I have another feature that a customer requested yesterday that it'd be helpful to get some feedback on:
A common problem among their user base is that a user will bind to a bucket, write a bunch of objects, and then decide that they need to tweak the ACL of the bound application from FULL_CONTROL to something more restrictive e.g. READ_WRITE.
Since OSBA doesn't support changing a binding, I recommended that they unbind/rebind; however, they explained that since this changes the object-user identity, when they re-bind the new user doesn't own any of the objects, leading to temporary inaccessibility until the storage-team fixes permissions for them on the back-end.
I'd like to get feedback on a couple of options:
We could allow the user to specify a name for the object-user. Unlike Issue-120 Provide Control over ECS Artifact Naming #123, this would have to be the full object-user-id, since the ACL would only respect an exact username.
We could create a new process for the broker to optionally update object permissions during a binding operation, similar to Add service-instance reclaim policy to bucket service-settings for deleting of data. #119
I've also been thinking about a way to solve this with group permission settings, but since there can be only one bucket owner I think perhaps that isn't realistic.