ChenSammi commented on code in PR #9315:
URL: https://github.com/apache/ozone/pull/9315#discussion_r2596885626
##########
hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/acl/iam/IamSessionPolicyResolver.java:
##########
@@ -526,24 +521,28 @@ private static void processBucketResource(String
volumeName, Set<S3Action> mappe
// bucket name of "*". To align with AWS, make sure that in this
// specific case we also grant the volume-level permissions for
volume-scoped
// actions (currently s3:ListAllMyBuckets).
- if (action.kind == ActionKind.BUCKET || action == S3Action.ALL_S3 ||
- action.kind == ActionKind.VOLUME && "*".equals(resourceSpec.bucket))
{ // this handles s3:ListAllMyBuckets
+ if (action.kind == ActionKind.BUCKET ||
+ (action.kind == ActionKind.VOLUME &&
"*".equals(resourceSpec.bucket))) { // this handles s3:ListAllMyBuckets
addAclsForObj(objToAclsMap, volumeObj(volumeName), action.volumePerms);
addAclsForObj(objToAclsMap, bucketObj(volumeName,
resourceSpec.bucket), action.bucketPerms);
+ } else if (action == S3Action.ALL_S3) {
+ // For s3:*, ALL should only apply at the bucket level; grant READ at
volume for navigation
Review Comment:
Fabian, it looks like s3:* can be applied at any level. Please see the
example in this page
https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
