multi-tenant posix permission enforcement #513
Labels
backend
issue relates to backend
enhancement
New feature or request
posix
issue relates to posix backend
Comments
benmcclelland
added
enhancement
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the solution you'd like
The gateway typically runs as root, so provides full access to anything below the gateway root directory only limited by bucket ownership and ACLs. You can run the gateway as a user, but then all newly created files will be owned by that user. And that user must have access to all files/directories below the root directory.
The IAM multi-tenant store allows setting uid/gid for each user. It would be great if we could add the option to enable a permissions check in the posix backend to return access denied for requests that the uid/gid wouldn't have local permissions to.
This would be good to support both unix permission as well as posix ACLs.
The GET check could look at the file permissions directly and determine if that user should have read access to the file.
The PUT check might need to check the bucket, or the closest existing parent directory.
The text was updated successfully, but these errors were encountered: