Policy action wildcards do not include the policy with no character after wildcard #3217

Open
sdejong629 opened this issue Jan 25, 2024 · 11 comments · May be fixed by #3497

@sdejong629

sdejong629 commented Jan 25, 2024

When using wildcards in an s3 policy, this does not include policy names with a null value for the wildcard after upgrading in the MinIO GUI.

Expected Behavior

When you for example have a policy action named "s3:DeleteObject*", this should include "s3:DeleteObject" (no *) action after upgrading to version 2024.1.16. In the GUI you can delete objects based on that policy.

Current Behavior

Users with a policy action of "s3:DeleteObject*" cannot delete objects within the GUI. You have to explicitly add "s3:DeleteObject" as a policy. This behavior has changed since our previous version.

Possible Solution

  • should also include the actions where there are no more characters after the action name.

Steps to Reproduce (for bugs)

  1. Add a policy for a bucket
    {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "s3:ListBucket",
                   "s3:ListAllMyBuckets",
                   "s3:GetBucketVersioning",
                   "s3:DeleteObjectVersion",
                   "s3:ListBucketVersions",
                   "s3:GetObject*",
                   "s3:DeleteObject*",
                   "s3:PutObject*"
               ],
               "Resource": [
                   "arn:aws:s3:::bucket_name",
                   "arn:aws:s3:::bucket_name/*"
               ]
           }
       ]
    }
  2. Log on to GUI and try to add or delete objects
  3. You can't, can you?

Context

We had to add policies for every bucket in our environment after updating

Regression

Not sure what that means

Your Environment

minio version DEVELOPMENT.2024-01-16T16-07-38Z (commit-id=ca258c04cb1dea33c31fed86250eaa3d1f020ff8)
Runtime: go1.21.6 linux/amd64
License: GNU AGPLv3 https://www.gnu.org/licenses/agpl-3.0.html
Copyright: 2015-2024 MinIO, Inc.
Running in docker on Ubuntu 22.04

@harshavardhana
Member

what is ${bucket_name}? there is no such thing as ${bucket_name}. There are standard keywords you can use, but you can only do what you want here. https://github.com/minio/minio/tree/master/docs/multi-user#policy-variables

@sdejong629
Author

sdejong629 commented Jan 26, 2024

what is ${bucket_name}? there is no such thing as ${bucket_name}. There are standard keywords you can use, but you can only do what you want here. https://github.com/minio/minio/tree/master/docs/multi-user#policy-variables

Changed it to something even more generic. That is a placeholder for terraform. Just replace it with an actual bucket name.

@harshavardhana
Member

Will check

@harshavardhana harshavardhana transferred this issue from minio/minio Jan 26, 2024
@prakashsvmx
Member

S3_GET_ACTIONS: "s3:Get*",
S3_PUT_ACTIONS: "s3:Put*",
S3_ALL_LIST_BUCKET: "s3:List*",
S3_STAR_BUCKET: "s3:*Bucket",
S3_ALL_ACTIONS: "s3:*",
ADMIN_ALL_ACTIONS: "admin:*",
KMS_ALL_ACTIONS: "kms:*"

@sdejong629 as of now only the above wildcards are supported for actions.
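The report's policy (in the steps to reproduce above) and the fixed list of supported wildcard strings quoted in this comment describe two different ways of matching an action against a policy pattern. The following is an added example, not code from MinIO or the console project: a small policy evaluator with IAM-style wildcard semantics, where `*` matches zero or more characters and `?` exactly one, so `s3:DeleteObject*` also covers the bare `s3:DeleteObject`. A second matcher that only expands the fixed list quoted above, and compares every other pattern character for character, is a model I wrote to reproduce the reported symptom, not the console's actual implementation. The object key `report.pdf` and the function names are my own.

```typescript
// Added example (not code from MinIO or the console project). Evaluates a policy
// document with IAM-style action wildcards, where "*" matches zero or more characters
// and "?" exactly one, so "s3:DeleteObject*" also covers "s3:DeleteObject".
// fixedListMatch is a model of "only a known list of wildcards is expanded",
// written here to reproduce the reported symptom; it is not the console's code.

interface Statement {
  Effect: "Allow" | "Deny";
  Action: string[];
  Resource: string[];
}

interface Policy {
  Version: string;
  Statement: Statement[];
}

// Compile one IAM pattern to an anchored RegExp; every character except * and ? is literal.
function patternToRegExp(pattern: string): RegExp {
  let out = "";
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern.charAt(i);
    if (ch === "*") out += ".*";
    else if (ch === "?") out += ".";
    else out += ch.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  }
  return new RegExp("^" + out + "$");
}

// Glob matcher: the behaviour the reporter expects from the GUI.
function globMatch(pattern: string, value: string): boolean {
  return patternToRegExp(pattern).test(value);
}

// Only these strings are treated as wildcards by the fixed-list matcher (the constants
// quoted in the comment above); any other pattern must equal the action exactly.
const FIXED_WILDCARDS: string[] = ["s3:Get*", "s3:Put*", "s3:List*", "s3:*Bucket", "s3:*", "admin:*", "kms:*"];

function fixedListMatch(pattern: string, value: string): boolean {
  return FIXED_WILDCARDS.indexOf(pattern) !== -1 ? globMatch(pattern, value) : pattern === value;
}

type ActionMatcher = (pattern: string, value: string) => boolean;

// Standard evaluation order: an explicit Deny wins, otherwise any matching Allow grants,
// otherwise the default is Deny. Resources are always glob-matched, so the
// "arn:aws:s3:::bucket_name/*" entry from the report behaves as the reporter observed.
function evaluate(policy: Policy, action: string, resource: string, matchAction: ActionMatcher = globMatch): "Allow" | "Deny" {
  let allowed = false;
  for (const st of policy.Statement) {
    const actionHit = st.Action.some((a) => matchAction(a, action));
    const resourceHit = st.Resource.some((r) => globMatch(r, resource));
    if (!actionHit || !resourceHit) continue;
    if (st.Effect === "Deny") return "Deny";
    allowed = true;
  }
  return allowed ? "Allow" : "Deny";
}

// The policy from the bug report, with its placeholder bucket name kept as given.
const reportedPolicy: Policy = {
  Version: "2012-10-17",
  Statement: [
    {
      Effect: "Allow",
      Action: ["s3:ListBucket", "s3:ListAllMyBuckets", "s3:GetBucketVersioning", "s3:DeleteObjectVersion",
        "s3:ListBucketVersions", "s3:GetObject*", "s3:DeleteObject*", "s3:PutObject*"],
      Resource: ["arn:aws:s3:::bucket_name", "arn:aws:s3:::bucket_name/*"],
    },
  ],
};

// Constructed object ARN for the demonstration.
const OBJECT_ARN = "arn:aws:s3:::bucket_name/report.pdf";

// Decision of each matcher for one request, e.g. the delete the reporter tried in the GUI.
function compareMatchers(action: string, resource: string): { glob: string; fixedList: string } {
  return {
    glob: evaluate(reportedPolicy, action, resource, globMatch),
    fixedList: evaluate(reportedPolicy, action, resource, fixedListMatch),
  };
}

console.log(compareMatchers("s3:DeleteObject", OBJECT_ARN));               // { glob: 'Allow', fixedList: 'Deny' }
console.log(compareMatchers("s3:ListBucket", "arn:aws:s3:::bucket_name")); // { glob: 'Allow', fixedList: 'Allow' }
```

The `evaluate` function keeps the Deny branch on purpose: whichever matcher a front end uses, it applies to Deny statements as well as Allow statements, so a matcher that treats `s3:DeleteObject*` as a literal string would also fail to recognise a Deny written that way. When checking an evaluator's wildcard handling, exercise both directions, not just the Allow case the reporter hit.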

@cesnietor
Collaborator

@harshavardhana are we planning to support it? this might be coming from mc client.

@harshavardhana
Member

@harshavardhana are we planning to support it? this might be coming from mc client.

what is?

@bayasdev
Contributor

@prakashsvmx could you please check if we're following the S3 standard? Thanks!

@allanrogerr
Contributor

@sdejong629 Your bucket bucket_name is not following the s3 standard. See https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html

Please retry with a valid bucket name.
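For readers who want to see which rule `bucket_name` breaks, here is an added example (my own code, not MinIO's or the console's) that checks a name against the core general-purpose bucket naming rules from the AWS page linked above: length 3 to 63, lowercase letters, digits, dots and hyphens only, begin and end with a letter or digit, no adjacent periods, not formatted as an IP address, no `xn--` prefix and no `-s3alias` suffix. It implements that subset of the rules only, and the sample names are constructed.

```typescript
// Added example, not MinIO or console code: reports every core S3 bucket naming
// rule a name violates, so an invalid placeholder such as "bucket_name" can be explained.
// Only the rules listed in the lead-in are implemented (a subset of the AWS page).

function bucketNameProblems(name: string): string[] {
  const problems: string[] = [];
  if (name.length < 3 || name.length > 63) problems.push("length must be 3 to 63 characters");
  if (!/^[a-z0-9.-]*$/.test(name)) problems.push("only lowercase letters, digits, dots and hyphens are allowed");
  if (!/^[a-z0-9]/.test(name) || !/[a-z0-9]$/.test(name)) problems.push("must begin and end with a letter or digit");
  if (name.indexOf("..") !== -1) problems.push("must not contain two adjacent periods");
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(name)) problems.push("must not be formatted as an IP address");
  if (/^xn--/.test(name)) problems.push("must not start with the prefix xn--");
  if (/-s3alias$/.test(name)) problems.push("must not end with the suffix -s3alias");
  return problems;
}

function isValidBucketName(name: string): boolean {
  return bucketNameProblems(name).length === 0;
}

// Constructed sample names: the report's placeholder plus a few edge cases.
const SAMPLE_NAMES = ["bucket_name", "my-bucket-01", "My-Bucket", "192.168.1.1", "ab", "a..b"];
for (const n of SAMPLE_NAMES) {
  console.log(n, isValidBucketName(n) ? "ok" : bucketNameProblems(n).join("; "));
}
```

The report's placeholder fails exactly one rule, the character set (the underscore), which is why the reporter's "replace it with an actual bucket name" is enough to get a policy resource that a real S3-compatible deployment will accept.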

@allanrogerr
Contributor

s3:DeleteObject* does appear to be valid. See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html

PTAL @prakashsvmx

@ramondeklein
Collaborator

ramondeklein commented Jan 27, 2025

I also tested it with AWS IAM Policy Simulator:

[image: AWS IAM Policy Simulator result]

I also tested with MinIO, and when I create a user and assign only the readonly policy and this policy:

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Effect": "Allow",
           "Action": [ "s3:DeleteObject*" ],
           "Resource": [ "arn:aws:s3:::*","arn:aws:s3:::*/*" ]
       }
   ]
}

The user was able to delete the object, so it seems that MinIO will match s3:DeleteObject based on the s3:DeleteObject* policy.

@allanrogerr allanrogerr linked a pull request Jan 27, 2025 that will close this issue
@cesnietor cesnietor assigned allanrogerr and unassigned prakashsvmx Feb 5, 2025