Remove s3:ListObjects policy action to be in sync with AWS-S3 (#5875)

master
Krishna Srinivas 7 years ago committed by Nitish Tiwari
parent 7f207156ec
commit 0ad0969d61
  1. 18
      cmd/auth-handler.go
  2. 15
      pkg/policy/action.go

@ -183,24 +183,6 @@ func checkRequestAuthType(ctx context.Context, r *http.Request, action policy.Ac
return ErrNone return ErrNone
} }
// As policy.ListBucketAction and policy.ListObjectsAction are same but different names,
// policy.ListBucketAction is used across the code but user may used policy.ListObjectsAction
// in bucket policy to denote the same. In below try again with policy.ListObjectsAction.
if action != policy.ListBucketAction {
return ErrAccessDenied
}
if globalPolicySys.IsAllowed(policy.Args{
AccountName: accountName,
Action: policy.ListObjectsAction,
BucketName: bucketName,
ConditionValues: getConditionValues(r, locationConstraint),
IsOwner: isOwner,
ObjectName: objectName,
}) {
return ErrNone
}
return ErrAccessDenied return ErrAccessDenied
} }

@ -24,7 +24,7 @@ import (
) )
// Action - policy action. // Action - policy action.
// Refer https://docs.aws.amazon.com/IAM/latest/UserGuide/list_s3.html // Refer https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html
// for more information about available actions. // for more information about available actions.
type Action string type Action string
@ -75,9 +75,6 @@ const (
// ListMultipartUploadPartsAction - ListParts Rest API action. // ListMultipartUploadPartsAction - ListParts Rest API action.
ListMultipartUploadPartsAction = "s3:ListMultipartUploadParts" ListMultipartUploadPartsAction = "s3:ListMultipartUploadParts"
// ListObjectsAction - ListObjects Rest API action exactly same behavior as ListBucketAction.
ListObjectsAction = "s3:ListObjects"
// PutBucketNotificationAction - PutObjectNotification Rest API action. // PutBucketNotificationAction - PutObjectNotification Rest API action.
PutBucketNotificationAction = "s3:PutBucketNotification" PutBucketNotificationAction = "s3:PutBucketNotification"
@ -113,7 +110,7 @@ func (action Action) IsValid() bool {
fallthrough fallthrough
case ListBucketMultipartUploadsAction, ListenBucketNotificationAction: case ListBucketMultipartUploadsAction, ListenBucketNotificationAction:
fallthrough fallthrough
case ListMultipartUploadPartsAction, ListObjectsAction, PutBucketNotificationAction: case ListMultipartUploadPartsAction, PutBucketNotificationAction:
fallthrough fallthrough
case PutBucketPolicyAction, PutObjectAction: case PutBucketPolicyAction, PutObjectAction:
return true return true
@ -237,14 +234,6 @@ var actionConditionKeyMap = map[Action]condition.KeySet{
condition.AWSSourceIP, condition.AWSSourceIP,
), ),
ListObjectsAction: condition.NewKeySet(
condition.S3Prefix,
condition.S3Delimiter,
condition.S3MaxKeys,
condition.AWSReferer,
condition.AWSSourceIP,
),
PutBucketNotificationAction: condition.NewKeySet( PutBucketNotificationAction: condition.NewKeySet(
condition.AWSReferer, condition.AWSReferer,
condition.AWSSourceIP, condition.AWSSourceIP,

Loading…
Cancel
Save