help with. Kind regards, Martin
@ptirador, @elerch, @markjschreiber, @pditommaso, could you please review this? :)
Hi Martin,
I filled out the ICLA and sent it.
Cheers,
Chris
Chris Slater
Lead Software Engineer
Cooperative Institute for Research in Environmental Sciences (CIRES) at
University of Colorado Boulder and
NOAA National Centers for Environmental Information
325 Broadway, NOAA E/GC3
Boulder, Colorado 80305-3337
E-mail: christopher.r.slater@colorado.edu
Office: 1B605, NOAA David Skaggs Research Center
On Dec 10, 2020, at 9:08 AM, Martin Todorov <notifications@github.com> wrote:
Thanks a lot, @electricsam! I can confirm I have received it. :)
Thanks for this pull request! Would you mind applying the cosmetic code style changes I have raised?
Many thanks in advance! :)
Hi @electricsam,
Thanks for this pull request! Would you mind applying the changes that I requested?
Apart from these, LGTM!
CC @carlspring
Co-authored-by: Pablo Tirado <pablotr87@gmail.com>
LGTM! :)
Thank you very much, @electricsam! Congratulations on your first pull request with our project! :)
Pull Request Description
Using ACLs to check for object access is not sufficient. The bucket policy can override the ACL. This can be a problem when accessing a public bucket in a different account where ACLs are not configured. In general, AWS recommends using bucket policies over ACLs.
These changes remove the ACL check and simply check whether the object exists for the given user. If that user cannot read or write that object, the error surfaces when that action is attempted.
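The approach described above, as an added illustration and not s3fs-nio's own `S3FileSystemProvider` code: the check probes the object (or the bucket, for the root path) with the caller's credentials, so it is authorised by the same combination of ACL, bucket policy and IAM policy that will govern the later read or write. The class and method names are assumed; the AWS SDK v2 `S3Client` calls are real.

```java
import java.io.IOException;
import java.nio.file.AccessDeniedException;
import java.nio.file.AccessMode;
import java.nio.file.NoSuchFileException;

import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.HeadBucketRequest;
import software.amazon.awssdk.services.s3.model.HeadObjectRequest;
import software.amazon.awssdk.services.s3.model.S3Exception;

/** Hypothetical helper (assumed name); illustrates the probe-based check, not the project's code. */
public final class ProbeAccessCheck
{
    private ProbeAccessCheck() {}

    /**
     * Verifies existence only. The requested modes are deliberately not evaluated
     * against the ACL: a bucket in another account may grant access purely through
     * its bucket policy, in which case the ACL would report a false denial.
     */
    public static void checkAccess(S3Client s3, String bucket, String key, AccessMode... modes)
            throws IOException
    {
        try
        {
            if (key == null || key.isEmpty())
            {
                // Root path: only the bucket itself can be probed.
                s3.headBucket(HeadBucketRequest.builder().bucket(bucket).build());
            }
            else
            {
                s3.headObject(HeadObjectRequest.builder().bucket(bucket).key(key).build());
            }
        }
        catch (S3Exception e)
        {
            // Caveat: without s3:ListBucket, S3 answers a missing key with 403, not 404,
            // so a 403 here may mean "not found" as well as "forbidden".
            switch (e.statusCode())
            {
                case 404: throw new NoSuchFileException(bucket + "/" + key);
                case 403: throw new AccessDeniedException(bucket + "/" + key);
                default:  throw new IOException(e);
            }
        }
        // READ/WRITE are left to the actual operation, which fails with the
        // service's own error if the caller is not permitted.
    }
}
```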
Acceptance Test
mvn clean install -Pintegration-tests
still works.
Questions
Does this pull request break backward compatibility?
Does this pull request require other pull requests to be merged first?
Does this require an update of the documentation?