change bucket policy schema to fit AWS json #7389
Conversation
Looks good to me. I observe that most of the changes are related to lower case to upper case. We need to make sure that this does not break other code wherever it might be using lowercase.
src/upgrade/upgrade_scripts/5.3.0/update_bucket_owner_account.js
@@ -252,41 +252,66 @@ module.exports = { | |||
} | |||
}, | |||
|
|||
bucket_policy_principal: { | |||
anyOf: [{ |
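Review bot: the `bucket_policy_principal` definition now opens with `anyOf: [{`, but the hunk is cut off before the alternatives, so the review cannot see what the branches contain; since the thread below states that the DB encode/decode path did not support anyOf/oneOf, confirm that every value reachable under this anyOf is unwrapped before storage, or document in the schema that only plain or sensitive strings are allowed here.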
I recall we didn't support anyOf/oneOf in postgresClient encode_json/decode_json. @dannyzaken, is this valid now?
I guess you're right. This can be an issue since the values underneath are SensitiveString and will probably not be unwrapped properly when stored. @nadavMiz how does it look in the DB when you store a policy?
In general we should probably handle it. I think there are other places where we use anyOf/oneOf that are stored in the DB.
In the database the prefix appears clearly in all cases:
```json
{
  "_id": "64ca177180d3ca00289e9937",
  "tag": "",
  "name": "first.bucket",
  "system": "64ca177180d3ca00289e992f",
  "tiering": "64ca177180d3ca00289e9936",
  "s3_policy": {
    "Version": "2012-10-17",
    "Statement": [
      {"Action": ["s3:PutBucketPolicy", "s3:*"], "Effect": "Allow", "Resource": ["arn:aws:s3:::first.bucket"], "Principal": {"AWS": "*"}},
      {"Action": ["s3:PutObject"], "Effect": "Allow", "Resource": ["arn:aws:s3:::first.bucket/*"], "Principal": "*"},
      {"Sid": "id-1", "Action": ["s3:GetObject"], "Effect": "Allow", "Resource": ["arn:aws:s3:::first.bucket/*"], "Principal": {"AWS": ["nadav", "*"]}}
    ]
  },
  "versioning": "DISABLED",
  "last_update": 1690977631534,
  "master_key_id": "64ca177180d3ca00289e9938",
  "owner_account": "64ca177180d3ca00289e992e",
  "storage_stats": {"pools": {}, "blocks_size": 0, "last_update": 1690977537545, "objects_hist": [], "objects_size": 0, "objects_count": 0, "chunks_capacity": 0, "stats_by_content_type": []},
  "lambda_triggers": []
}
```
Also in the logs we print for the bucket policy, we get that the prefix is a sensitive string. For example, in policy validation:
principal fit? SENSITIVE-7846cdd4c2b90527 nadav
Looks like it is fine in this case.
As we discussed, this anyOf doesn't really get encoded, but since all we have inside the anyOf is string/sensitive string, it works.
@dannyzaken Are you ok with merging it and opening a gap for the anyOf issue?
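As an added illustration of the concern discussed in this thread (not noobaa's own code and not its postgresClient encode_json/decode_json), a toy schema-driven encoder with the assumed names SensitiveString, PRINCIPAL_SCHEMA and encodeForDb shows what happens to SensitiveString values under an anyOf when the walker skips anyOf versus when it picks the matching branch:

```javascript
// Added illustration, not noobaa's postgresClient encode_json/decode_json.
// SensitiveString, PRINCIPAL_SCHEMA and encodeForDb are assumed names.
class SensitiveString {
    constructor(value) { this._value = value; }
    unwrap() { return this._value; }
    toString() { return 'SENSITIVE-<masked>'; } // what a log line shows
}
// Cut-down schema in the shape of the PR's change: Principal is a wildcard
// string, or an object whose AWS member is a string or a list of strings.
const PRINCIPAL_SCHEMA = {
    anyOf: [
        { wrapper: 'SensitiveString' },
        { type: 'object', properties: { AWS: { anyOf: [
            { wrapper: 'SensitiveString' },
            { type: 'array', items: { wrapper: 'SensitiveString' } },
        ] } } },
    ],
};
// Pick the anyOf branch whose declared shape matches the runtime value.
function pickBranch(branches, value) {
    const isWrapped = value instanceof SensitiveString;
    return branches.find(b =>
        (b.type === 'array' && Array.isArray(value)) ||
        (b.type === 'object' && value !== null && typeof value === 'object' && !Array.isArray(value) && !isWrapped) ||
        (b.wrapper && (typeof value === 'string' || isWrapped)));
}
// Schema-driven encoder. handleAnyOf=false mimics a walker that does not
// descend into anyOf: nothing below it is visited, so wrappers stay wrapped.
function encodeForDb(schema, value, handleAnyOf = true) {
    if (schema.anyOf) {
        if (!handleAnyOf) return value;
        const branch = pickBranch(schema.anyOf, value);
        return branch ? encodeForDb(branch, value, handleAnyOf) : value;
    }
    if (schema.wrapper === 'SensitiveString' && value instanceof SensitiveString) return value.unwrap();
    if (schema.type === 'array' && Array.isArray(value)) return value.map(v => encodeForDb(schema.items, v, handleAnyOf));
    if (schema.type === 'object' && value && typeof value === 'object') {
        const out = {};
        for (const [k, sub] of Object.entries(schema.properties || {})) {
            if (k in value) out[k] = encodeForDb(sub, value[k], handleAnyOf);
        }
        return out;
    }
    return value;
}
// Constructed input modelled on the "id-1" statement of the stored policy quoted above.
const principal = { AWS: [new SensitiveString('nadav'), new SensitiveString('*')] };
console.log(JSON.stringify(encodeForDb(PRINCIPAL_SCHEMA, principal)));        // {"AWS":["nadav","*"]}
console.log(JSON.stringify(encodeForDb(PRINCIPAL_SCHEMA, principal, false))); // {"AWS":[{"_value":"nadav"},{"_value":"*"}]}
```

The second line is the failure mode the thread worries about: the wrapper object, not the unwrapped string, is what would reach the database when the walker never descends into the anyOf.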
Opened an issue for the anyOf: #7448
I'm fine with the gap.
Signed-off-by: nadav mizrahi <nadav.mizrahi16@gmail.com>
Explain the changes
Issues: Fixed #xxx / Gap #xxx
Testing Instructions: