Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Additional Error Messages for KMS Key lookup on imported dataset #748

Merged
merged 1 commit into from
Sep 15, 2023
Merged

Add Additional Error Messages for KMS Key lookup on imported dataset #748

merged 1 commit into from
Sep 15, 2023

Conversation

noah-paige
Copy link
Contributor

Feature or Bugfix

  • Feature Enhancement

Detail

  • Adding additional error messages for KMS Key lookup when importing a new dataset
    • 1 Error message to determine if the KMS Key Alias Exists
    • 1 Error message to determine if the PivotRole has permissions to describe the KMS Key

Relates

Security

Please answer the questions below briefly where applicable, or write N/A. Based on
OWASP 10.

  • Does this PR introduce or modify any input fields or queries - this includes
    fetching data from storage outside the application (e.g. a database, an S3 bucket)?
    • Is the input sanitized?
    • What precautions are you taking before deserializing the data you consume?
    • Is injection prevented by parametrizing queries?
    • Have you ensured no eval or similar functions are used?
  • Does this PR introduce any functionality or component that requires authorization?
    • How have you ensured it respects the existing AuthN/AuthZ mechanisms?
    • Are you logging failed auth attempts?
  • Are you using or adding any cryptographic features?
    • Do you use a standard proven implementations?
    • Are the used keys controlled by the customer? Where are they stored?
  • Are you introducing any new policies/roles/users?
    • Have you used the least-privilege principle? How?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@noah-paige noah-paige linked an issue Sep 12, 2023 that may be closed by this pull request
KMS Key not found error during dataset import #712
Closed
@noah-paige noah-paige self-assigned this Sep 12, 2023
@noah-paige noah-paige marked this pull request as ready for review September 14, 2023 15:18
@noah-paige
Copy link
Contributor Author

Tested in AWS for the following:

  • Import Dataset with non-existing KMS Alias --> Display Proper Error Message
  • Import Dataset with no PivotRole permissions on Imported KMS Key Policy --> Display Proper Error Message
  • Import Dataset with correct KMS Alias and PivotRole permissions in Key Policy --> Successfully import dataset

@noah-paige noah-paige added this to the v2.1.0 milestone Sep 14, 2023
dlpzx
dlpzx approved these changes Sep 15, 2023
View reviewed changes
Copy link
Contributor

@dlpzx dlpzx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. Just to verify we are listing all keys(pivot role has permissions), checking in the list, if KMS key, then check pivot role permissions. Good!

@noah-paige
Copy link
Contributor Author

noah-paige commented Sep 15, 2023
edited
Loading

Looks good. Just to verify we are listing all keys(pivot role has permissions), checking in the list, if KMS key, then check pivot role permissions. Good!

Yup! - and returning 2 separate error messages for either alias does not exist or no pivot role permissions

@noah-paige noah-paige merged commit ad4ab1f into v2m1m0 Sep 15, 2023
@dlpzx dlpzx mentioned this pull request Oct 30, 2023
Merged
dlpzx added a commit that referenced this pull request Nov 8, 2023
@dlpzx @noah-paige
@dependabot @jaidisido @mourya-33 @nikpodsh @manjulaK @zsaltys @lorchda
v2.1.0 features (#840)
f917a7a 
### Feature or Bugfix
- Feature
- Bugfix
- Refactoring

### Detail

#### Features
* Limit pivot role S3 permissions by @dlpzx in
#780
* Limit pivot role KMS permissions by @dlpzx in
#830
* Add configurable session timeout to IDP by @manjulaK in
#786
* Allow to submit a share when you are both an approver and a requester
by @zsaltys in #793
* Redirect upon creating a share request by @zsaltys in
#799
* Handle Pre-filtering of tables by @anushka-singh in
#811
* Email Notification on Share Workflow - Issue - 734 by @TejasRGitHub in
#818
* Refactor notifications from core to modules by @dlpzx in
#822
* Add frontend and backend feature flags by @zsaltys in
#817
* Make hosted_zone_id optional by @lorchda in
#812

#### Fixes
* Add Additional Error Messages for KMS Key lookup on imported dataset
by @noah-paige in #748
* Handle Environment Import of IAM service roles by @noah-paige in
#749
* Build Compliant Names for Opensearch Resources by @noah-paige in
#750
* Update Lambda runtime by @nikpodsh in
#782
* Ensure valid environments for share request and other objects creation
by @dlpzx in #781
* Fix shell true semgrep by @dlpzx in
#760
* Add condition when there are no public subnets by @lorchda in
#794
* Remove unused variable by @zsaltys in
#815
* Check other share exists before clean up by @noah-paige in
#769


### Relates
- v2.1.0 minor release

## New Contributors
* @manjulaK made their first contribution in
#786
* @zsaltys made their first contribution in
#793
* @anushka-singh made their first contribution in
#811
* @TejasRGitHub made their first contribution in
#818

### Security
Please answer the questions below briefly where applicable, or write
`N/A`. Based on
[OWASP 10](https://owasp.org/Top10/en/).

- Does this PR introduce or modify any input fields or queries - this
includes
fetching data from storage outside the application (e.g. a database, an
S3 bucket)?
  - Is the input sanitized?
- What precautions are you taking before deserializing the data you
consume?
  - Is injection prevented by parametrizing queries?
  - Have you ensured no `eval` or similar functions are used?
- Does this PR introduce any functionality or component that requires
authorization?
- How have you ensured it respects the existing AuthN/AuthZ mechanisms?
  - Are you logging failed auth attempts?
- Are you using or adding any cryptographic features?
  - Do you use a standard proven implementations?
  - Are the used keys controlled by the customer? Where are they stored?
- Are you introducing any new policies/roles/users?
  - Have you used the least-privilege principle? How?


By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Noah Paige <69586985+noah-paige@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: jaidisido <jaidisido@gmail.com>
Co-authored-by: mourya-33 <134511711+mourya-33@users.noreply.github.com>
Co-authored-by: nikpodsh <124577300+nikpodsh@users.noreply.github.com>
Co-authored-by: MK <manjula_kasturi@hotmail.com>
Co-authored-by: Zilvinas Saltys <zilvinas.saltys@yahooinc.com>
Co-authored-by: Daniel Lorch <98748454+lorchda@users.noreply.github.com>
Co-authored-by: Anushka Singh <anushka.singh@yahooinc.com>
Co-authored-by: trajopadhye <tejas.rajopadhye@yahooinc.com>
@dlpzx dlpzx deleted the feat/kms-dataset-error-message branch November 8, 2023 08:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dlpzx dlpzx dlpzx approved these changes

Assignees

@noah-paige noah-paige

Labels
None yet
Projects
None yet
Milestone
v2.1.0
Development

Successfully merging this pull request may close these issues.

KMS Key not found error during dataset import
2 participants
@noah-paige @dlpzx