fix: doc links and delete replication permissions enforcement (#11285)

3 years ago · 7090bcc8e0
parent c222bde14b
commit 7090bcc8e0
4 changed files with 9 additions and 3 deletions
--- a/cmd/bucket-handlers.go
+++ b/cmd/bucket-handlers.go
@ -461,6 +461,13 @@ func (api objectAPIHandlers) DeleteMultipleObjectsHandler(w http.ResponseWriter,
 			}, goi, gerr)
 			replicateSync = repsync
 			if replicate {
+				if apiErrCode := checkRequestAuthType(ctx, r, policy.ReplicateDeleteAction, bucket, object.ObjectName); apiErrCode != ErrNone {
+					if apiErrCode == ErrSignatureDoesNotMatch || apiErrCode == ErrInvalidAccessKeyID {
+						writeErrorResponse(ctx, w, errorCodes.ToAPIErr(apiErrCode), r.URL, guessIsBrowserReq(r))
+						return
+					}
+					continue
+				}
 				if object.VersionID != "" {
 					object.VersionPurgeStatus = Pending
 					if delMarker {
--- a/cmd/object-handlers.go
+++ b/cmd/object-handlers.go
@ -2758,7 +2758,7 @@ func (api objectAPIHandlers) DeleteObjectHandler(w http.ResponseWriter, r *http.
 	if r.Header.Get(xhttp.AmzBucketReplicationStatus) == replication.Replica.String() {
 		// check if replica has permission to be deleted.
 		if apiErrCode := checkRequestAuthType(ctx, r, policy.ReplicateDeleteAction, bucket, object); apiErrCode != ErrNone {
-			writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
+			writeErrorResponse(ctx, w, errorCodes.ToAPIErr(apiErrCode), r.URL, guessIsBrowserReq(r))
 			return
 		}
 		opts.DeleteMarkerReplicationStatus = replication.Replica.String()
--- a/docs/bucket/replication/HEAD_bucket_replication.png
+++ b/docs/bucket/replication/HEAD_bucket_replication.png
--- a/docs/bucket/replication/README.md
+++ b/docs/bucket/replication/README.md
@ -92,8 +92,7 @@ The access key provided for the replication *target* cluster should have these m
 ]
 }
 ```
-
-Please note that the permissions required by the admin user on the target cluster can be more fine grained to exclude permissions like `s3:ReplicateDelete`, `s3:GetBucketObjectLockConfiguration` etc. depending on whether delete replication rules are set up or if object locking is disabled on `destbucket`. The above policies assume that replication of objects, tags and delete marker replication are all enabled on object lock enabled buckets. A sample script to setup replication is provided [here](https://github.com/minio/minio/blob/master/docs/bucket/replication/setup.sh) for convenience.
+Please note that the permissions required by the admin user on the target cluster can be more fine grained to exclude permissions like "s3:ReplicateDelete", "s3:GetBucketObjectLockConfiguration" etc depending on whether delete replication rules are set up or if object locking is disabled on `destbucket`. The above policies assume that replication of objects, tags and delete marker replication are all enabled on object lock enabled buckets. A sample script to setup replication is provided [here](https://github.com/minio/minio/blob/master/docs/bucket/replication/setup_replication.sh)

 Once successfully created and authorized, the `mc admin bucket remote add` command generates a replication target ARN.  This command lists all the currently authorized replication targets:
 ```