Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This pull request resolves an edge case when the XML fails to add objects to the ListBucket response, and correctly identifies that there are still objects under the
path
provided. This can be caused by slightly restricted (but still correct) IAM permissions, where you add a condition on the s3:prefix to the s3:ListBucket permissions. Specifically, this issue only occurs in special cases where there are special characters in the prefix/object path.Relevant Issue (if applicable)
#2129 (comment)
Details
There are two changes in this pull request.
reiter
string before checking ifreiter
is an empty directory. This resolves anAccess Denied
response from S3, because for some reason the full path did not include the/
separator between the base prefix and the rest of the path.directory_empty
function returns-ENOTEMPTY
, which implies that while adding objects from the XML response of the ListBucket CURL command, it failed but there are still objects under the path provided. This failure mode appears to happen with the special IAM policy condition mentioned above in combination with special characters in the object or prefix path. By handling this special case we getStatCacheData from the updated dirpath instead and proceed with the s3 prefix appearing in the mount.Demonstration of fix
Basic setup
Version of s3fs being used (s3fs --version)
1.93
Version of fuse being used (pkg-config --modversion fuse, rpm -qi fuse or dpkg -s fuse)
2.9.9
Kernel information (uname -r)
4.14.334-252.552.amzn2.x86_64
GNU/Linux Distribution, if applicable (cat /etc/os-release)
Toy example, based on real issue
How to run s3fs, if applicable
s3fs syslog messages (grep s3fs /var/log/syslog, journalctl | grep s3fs, or s3fs outputs)
IAM Policy
We are trying to list bucket which has contents like the following
Details
It appears that the spaces in the object key Life and Health History Survey-responses.json under the david_stuff prefix is causing issues somehow in relationship with the listbucket permissions on home/David/*
To demonstrate how this fixes the issue, elaborating here on the failure mode workflow, given the example setup:
david-bucket:/home/David
to/home/jovyan/work/personal
, with prefix under itdavid_stuff/
readdir_multi_head
invoked on mount prefix/home/David
directory_empty
invoked on pathdavid_stuff
list_bucket
,append_objects_from_xml
is invokedappend_objects_from_xml_xe
is invoked, trying to parse the Contents/Key or the CommonPrefixes/Prefixcontents_xp ->nodesetval is empty
directory_empty
, we get one of two responses.-1
onAccess Denied
from AWS S3. This is because thedavid_stuff
path is missing the/
prefix, which was noticed by viewing the CURL commands to AWS S3. Without the/
prefix, the constrained IAM permissions cause the access denied to get returned by AWS S3-39
which responds to-ENOTEMPTY
-ENOTEMPTY
in this case means that, although we got the expression evaluation trying to append objects from xml.head
, which is of typeS3ObjList
, still has objects under it. Which means that there are in fact objects under the path/david_stuff
.david_stuff
-ENOTEMPTY
case and now display the s3 prefixdavid_stuff
as a directory