Remove s3:ListObjects policy action to be in sync with AWS-S3 (#5875)

7 years ago · 0ad0969d61
parent 7f207156ec
commit 0ad0969d61
2 changed files with 2 additions and 31 deletions
--- a/cmd/auth-handler.go
+++ b/cmd/auth-handler.go
@ -183,24 +183,6 @@ func checkRequestAuthType(ctx context.Context, r *http.Request, action policy.Ac
 		return ErrNone
 	}

-	// As policy.ListBucketAction and policy.ListObjectsAction are same but different names,
-	// policy.ListBucketAction is used across the code but user may used policy.ListObjectsAction
-	// in bucket policy to denote the same. In below try again with policy.ListObjectsAction.
-	if action != policy.ListBucketAction {
-		return ErrAccessDenied
-	}
-
-	if globalPolicySys.IsAllowed(policy.Args{
-		AccountName:     accountName,
-		Action:          policy.ListObjectsAction,
-		BucketName:      bucketName,
-		ConditionValues: getConditionValues(r, locationConstraint),
-		IsOwner:         isOwner,
-		ObjectName:      objectName,
-	}) {
-		return ErrNone
-	}
-
 	return ErrAccessDenied
 }

--- a/pkg/policy/action.go
+++ b/pkg/policy/action.go
@ -24,7 +24,7 @@ import (
 )

 // Action - policy action.
-// Refer https://docs.aws.amazon.com/IAM/latest/UserGuide/list_s3.html
+// Refer https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html
 // for more information about available actions.
 type Action string

@ -75,9 +75,6 @@ const (
 	// ListMultipartUploadPartsAction - ListParts Rest API action.
 	ListMultipartUploadPartsAction = "s3:ListMultipartUploadParts"

-	// ListObjectsAction - ListObjects Rest API action exactly same behavior as ListBucketAction.
-	ListObjectsAction = "s3:ListObjects"
-
 	// PutBucketNotificationAction - PutObjectNotification Rest API action.
 	PutBucketNotificationAction = "s3:PutBucketNotification"

@ -113,7 +110,7 @@ func (action Action) IsValid() bool {
 		fallthrough
 	case ListBucketMultipartUploadsAction, ListenBucketNotificationAction:
 		fallthrough
-	case ListMultipartUploadPartsAction, ListObjectsAction, PutBucketNotificationAction:
+	case ListMultipartUploadPartsAction, PutBucketNotificationAction:
 		fallthrough
 	case PutBucketPolicyAction, PutObjectAction:
 		return true
@ -237,14 +234,6 @@ var actionConditionKeyMap = map[Action]condition.KeySet{
 		condition.AWSSourceIP,
 	),

-	ListObjectsAction: condition.NewKeySet(
-		condition.S3Prefix,
-		condition.S3Delimiter,
-		condition.S3MaxKeys,
-		condition.AWSReferer,
-		condition.AWSSourceIP,
-	),
-
 	PutBucketNotificationAction: condition.NewKeySet(
 		condition.AWSReferer,
 		condition.AWSSourceIP,