Prevent list bucket visilibilty created by non-admin accounts #8890
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Kaustav Majumder <kaustav.majumder@ibm.com>
ezio-auditore
force-pushed
the
nb-browser
branch
from
bfeb526 to
cf12994
Compare
ezio-auditore
commented
Mar 21, 2025
| @@ -670,14 +673,16 @@ function _get_auth_info(account, system, authorized_by, role, extra) { | |||
| * @returns {Promise<boolean>} true if the account has permission to perform the action on the bucket | |||
| */ | |||
| async function has_bucket_action_permission(bucket, account, action, req_query, bucket_path = "") { | |||
| dbg.log1('has_bucket_action_permission:', bucket.name, account.email, bucket.owner_account.email); | |||
| dbg.info('has_bucket_action_permission:', bucket.name.unwrap(),bucket.system.owner.email.unwrap(), account.email.unwrap(), bucket.owner_account.email.unwrap()); | |||
There was a problem hiding this comment.
Used Command
sh-4.2$ aws s3 ls --endpoint-url http://s3-endpoint-proxy.openshift-storage-client.svc.cluster.local
2025-03-21 09:07:05 client-bucket // client owns this bucket
2025-03-19 12:05:05 first.bucket // admin owns
2025-03-21 08:56:26 test-bucket // admin owns
[INFO] core.server.common_services.auth_server:: has_bucket_action_permission: test-bucket admin@noobaa.io storageconsumer-7a3ae305-b4cf-4547-a5af-aa1f91dbe79a admin@noobaa.io
According to the logic here, this bucket should not have been listed in the output
since account.email (storageconsumer-7a3ae305-b4cf-4547-a5af-aa1f91dbe79a ) does not equal bucket.owner_account.email (admin@noobaa.io)
@nimrod-becker @jackyalbo Any thoughts?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Describe the Problem
Explain the Changes
Issues: Fixed #xxx / Gap #xxx
Testing Instructions: